Legislation to advance a landmark agreement between government and industry to secure critical infrastructure against a growing number of cyberattacks is coming under fire from an unexpected source: the financial sector.
A key politician says the banking sector – which is already subject to cybersecurity regulations – is inexplicably shooting itself in the foot by opposing the inclusion in “mandatory” legislation this fall of a provision that would fill application gaps in an increasingly interdependent ecosystem of critical infrastructure.
The provision was appended as an amendment to the National Defense Authorization Act for Fiscal Year 2023 passed by the House. It was not included in legislation tabled by the Senate Armed Services Committee, but there is still ample room in the NDAA process for amendments when the bill is expected to be introduced in the Senate in September.
“Ironically, the language they’re fighting is that any regulations already in place would be the norm for this industry,” said Mark Montgomery. Nextgov. “So they just impact all the other industries that aren’t well regulated that they rely on: satellites, cloud service providers, water, pipelines, etc.”
Montgomery served as executive director of the Cyberspace Solarium Commission, a congressional-mandated body with representation from lawmakers from across the political spectrum and senior private sector leaders. Congress created the commission by passing the 2019 NDAA, named after the late Sen. John McCain, R-Ariz. Montgomery was director of policy for the Senate Armed Services Committee under President McCain. He is now the head of cybersecurity and technology innovation at the Foundation for Defense of Democracies think tank, from where he continues to advocate for government adoption of Solarium Commission proposals. .
The commission’s big bargain was that companies controlling the nation’s most important critical infrastructure should receive certain benefits – such as priority access to government resources and protection from liability in the event of incidents – in exchange for taking in charge of certain burdens, such as the verifiable implementation of appropriate security measures. The recommendation to end a longstanding hands-off approach dating back to the Obama administration was documented along with a host of others the commission released in its March 2020 report.
The amendment to the NDAA being negotiated was presented by Rep. Jim Langevin, DR.I., who was commissioner at Cyber Solarium. It would lay the groundwork for executing the group’s proposal, directing the Secretary of the Department of Homeland Security to work with industry risk management agencies and the Office of the National Director of Cybersecurity to identify no more than 200 entities. of systemic importance.
These entities would then be required to report certain information to the Cybersecurity and Infrastructure Security Agency, which the legislation says will “directly support the department’s ability to understand and prioritize risk mitigation for critical functions.” national”, in particular through closer collaboration with intelligence agencies. .
Along with explicit guidance to eliminate duplicate requirements, Langevin’s provision would also create an interagency board — which would be co-chaired by the CISA director and the national director of cybersecurity — to determine “cross-sector cybersecurity performance goals and sector specific. These would “serve as clear guidance to owners and operators of critical infrastructure on the cybersecurity practices and postures the American people can trust and should expect for essential services,” the provision reads.
Opposition to the amendment from critical industry sectors not currently regulated for cybersecurity, including core information and communications technology providers, is unsurprising. The Information Technology Industry Council was among those who successfully opposed the inclusion of the Solarium Commission’s related recommendations for defense contractors in the NDAA 2021, for example.
On Thursday, Henry Young, BSA Policy Director | The Software Alliance, said Nextgov Langevin’s amendment to the current NDAA, “certainly proposed for all the right reasons, increases complexity and uncertainty.”
“To the extent that it adds an additional category and related requirements,” Young said of the amendment, “it misses a better opportunity to improve cybersecurity: to simplify requirements and provide certainty, which will allow organizations to focus on developing innovative cybersecurity solutions and less on compliance.”
But Montgomery is baffled, and angered, by the financial industry’s opposition to the Langevin Amendment, which would more likely target sectors lacking proper oversight.
“This current version is only a partial attempt to [Solarium] objective, but industry lobbyists cannot claim to have passed the previous, more comprehensive versions of the bill, as they have always been useless in this effort,” he said. “The opposition to financial services is particularly infuriating because it operates on the mistaken premise that this bill is unnecessary because they are ‘already sufficiently regulated’, when the clear intent of this legislation is to ‘identify critical infrastructure that, unlike financial services, does ‘not have enough cybersecurity guidance or resources, and then fix that problem.
The BSA and banking industry associations cited Presidential Directive 21 — a 2013 executive order from the Obama White House — to argue that the Langevin legislation risks duplicating a systemically important entity designation process. But while the Secretary of Homeland Security assigned a regulator — the Treasury Department — to the financial sector under PPD-21, a corresponding executive order specifically prohibited the secretary from designating commercial information technology as infrastructure. critical for possible cybersecurity regulation.
In July 2021, President Joe Biden issued a National Security Memorandum that picked up where Obama’s order left off, asking the Department of Homeland Security, in conjunction with the National Institute for Standards and technology and other appropriate agencies, to develop and publish performance goals. for sector-specific infrastructure as well as for infrastructure that crosses multiple agencies. CISA published this work and the administration is already using its power to issue cybersecurity requirements for the water, rail and pipeline sectors, but the White House is still seeking statutory reinforcement of its program in other areas. areas.
In April, as the wheels began to turn again on the NDAA vehicle, Nextgov reported on Langevin and other lawmakers considering the need to designate cloud service providers’ critical infrastructure, given the extent to which they underpin modern digital life. They were seeking to address the issue in legislation to implement the Solarium Commission’s recommendations regarding systemically important critical infrastructure.
To facilitate risk prioritization and management efforts, the Langevin Amendment directs the Secretary of Homeland Security to consider flagging systemically important entities by requiring them, for example, “to identify assets, systems, vendors, technologies, software, services, processes, or other dependencies that would inform the Federal Government’s understanding of the risks to the national critical functions present in the entity’s supply chain.
Pressed to explain what appeared to be a contradiction in their criticism of the Langevin Amendment – that the provision would be both redundant and require new data to be submitted to CISA – a banking industry source said Nextgov the objection was ultimately about the uncertainty of how this data would be used and the potential for its exposure to adversaries.
“You must have a clear goal that you are trying to achieve when creating [legislation]the source said, and we don’t see that reflected in this project today.
Montgomery said that “it would certainly be optimal if all benefits and encumbrances could be included,” to fully demonstrate the intent of the legislation. But he also dismissed the industry’s stated concerns about data sensitivity as outlandish.
“At a minimum, the accusation that government is a dangerous place to store data is crazy,” he said. “Do [the Bank Policy Institute] recommend everyone not to pay taxes because [Internal Revenue Service] could be attacked and your data compromised? Of course not.”