Recent cybersecurity legislation passed by the House suggests that Congress is still not serious about addressing the cyber threats against our critical infrastructure. Some recent noteworthy examples:
The Energy Cybersecurity University Bill directs the Secretary of Energy to create a grant program to “provide financial assistance to graduate students and postdoctoral researchers pursuing certain courses of study relating to cybersecurity and infrastructure.”
How does this address the immediate danger of cyber vulnerabilities in our energy sector? Aren’t there more near-term and impactful actions that we could focus on? Maybe mandating certain minimum cybersecurity standards like multi-factor authentication? And perhaps there are ways that the federal government could incentivize the adoption of critical cybersecurity capabilities and help fund such mandates. Also, requiring energy sector owners and operators to manage and report cyber risk in accordance with a defined standard like the NIST Cybersecurity Framework (CSF) is critically important for measuring risk posture and improvement over time across the entire energy sector.
The House-passed RANSOMWARE Act requires the Federal Trade Commission (FTC) to provide a biennial report on ransomware and other cyberattacks from foreign groups or governments targeting the U.S., with a particular focus on Russia, China, North Korea, and Iran. It seems the real emphasis here was coming up with a cute yet cumbersome acronym – Reporting Attacks from Nations Selected for Oversight and Monitoring Web Attacks and Ransomware from Enemies (RANSOMWARE). Good grief. All that just to mandate another report every two years.
Who else would have assumed that this type of incident data regarding our most significant adversaries was already being collected and could easily be reported? Whether the responsibility falls to the FTC or not, shouldn’t cybersecurity incident data from these adversaries be top-of-mind already, and likely readily available from another government agency like CISA?
These are two recent examples of cybersecurity legislation that suggest we still aren’t taking cyber threats against critical infrastructure seriously. We appear to be crawling when we should have been sprinting years ago.
The Colonial Pipeline ransomware attack was more than a year ago. That event alone should have been enough of a wake-up call to convince the federal government to take immediate steps to secure the energy sector. It wasn’t the first attack against our critical infrastructure, but it raised awareness of the energy sector’s vulnerability because it caused gas prices to go up.
Previous articles I’ve published have hypothesized about the impact of cyberattacks on our power grid. Such events could be catastrophic. Russia, for instance, demonstrated an ability to take down power grids in other countries more than ten years ago. The risk to our power grid is real and should be taken very seriously.
Meanwhile, the federal government is spending time and effort on benign legislative efforts to address the cyber risk to our energy sector. More layers of bureaucracy are being added to create a “cybersecurity university” that offers no direct or immediate benefit to address the known gaping chest wounds facing our energy sector. Instead, legislators are spending time on a bill to simply require a report on cyberattacks – information that is likely already being collected and could easily be reported without congressional action. How is it that legislators have seemingly just now become concerned about cyberattacks attributable to Russia, China, North Korea, and Iran when those countries have been major players in such attacks for years? Maybe passing these two bills before leaving for the August recess was a way to show action on cybersecurity, rather than to take action that will have a real impact.
These recent examples of cybersecurity legislation appear to be more legislative theater than the meaningful actions needed NOW to provide near-term risk reduction benefits for the energy sector.
Even some well-meaning amendments on critical infrastructure cybersecurity, which the House added in July to the annual defense authorization bill, don’t do enough. Yes, it’s a good idea, as these amendments propose, to designate (i.e., prioritize) certain critical infrastructure entities “as systemically important” and to create an interagency council for critical infrastructure cybersecurity coordination (even if that is only to facilitate harmonization of future federal agency cybersecurity policies and requirements). But they aren’t game changers like further pushing the energy sector to make greater use of effective cybersecurity tools and strategies, and to manage and report their cyber risk using the NIST CSF.
As a country, we need to not just acknowledge that our critical infrastructure is at risk of cyberattack from certain adversaries, but to take steps to protect it before it’s too late.