Two key bills have been introduced to improve U.S. cybersecurity shields, as the nation bolsters its critical infrastructure sector, which includes physical assets such as roads and fiber, apart from the intellectual and human capital behind them. The sector deals with pivotal and crucial functions of government and the private sector that are so vital to the U.S. that their disruption, corruption, or dysfunction would have a debilitating effect on security, the economy, national public health or safety, or any combination thereof.
One bill aims to create a ‘response and recovery’ fund to help public and private entities respond to and recover from cyberattacks. The other bill intends to help ensure that the Department of Homeland Security (DHS) is identifying and addressing risks to critical infrastructure.
The first bill, the Cyber Response and Recovery Act, would create an authority for the Secretary of Homeland Security, in consultation with the National Cyber Director, to declare a significant cyber incident in the event of an ongoing or imminent attack that would impact national security, economic security, or government operations.
Introduced in the Senate by U.S. Senators Rob Portman, a Republican from Ohio, and Gary Peters, a Democrat from Michigan, respectively the ranking member and chairman of the Homeland Security and Governmental Affairs Committee, the bipartisan legislation would provide additional resources and better coordination for serious cyberattacks or breaches that risk the safety and security of Americans.
Such a declaration would enable CISA to coordinate federal and non-federal response efforts, and allow the Secretary access to a Cyber Response and Recovery Fund that would help support federal and non-federal entities impacted by the event. The bill would authorize US$20 million over seven years for the fund, and would require DHS to report to Congress on its use. The legislation also helps improve the federal response to cyber breaches, such as recent and serious attacks by foreign adversaries, including the Chinese and Russian governments that allegedly penetrated both federal networks and private companies’ servers.
“The multiple recent cyberattacks from sophisticated malicious actors against U.S. government clearly demonstrate our vulnerability to attack,” said Senator Portman in a press statement. “These cyberattacks will continue, and we must ensure that we have the capacity to respond when they do. This bipartisan bill will provide emergency resources when impacted organizations are overwhelmed and unable to respond to a debilitating attack.”
“Extensive breaches and attacks of public and private networks in just the last few months have compromised our national security and shown our nation is not adequately prepared to tackle evolving cyber threats,” said Senator Peters. “As these challenges continue to grow, our national security apparatus needs more tools and resources to improve our response to these threats and defend against cyber-attacks from our foreign adversaries, like the Chinese government.”
Last October, Portman and Peters led several bipartisan efforts to bolster the nation’s cybersecurity shields. They introduced a bill to require the federal government to make better investments in cybersecurity shields to keep Americans’ data safe. The U.S. Senate also unanimously approved their legislation to promote stronger cybersecurity shields and measures between the DHS and state and local governments.
A bipartisan bill, the National Risk Management Act, was also introduced in the U.S. Senate to strengthen the security of critical infrastructure sectors by requiring the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) to continually conduct a five-year National Risk Management Cycle.
Following CISA’s identification of the risks, the White House would have to “identify and outline current and proposed national-level actions, programs, and efforts to be taken to address the risks identified,” according to the bill.
Introduced by Senators Maggie Hassan, a Democrat from New Hampshire, and Ben Sasse, a Republican from Nebraska, the legislation would require the Secretary, acting through the director of CISA, to establish a process to identify, assess and prioritize risks to critical infrastructure, considering both cyber and physical threats, vulnerabilities, and consequences.
“When a criminal shuts down a hospital system to get a ransomware payment or a foreign adversary hacks government agencies, we face grave threats to our national security and well-being,” said Senator Hassan in a press statement. “We must stay ahead of emerging threats to critical infrastructure, and I am glad to work across the aisle to help ensure that the administration and Congress are working together to make our critical infrastructure sectors more secure.”
“The rules of war are being re-written. China and Russia are increasingly brazen in their use of cyber tools to get inside American critical infrastructure networks,” said Senator Sasse. “These critical systems must be more resilient. It’s time to get serious about the future of war and how we protect the systems that allow our daily life to run smoothly.”
The latest bill is part of Senator Hassan’s ongoing efforts as chair of the Emerging Threats and Spending Oversight Subcommittee to strengthen DHS’s efforts to keep Americans safe, secure, and free.
Senator Hassan has previously worked to pass the bipartisan DHS Data Framework Act – which is now law – to help ensure that analysts at the DHS can more efficiently identify terrorist threats. Due to the increasing number of cyber threats to government agencies and critical infrastructure, Senator Hassan introduced the bipartisan Hack DHS Act, which was signed into law, to strengthen cyber defenses at the DHS.
In February, the U.S. launched an international strategy called CISA Global that joins with international partners to intensify defense against cyber incidents, enhance security and resilience of critical infrastructure, identify and address significant risks to national critical functions, and provide seamless and secure emergency communications.
The National Counterintelligence and Security Center (NCSC) and the National Insider Threat Task Force (NITTF), in alliance with the Departments of Homeland Security, Treasury, Energy, Defense, and others, are working to better support critical infrastructure entities in the U.S. private sector, state, city, and local governments, and academia.
“We encourage critical infrastructure entities to invest in human-behavior-focused insider threat programs that enhance and supplement traditional security practices and are tailored to their environments and unique threats and risks,” according to new guidelines released by the NCSC.