Legislative and Federal policy efforts are coming together to focus on protecting the top-most tiers of critical infrastructure in the United States, top officials from the House and the Cybersecurity and Infrastructure Security Agency (CISA) agreed today.
The bipartisan Securing Systemically Important Critical Infrastructure (SICI) Act introduced earlier this month by Reps. John Katko, R-N.Y., and Abigail Spanberger, D-Va., aims to identify SICI and protect it from cyberattacks. Although the bill is still awaiting further action in the House, CISA Director Jen Easterly said her agency is already taking steps to protect critical infrastructure regarded as systematically important.
During an event today hosted by the Center for Strategic and International Studies, Rep. Katko, ranking member of the House Committee on Homeland Security, and Easterly discussed the importance of protecting critical infrastructure, and why legislation like the SICI Act is critical in a time of increased cyberattacks.
“This Systemically Important Critical Infrastructure Act is something that I’m particularly proud of, because it’s emblematic of my thought process with respect to how to deal with this unbelievable scourge of ransomware attacks,” Rep. Katko said. “And that is to set up a collaborative model whereby it’s not just regulatory in nature, but it’s much more collaborative in nature. And it starts with identifying what really is systemically important critical infrastructure. If everything is SICI… then nothing really is SICI, right?”
Easterly agreed with the ranking member and said she believes protecting SICI “is hugely important.”
“Notwithstanding whether this ends up in legislation or not, and I certainly hope it does, we are already thinking through the model,” the CISA director said.
Easterly explained that CISA is currently prototyping a variety of different approaches in its National Risk Management Center to start identifying what constitutes SICI, “based on economic centrality, network centrality, and logical dominance in the national critical functions.”
However, Easterly noted CISA is not a huge fan of the SICI acronym, saying it sounds “disturbing” sometimes with its similarity to “sickie,” so instead her agency is calling this effort “Pisces: Primary Systemically Important Entities.”
“We’re looking at this through a variety of lenses. We’re going to move forward and do it whether it ends up in legislation or not, but I think that signaling, that ending up in law, will be very helpful in continuing to bring the private sector to the table,” Easterly said. “Because, I think we’re in a state now where our critical infrastructure is much more vulnerable than it should be. And frankly, that’s what I worry about most every day.”
Rep. Katko agreed that bringing the private sector to the table is important to preventing future cyberattacks, and hopes his bill will serve as a way to do just that.
“I really think this bill would set the tone for having that model whereby we look at seemingly intractable problems in the cyber realm and don’t just say, I in Congress, have all the ideas. Don’t just say, I at CISA have all the ideas, or don’t say that I in the private sector have all the ideas. Work together. Sit down and figure [it] out,” Rep. Katko said. “Tell us what you think is important and then let’s take the most important of the most important, and really drill down to make them as safe as possible.”