Congressional leaders of the Cyberspace Solarium Commission stressed a need to focus specifically on water treatment systems.
Leaders of the Senate Environment and Public Works Committee are touting their inclusion of cybersecurity considerations in a pair of bills that could form a significant part of the foundation for debate on a bipartisan infrastructure package Wednesday.
“My hope is that today’s hearing will shed some light on the urgent need to protect our physical infrastructure and will help spur further action as we consider infrastructure legislation,” Committee Chairman Tom Carper, D-Del., said after a hearing Wednesday.
Carper said the idea to hold the hearing came from Ranking Member Shelley Moore Capito, R-W.Va., one of a handful of bipartisan senators who reached an agreement with the White House over an infrastructure deal. But there are still disagreements within the Senate and with the House over issues like how to pay for what President Joe Biden hopes will be a historic level of investment.
During the hearing, Capito highlighted the Surface Transportation Reauthorization Act and the Drinking Water and Wastewater Infrastructure Act for including resources to improve cybersecurity in the related sectors.
On Monday, Senate Majority Leader Chuck Schumer announced that those two bills, along with two others that cleared their committees with overwhelming majorities—a rail and safety bill from the Commerce Committee and an energy infrastructure bill from the Energy and Natural Resources Committee—make up a core bipartisan infrastructure framework. He filed cloture on what he called a shell bill and said if senators can’t reach an agreement on legislative text for an infrastructure package by Thursday, he would make the four bills from the core bipartisan framework the content of a pending substitute amendment for the infrastructure debate.
As lawmakers look to move forward on broad infrastructure legislation, recent cyberattacks on water treatment facilities, including in Florida, Kansas and California, have already focused attention on that sector.
“These attacks are very scary for the public when you think about your water system being invaded,” Capito said. “When they occur they can leave us questioning the safety of our water systems.”
Carper cited a 2019 report from the American Water Works Association that identified cyber risk as the top threat facing the sector.
“Cyber vulnerabilities in our water systems represent unique national security challenges,” he said. “A major breach in our water infrastructure system could jeopardize the safety of our drinking water and impair a community's ability to safely dispose of harmful waste, threatening human health.”
Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., co-chairs of the congressionally mandated Cyberspace Solarium Commission, both testified before the committee on the importance of protecting the water sector specifically from cyberattacks, noting that it is generally not as well-resourced as other critical infrastructure sectors, despite its importance.
King said the federal government could help with technical support, penetration testing and a standard for protection.
Carper and Capito both expressed support for funding that isn’t tied to mandatory cybersecurity measures. That was the exact opposite tone of a hearing in the House Energy and Commerce Committee Tuesday where lawmakers heard that tying funds for cybersecurity to specific practices would appropriately incentivize improvement.
“There's no one-size-fits-all solution to all the different cyber threats facing our critical infrastructure systems. At the federal level, we should build flexibility into our solutions so that state and local leaders have the tools they need to effectively address their unique cybersecurity challenges,” Carper said. “At the same time, we must also recognize that many local government agencies and infrastructure systems face significant challenges in just fulfilling their core missions. Therefore, any federal assistance and cybersecurity should be structured to help these entities remain focused on their core mission.”
Capito added: “I look forward to hearing from our witnesses on the ways the federal government can act as a better partner in protecting our drinking water and wastewater systems from cyberattacks, without costly mandates that can distract from the core mission of providing safe, reliable and affordable water service to the American public.”
Also testifying before the committee, John Sullivan, head of the Water Information Sharing and Analysis Center, agreed with the senators on the need for flexible support. He said the Energy Infrastructure Act, which encourages participation in private-sector ISACs and is part of what Schumer considers a core infrastructure deal, is a promising model for legislation.