To avoid another disaster like the Colonial Pipeline ransomware holdup, Rep. Abigail Spanberger proposes legislation to protect America's critical infrastructure from cyberattacks.
The United States lacks a comprehensive understanding of what constitutes “systemically important critical infrastructure,” despite recent cyberattacks such as this spring’s DarkSide hack of Colonial Pipeline, the Virginia lawmaker’s office said Thursday.
The nation’s largest pipeline network, Colonial transports vital petrochemicals through the commonwealth. The ransomware hack against the company disrupted gas supplies in several states.
In September, a cyberattack by the BlackMatter gang forced New Cooperative, an association of Iowa corn and soy farmers, to take its systems offline. Security researchers believe BlackMatter may be a reconstituted version of DarkSide, the ransomware syndicate that disrupted Colonial Pipeline, The Associated Press has reported.
The federal government lacks a process to strengthen protections for such infrastructure, whose disruption could harm America’s national security, economy, public health or supply chains, Spanberger's office said.
To remedy that, Spanberger and John Katko (R-NY-24), ranking member of the House Homeland Security Committee, this week introduced the Securing Systemically Important Critical Infrastructure Act.
Their bill would help establish a transparent process for designating “systemically important critical infrastructure.” It would direct the government’s Cybersecurity and Infrastructure Security Agency to prioritize benefits to SICI owners and operators without burdening them, Spanberger’s office said.
“Earlier this year, Central Virginia families and businesses felt the serious impacts of the cyberattack on the Colonial Pipeline,” Spanberger said in a statement. “In our communities, we saw how critical infrastructure—such as the Colonial Pipeline—plays a fundamental role in our daily lives and in the day-to-day success of our regional economy.”
The Democrat, who represents the 7th Congressional District, said the bill “would help prioritize protecting these systemically important systems from the serious consequences that cyberattacks can have on public safety and health, as well as on our supply chains.”
Spanberger and Katko are co-leading the legislation.
“Our goal is to understand the single points of failure and layers of systemic risk in our economy, because if everything is critical, nothing is,” Katko said. “This effort is complementary to bipartisan incident-reporting legislation that recently passed the House. As cyberattackers continue to act with impunity and disrupt our critical infrastructure, time is of the essence.”
Specifically, the bill would:
—Authorize the CISA director to establish a transparent, stakeholder-driven process to designate systemically important critical infrastructure, or SICI.
—Require CISA to consult with Sector Risk Management Agencies and stakeholders in establishing a methodology and criteria for determining what infrastructure qualifies as SICI.
—Provide CISA with clear guidance and parameters for establishing the SICI criteria.
—Require CISA to provide SICI owners and operators with the option to take part in the government’s prioritized cybersecurity services.