The Committee on Homeland Security has been able to favorably report seven bipartisan homeland security bills that aim to secure governments from rising cyber-attacks. These bills will help protect government networks and provide critical infrastructure owners and operators with mitigation strategies against critical vulnerabilities, and establish a national cyber exercise program to promote more regular testing of preparedness and resilience to cyber incidents.
Among the bills advanced in the Congress is one that includes critical legislation to enhance pipeline security, which comes in the aftermath of the DarkSide ransomware incident, which infected IT systems at Colonial Pipeline leading to the fuel pipeline operator shutting down operations for multiple days.
“Since the beginning of this Congress, this Committee has engaged in extensive oversight of these events and how the Federal government partners with others to defend our networks,” Senator Bennie G. Thompson, a Democrat from Mississippi and chairman of the Homeland Security Committee, said in a media statement. “The legislation we reported today was the result of this oversight. I am pleased that they received broad bipartisan support and hope they are considered on the House floor in short order.”
The Pipeline Security Act introduced by Congressman Emanuel Cleaver, a Democrat from Missouri, aims to enhance the ability of the Transportation Security Administration (TSA), and guard pipeline systems against cyberattacks, terrorist attacks, and other threats. This measure codifies TSA’s Pipeline Security Section and clarifies TSA’s statutory mandate to protect pipeline infrastructure.
The Colonial Pipeline ransomware attack follows a string of disturbing cyberattacks against government entities and the private sector – from SolarWinds and Pulse Connect Secure to Microsoft Exchange Server and the Oldsmar water facility. In an interview published Wednesday in The Wall Street Journal, Joseph Blount, CEO at Colonial Pipeline said he authorized the ransom payment of US$4.4 million because executives were unsure how badly the cyberattack had breached its systems.
Commenting on the bill making its way through Congress, Industrial Defender CEO Jim Crowley says that stricter government regulations addressing critical infrastructure cybersecurity are right around the corner. “Electric utilities have had to comply with the NERC CIP regulations that enforce standardized security controls for many years, which means the regulatory infrastructure to do this is already there. It’s highly likely that a similar set of enforceable standards based on NERC CIP or the NIST Cybersecurity Framework will be introduced for the entire energy industry,” he added.
Another bill, the State and Local Cybersecurity Improvement Act, introduced by Congresswoman Yvette D. Clarke, a Democrat from New York seeks to authorize a new $500 million grant program to provide state and local, tribal, and territorial governments with dedicated funding to secure their networks from ransomware and other rising cyber-attacks.
The Cybersecurity Vulnerability Remediation Act introduced by Congresswoman Sheila Jackson Lee, a Democrat from Texas, seeks to authorize the development and distribution of cyber ‘playbooks’ to critical infrastructure owners and operators, to provide them with mitigation strategies against the most critical, known vulnerabilities – especially those affecting software or hardware that is no longer supported by a vendor, including for industrial control systems.
To promote more regular testing and systemic assessments of preparedness and resilience to rising cyber attacks against critical infrastructure, another bill, the CISA Cyber Exercise Act introduced by Congresswoman Elissa Slotkin, a Democrat from Mississippi, seeks to establish a National Cyber Exercise program within the Cybersecurity and Infrastructure Security Agency (CISA).
The DHS Blue Campaign Enhancement Act introduced by Congressman Peter Meijer, a Republican from Mississippi, aims to strengthen the DHS Blue Campaign and enhances the availability of human trafficking prevention training opportunities and the development of such training and materials.
To support DHS mission continuity and facilitate the readiness and resilience in the event of a chemical, biological, radiological, nuclear, or explosives attack, naturally occurring disease outbreak, or pandemic, another piece of legislation, the DHS Medical Countermeasures Act introduced by Congresswoman Mariannette Miller Meeks, a Republican from Iowa.
The Domains Critical to Homeland Security Act brought in by Ranking Member John Katko, a Republican from New York, aims to authorize DHS to conduct research and development into supply chain risks for critical domains of the U.S. economy and transmit the results to Congress.
The nation’s critical infrastructure has in the last few months been repeatedly hit by cybersecurity incidents. Incidents, such as the SolarWinds supply chain cyber incident, Colonial Pipeline ransomware attack, and Oldsmar water plant hack have intensified the urgent need to strengthen critical infrastructure, reduce operational downtime, and protect from financial and reputational damage.
This forced the Biden administration to release an Executive Order to bring about decisive steps that modernize U.S. critical infrastructure and its approach to cybersecurity. The move will increase visibility into threats while employing appropriate resources and authorities to maximize the early detection of cybersecurity vulnerabilities and incidents on its networks.