Editor’s Note: Angus King is a senator from Maine and co-chair of the Cyberspace Solarium Commission. Tom Fanning is CEO of the Southern Company and a commissioner on the Cyberspace Solarium Commission. The opinions expressed here are their own.
As anyone who has watched the news the last few months can attest, the United States’ critical infrastructure continues to be unacceptably vulnerable to cyberattacks. In early May, Colonial Pipeline, responsible for delivering refined gasoline to much of the East coast, was shut down by a ransomware attack – leading to ’70s-era car lines from filling stations. Weeks later, JBS, one of the United States’ largest meat suppliers, suffered a similar fate – placing serious uncertainty in the international food supply chain.
This simply cannot be the norm. We must do better.
Many are rightfully asking what the US government is doing to prevent future incidents like these. But the reality is that a large portion – around 85%, according to some reports – of America’s critical infrastructure is privately owned. That limits the federal government’s ability to both identify attacks and assist the private enterprises that own and operate the critical infrastructure Americans depend on to live, work and play.
The federal government and private sector must arrive at a new “social contract” of shared responsibility to secure our country’s cyberspace where both parties have shared, mutual responsibilities. The federal government must be assured that the private companies who own and operate critical systems and assets are doing their utmost to protect them. Likewise, private companies must be assured that the federal government is doing all it can to assist them. This means the federal government must offer up authorities and resources to both defend against and respond to significant cyber-incidents. Building this trust through collaboration is essential to defending America’s critical infrastructure.
More Tech & Innovation Perspectives
The bipartisan Cyberspace Solarium Commission, on which we serve as commissioners, has spent the last two years attempting to address these issues. We’ve recommended steps policymakers can take to increase the visibility of cyber threats and ways to improve the US government’s ability to defend our federal IT systems and support the owners and operators of our country’s most critical systems and assets. The commission recommended more than 75 measures. Last year alone, 25 of the commission’s proposals passed into law – a significant step forward, but clearly only a first step.
This year, Congress has the ability to enact further proposals to close the gap between critical infrastructure providers and the federal government in addressing cyberattacks. Of these proposals, the concept of “systemically important critical infrastructure,” (SICI) is the most important.
Under this law, the Department of Homeland Security would designate a system or asset as “systemically important critical infrastructure” if its disruption is likely to cause widespread damage to the national security, economic security, or public health and safety of the United States. This could include the interruption of critical services, such as water or power, or the disruption of hospitals or financial systems. It would also include systems and assets whose disruption would undermine key national security or defense capabilities or lead to the widespread compromise of critical technologies or devices across the cyber landscape. Companies that own or operate these systems would gain additional “benefits” from the government, such as intelligence and liability protections, and assume additional “burdens,” such as incident reporting and security certification requirements.
SICI legislation would offer three main benefits prior to, and in the event of, a cyberattack. First, to prevent attacks and incidents, SICI entities would receive relevant threat intelligence collected on foreign actors and tailored to the risk profile of the company. Second, in the event of an attack, on one entity, the Secretary of Homeland Security would share relevant information with other companies operating critical infrastructure while protecting the victim company’s information. Finally, in the event that a company has made a good faith effort to comply with SICI performance standards, they would be provided safe harbor and be insulated from liability for damage caused by an attack on their systems.
But with those protections will come mutually agreed upon expectations. Under the legislation, private companies that are listed as managing SICI-designated entities would be required to meet a set of “performance standards” designed by the Department of Homeland Security and the National Institute of Standards and Technology (NIST).These standards – which would include third-party assessments – are designed to ensure that the owners and operators of these entities are doing at least the minimum required to ensure the security of their assets.
This is not a one-size-fits-all solution, nor is it an additional layer of bureaucracy – it recognizes that not all companies are the same size, criticality, or maturity and many face existing regulations. The law takes into account these realities, ensuring that there is no undue burden in the pursuit of accountability.
Today, no such set of standards or benefits exist. Instead, there is a patchwork of sector-specific federal and state regulations, some of which – like those pertaining to the financial services and electricity sectors – largely meet muster, while others – like those in the water sector – do not. As a result, some companies would exceed any potential standard while a number of others would have work to do.
For companies whose current practices exceed SICI standards, the government would reward their cybersecurity investments with concrete legal liability protections. For the critical infrastructure providers that do not meet these standards, it ensures they would integrate cybersecurity into their decision making. Consequently, SICI legislation would work hand-in-hand with America’s critical infrastructure providers to establish mutual accountability and collaboration in a way not previously possible.
Americans depend on uninterrupted access to basic amenities like water, energy, and fuel to do the work necessary to keep this country running. The private sector and the federal government must collaborate under a truly joined effort to protect valuable assets. Codifying cybersecurity standards for the most critical infrastructure and improving public-private relations in cybersecurity are an essential step toward ensuring that work can be done. In an era where malicious actors and adversarial states are attacking our infrastructure with record intensity, Congress must not fail to deliver on common sense reforms which would secure the systems on which we all rely.