Congress must fund, execute latest defenses, collaborate with private sector to deal with increase in cyber threats, Katko outlines


U.S. Congressman John M. Katko said that the nation needs to beef up its cybersecurity funding across the board, for NSA, the dot‑mil regime, and CISA, and do more to empower Chris Inglis as the national cyber director. With proper funding, state‑of‑the‑art defenses, good collaboration with the private sector, and better teamwork, Katko says that stakeholders will be better positioned to achieve their goals while minimizing and eradicating cyberattacks. Katko is most worried about a ‘catastrophic threat’ on the critical infrastructure sector, whether at a grid or at a water system.

Katko was speaking at a Washington Post Live event on the steps Congress needs to take today so that the nation does not see an exponential increase in threats over the next decade. “And the way I look at it is you want to look at it from a team approach. Inglis is the head coach. He needs to have the powers of head coach,” Katko said. “You have the quarterback. I would say the civilian and dot‑gov domain being CISA. You have the special teams at NSA, and then you have the offense and defense capabilities on the military,” he added.

Asked whether any particular breach or hack during his time in Congress had been a ‘wake-up call’ that helped lawmakers understand how pressing this issue is, Katko, a Republican from New York, said, “The Colonial Pipeline was such a‑‑such a shock to the system, and when you see people filling up garbage bags of gasoline out of panic at gas stations, you know that you’ve got the attention of people. And that was followed up by the JBS attack and some of the others.”

“Obviously, some of the ones for us, the geeks in the cyber realm, where we know about the more sophisticated attacks like the Log4j and some of those other ones at‑‑could have crippling effects,” Katko said. “But the Colonial Pipeline one, I think, really woke everybody up because there’s critical infrastructure 101, and critical infrastructure got attacked. And we weren’t ready for it,” he adds.

Last October, Katko introduced legislation that would call for identifying systemically important critical infrastructure. Asked how that legislation would help prevent another Colonial Pipeline from occurring, Katko said, “Well, the way we look at it is there are 16 critical infrastructure sectors, right? If they’re all systematically important, then none of them are, and, you know, none get the‑‑you got to look at the‑‑the whole idea behind the SICI legislation‑‑is the slang for it‑‑would be to say of all these critical infrastructures, this is the most critical, right? And then you identify it.”

The Congressman said that after passing the reporting requirements legislation, incident reporting, “I’m starting to see within the development of the rulemaking process at CISA that I think it’s going to shake itself out without the necessity for that legislation, someone at legislation that was more‑‑I don’t want to say bureaucratic. What’s the word?–‑‑regulatory in nature, and I think that would be a mistake.”

“I think we need to continue with the collaborative effort we’re developing with the private sector and CISA, information coming in, taking that information, operationalizing it, and then send it back out in a better way and form,” Katko said. “And I think, hopefully, this rulemaking process is going to do that. And I saw one of the RFIs recently, which is very encouraging in that regard,” he adds.

Some Democrats said that Katko’s proposal initially didn’t go far enough, as any bill addressing critical infrastructure needs to also address what the companies and government need to do as a result of that designation. 

Addressing his concerns about too much bureaucracy and what is at risk with having such legislation, Katko said, “I think‑‑we should learn from some of the past agencies that have been developed and how they’ve grown into regulatory behemoths that somehow lose their way.”

“I think what happened with‑‑especially with Ukraine in the cyberattacks that happened in Ukraine which preceded the invasion of Ukraine and the threats to the West from Russia, the continued threats today, and the intelligence bearing out that, they’re pecking around getting ready to do major attack, perhaps‑‑I think that showed that we need to be more collaborative with the private sector,” Katko said. “Like, CISA came up with, like, Shields Up, for example. You can go to the website, Shields Up, and you can help your systems right away, and what we’re seeing is that the private sector is incentivized to work with CISA.”

Katko said that with a regulatory scheme, “it becomes almost like a shirts‑and‑skins game, you know, where they’re on one side and they’re on the other side. That’s what we’re trying to avoid, and I understand and completely respect what people are saying as far as the SICI legislation.”

“But I think it’s‑‑we can’t lose sight of the fact that the private sector has to have the comfort to work and trust with a teammate, that being CISA, as opposed to more of a dictatorial or rulemaking agency that’s overseeing and causing all kinds of problems with them because I think CISA is a unique agency in that the synergy between the private sector and CISA is the only way that CISA could be successful,” Katko said. “And, if they’re not if they don’t have that synergy and exchange of information on a fluid basis, like we do in the joint terrorism task forces, as I worked with for 20 years as a federal prosecutor, if you don’t have fluidity, I think you have problems.”

Another issue that Katko addressed at the event was whether protection against such severe attacks on pipelines and energy grids can really be left to the private sector.

“Oh, we’re not leaving it to the private sector,” Katko said. “No. Make no mistake about it. There’s going to be rules. There’s going to be rulemaking with the incident reporting, and the incident reporting, as it shakes out, I think, will tell us whether or not we ultimately need the SICI legislation and what kind,” he adds.

“There was a disagreement, and rare for most of us in Homeland to have disagreements on cyber between Republicans and Democrats, but that was one area we had disagreement,” Katko said. “So that’s why it didn’t get across the finish line. So what I’m saying is the rulemaking process, I think, will shake out a lot of the concerns that both sides have, and then if we need to do something on the back end, we can do it. But I’m not sure we’re going to need to. We’ll have to take a look and see,” he adds.

Katko, along with Rep. Jim Langevin, a Democrat from Rhode Island, announced earlier this year that they would not run for reelection. Answering whether the bipartisan streak within cybersecurity can continue after he leaves, Katko said that it has to, and he thinks it will. “And I think, by and large, people understand in the homeland security realm, at least traditionally on the committee, that some things are bigger than your party, and a lot of things‑‑I think a lot of people can say it’s easy‑‑we’re all in agreement we want to protect the homeland.” 

“We may have difference of opinions around the edges, but we all believe we want to have better cybersecurity,” Katko said. “And we all believe we want to have safer systems, and we all believe we want to be able to clamp back at the bad guys. We want to be able to have deterrence. We want better protection. So I think we will, and I think there’s a lot of people coming up that will pick up that mantle.”

Katko also pointed out that he came to Congress after 20 years as a federal organized crime prosecutor, during which he handled very complicated, crazy cases and earned all his gray hairs. “But I didn’t know much about cyber before I got here, because the biggest threat to homeland when I first got here, like I said, was ISIS, and those inspired major events. Now out of necessity, I’ve had to become an expert on cyber, and I think there’s plenty of people coming up that already have a working knowledge of cyber that will be able to pick up the mantle and run with it, no question in my mind,” he added.

Drawing on the cyber expertise he has developed, Katko evaluated the Biden administration’s record so far on cybersecurity. “I think they’ve had great appointments in the leadership positions. I think Inglis is superb, and I think Jen Easterly at CISA is a terrific, terrific appointment, and some of the others that they’ve had. I mean, I think they’ve got a very strong team across the board, and now that they’ve got these great leaders, the trick is going to be able to empower them, properly fund them, and make sure they all get along well in the sandbox. And that’s probably the last part of the puzzle we need to do,” he added.

As Katko leaves Congress, the cybersecurity threat that he is most worried about is “a catastrophic threat on the critical infrastructure sector, may it be at a grid, be at a water system.”

“Look what happened in Florida. If that guy didn’t stumble across what was going on at that water system in Florida, thousands of people would have been poisoned and maybe killed. That shows the vulnerability of our systems, and what keeps me up at night,” Katko adds.

At the same event, Anne Neuberger, deputy assistant to the president and deputy national security advisor for cyber and emerging threats, revealed that the communications, water, and healthcare sectors are looking at new cybersecurity standards. The move comes as the U.S. administration is working towards securing cyberspace and strengthening American critical infrastructure.
