Wednesday, January 22, 2025

US House bill seeks to assess manual operations of critical infrastructure during cyber attacks


Bipartisan legislation has been introduced in the U.S. House of Representatives that aims to establish a public report for Members of Congress to evaluate the manual operations of critical infrastructure during cyber attacks. The urgency of this measure is underscored by the increasing potential damage of cyber-attacks on vital infrastructures such as the electric grid, water systems, and pipelines, especially with the rising threats from adversarial nations like China, Russia, Iran, and North Korea, as well as state-affiliated groups. These cyber adversaries significantly threaten national and economic security.

Introduced last week by U.S. Congressman Dan Crenshaw, a Republican from Texas and a member of the House Permanent Select Committee on Intelligence, along with Rep. Seth Magaziner from the House Committee on Homeland Security, the Contingency Plan for Critical Infrastructure Act has been referred to the Committee on Homeland Security and, in addition, to the Committee on Transportation and Infrastructure, for a period to be subsequently determined by the Speaker, in each case for consideration of such provisions as fall within the jurisdiction of the committee concerned.

The Contingency Plan for Critical Infrastructure Act would require the director of the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the administrator of the Federal Emergency Management Agency (FEMA) and other sector risk management agencies, to deliver a joint sector-by-sector assessment to Congress.

The assessment would include an evaluation of how the National Cyber Incident Response Plan addresses the risk posed to critical infrastructure when it cannot swiftly transition to manual operation, and an assessment of CISA’s capacity and obligations, including remediation and response to cyber incidents and supporting critical infrastructure operators in sustaining operations of essential systems. It also includes an assessment of FEMA’s National Response Framework and how it is equipped to assist critical infrastructure owners and operators in transitioning to manual operating mode during cyber incidents.

Furthermore, the legislation prescribes an examination of the potential costs and challenges associated with mandating sectors to shift to manual operating mode in the event of a cyber incident. This includes considering financial implications, logistical hurdles, and operational impacts. It also includes the development of policy recommendations aimed at ensuring the continuous operation of critical infrastructure in scenarios where there is a widespread cyber incident affecting critical systems.

Additionally, the bill requires that FEMA update its planning considerations for cyber incidents. The updated planning considerations would include best practices and guidelines for essential personnel of critical infrastructure owners and operators, and steps that critical infrastructure owners and operators should take to respond effectively to different levels of degradation in their systems.

They would also include the identification of federal, state, and local resources that are available to support owners and operators of critical infrastructure in the event that they need to transition to manual operating mode, and specific guidelines on how to respond to and remediate the effects of cyber incidents on industrial control devices.

“Cyber-attacks are the number one threat to America’s critical infrastructure, and it’s not a problem any one government agency can solve or even protect against,” Congressman Crenshaw said in a media statement. “The private sector must be more involved, especially when it comes to our water, our energy, our transportation, and our communications. We need a comprehensive assessment of what more can be done to make critical infrastructure more resilient to future cyber-attacks, and we need it immediately.”

“We need to ensure that the infrastructure Americans depend on to keep the lights on, the water running and commerce flowing, are protected from cyber attacks,” said Rep. Magaziner. “This bipartisan bill will help ensure that Americans are protected from criminals and adversarial nations who target our country in cyberspace on a daily basis.”

FBI Director Christopher Wray testified before the House Select Committee on the Chinese Communist Party earlier this year, warning Members of Congress that Chinese government-backed hackers are working ‘to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous.’ One component of responding to the threat posed by America’s adversaries is understanding the challenges of operating critical infrastructure manually in the event of a catastrophic cyber-attack and how the government can better assist operators in such a situation.

Earlier this month, members of the U.S. House Committee on Homeland Security called for the Department of Homeland Security (DHS) and the Department of Energy (DOE) to declassify information about the national security threats posed by unmanned aerial systems (UAS), or drones, from the People’s Republic of China, notably those by Da Jiang Innovations (DJI) and Autel Robotics. The request stems from findings by Sandia National Laboratories (SNL) that highlight significant national security risks associated with these drones.
