Having succeeded in passing a number of their recommendations through the last National Defense Authorization Act, the commissioners plan to embrace an oversight role as they push for more new laws.
An attack on the water treatment facility of a small town in Florida this year continues to shape policymakers’ approach to cybersecurity, with key lawmakers citing the incident while discussing their priorities.
Some members of the congressionally established Cyberspace Solarium Commission—Reps. Mike Gallagher, R-Wis., Jim Langevin, D-R.I. and Samantha Ravich, chair of the Center for Cyber and Technology Innovation at the Foundation for Defense of Democracies—participated Tuesday in Hack the Capitol. The event, created by security researchers and sponsored by cybersecurity companies, was focused on securing the industrial control systems of critical infrastructure.
Asked to do the equivalent of choosing between her children in disclosing what critical infrastructure sector worries her the most, Ravich did not hesitate.
“I'll give everyone a hint, it’s what I’ve been drinking out of this bottle,” she said. “Water security, you know, terrifies me. A lot of attention goes to the energy sector and that is right, that is important, but frankly, in some respects, especially just as an average citizen, you can live without the lights on for a bit but, but try to live without water for even a few days.”
Ravich argued that an unknown intruder attempting to poison a water treatment plant in Oldsmar, Florida, in February shows that adversaries are aware of the vulnerabilities in the country’s water supply and demonstrated “the ease with which even an inexperienced hacker could alter the performance of automated production chemical balancing systems.”
Ravich and the other commissioners noted that there are elements that are foundational to security across multiple critical infrastructure systems, but both Gallagher and Langevin also found a powerful example of why they matter in the Florida water hack.
“I think it's an area we're not paying enough attention to,” Gallagher said. “I come from a district where we've had some water issues and it's really hard to overstate just the chaos that would ensue if you really started messing with people's water supply, and the lack of confidence that that would produce. It's really important to my constituents.”
Langevin, who has focused on secure software development and liability, highlighted the water hack in noting that “industrial control systems control physical processes, but their brains are digital circuits that run on software.”
Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger also used a forum on industrial control systems and the context of the water supply hack to tease an executive order—anticipated any day now— that is expected to include new software procurement standards.
But congressional action arguably has more staying power, Gallagher said. He said he and Langevin are working on getting the group’s next three recommendations into the upcoming National Defense Authorization Act. Those measures, he said, will be aimed at having the executive branch create three critical technology centers for testing and evaluating common elements of the supply chain; having the Department of Homeland Security designate “systemically important critical infrastructure” entities that would enjoy a degree of liability protection and access to intelligence in exchange for the security certification and incident reporting obligations; and requiring the executive branch to designate a non-governmental, non-profit organization to be funded as the National Cybersecurity Certification and Labeling Authority and manage a voluntary program for ICS devices.
Langevin’s position on the House Armed Services Committee was instrumental in turning some of the commission’s recommendations into law, Gallagher said. He predicted that the representatives and senators who served on the commission will spend time overseeing the administration’s implementation of laws like ones establishing the office of the National Cyber Director and granting new authorities to the Cybersecurity and Infrastructure Security Agency.
“I think a lot of our work is going to be just basic oversight and review the past successes to see where we hit the mark and where we may have missed it a little bit,” he said.
The other big thing the lawmakers will be focused on is swaying appropriators.
“We recommend an increase of at least $400 million for the FY22 appropriation to respond to these changing requirements,” Langevin and Gallagher wrote in an April 22 letter to the chair and ranking member of the House Appropriations Committee regarding CISA’s responsibilities.