Where CISA’s Plan for Securing Industrial Control Systems Intersects with Private-Sector Liability Protections

Gary Saxe/Shutterstock

Companies are reluctant to collaborate with the government unless they are legally off the hook.

The Cybersecurity and Infrastructure Security Agency’s newly released strategy to invest in technology to protect industrial control systems from cyberattacks relies on private-sector entities sharing information about risks they face with the government but doesn’t include liability protections companies are asking for in exchange.

Industrial control systems are used to automate processes in sectors such as electricity, water, transportation and manufacturing. If hackers successfully infiltrate them it could lead to devastating physical consequences, so they are attractive targets.

CISA’s five-year plan to protect these systems is to work with their private-sector owners and operators to identify the threats they’re encountering and assess where they’re vulnerable, so the government can ultimately prioritize investments to improve their defenses.

The strategy doesn’t note where the government’s share of the investments would come from. A bill approved by a House Appropriations Committee Tuesday would provide $2.25 billion in funding for CISA in 2021.

“CISA and the ICS community must know the impact our actions have on the national ICS risk landscape, particularly with respect to [National Critical Functions],” the CISA plan reads. “With this knowledge, together we will work as a single, unified organization that achieves sustainable and enduring ICS security and drives wise, risk-informed ICS security investments.” 

But companies have long been reluctant to share information about their defenses for fear they’ll be held responsible for any resulting harm. 

A 2015 law on sharing information for cybersecurity provides protections from liability related to antitrust issues. A public-private CISA task force last year proposed further “resolving legal constraints” to information sharing.  

CISA’s strategy is one part of a more comprehensive vision for protecting critical infrastructure, which is outlined by the Cyberspace Solarium Commission, and takes such concerns into account. 

“I think the tension is that people don’t want to share because there’s a possibility that in sharing they may expose themselves, there may be problems,” Brandon Valeriano, a senior advisor to the commission told Nextgov during a webcast Tuesday. “That’s really a key issue, is we need to get people to be more open about what the problems are in this [private] sector." 

Establishing the kind of trust such information sharing necessitates is foundational to CISA’s strategy. 

The Solarium Commission recommends passing a law that guarantees critical infrastructure companies designated as systemically important are protected from liability if they come under certain cyber attacks, including those perpetrated by transnational criminal groups. But those companies “would need to have demonstrated good-faith compliance with all requirements set as a consequence of their designation,” including national risk identification and assessment efforts, under the solarium recommendations.

An amendment to the National Defense Authorization Act in the Senate—SA 2095—proposes “removing legal barriers relating to cooperating with the federal government during times of emergency or to promote national security.” It would provide a liability shield for certain critical infrastructure companies under certain conditions, including cyberattacks.