Top cyber officials highlighted the importance of defensive measures as lawmakers move on related initiatives, including a bill to identify systemically important critical infrastructure.
Making critical infrastructure more resilient to attacks will be one of four outcomes national security officials hope to achieve by hosting representatives from 30 countries in coming weeks.
“Later this month the National Security Council will be hosting 30 countries coming together on a counter ransomware initiative with four lines of effort around cryptocurrency resilience disruption and diplomacy,” Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger said.
Neuberger spoke Tuesday at Mandiant’s Cyber Defense Summit along with National Security Agency and U.S. Cyber Command Director Paul Nakasone, who also described efforts to combat ransomware with the private sector.
“Partnerships are truly essential to achieve outcomes, either by bolstering defenses or disrupting adversary activities,” Nakasone said, adding that Cyber Command and NSA are “focusing on sharing insights at an unclassified level, creating new environments and spaces both physically and virtually for unclassified collaboration, and working with companies to convey that ‘we are from the government and we're here to help’ is not a terrifying idea.”
Neuberger said participants at the ransomware meetings will try to arrive at “what are the most effective resilience efforts so that we are more defensible against this threat.”
The international effort will also seek cooperation on increasing visibility through anti-money laundering efforts, holding nation-states accountable for harboring cyber criminals, and helping to build capabilities in other countries. But following events like the ransomware attack on Colonial Pipeline and other massive hacks this year, lawmakers are still divided on how to improve the resilience of U.S. critical infrastructure.
On Tuesday, Rep. John Katko, R-N.Y., the ranking member of the House Homeland Security Committee, proposed legislation with Rep. Abigail Spanberger, D-Va., aimed at identifying systemically important critical infrastructure, the owners of which would move to the front of the line for resources—including security clearances—and other assistance from the government.
The Cybersecurity and Infrastructure Security Agency already describes 16 critical infrastructure sectors, which officials have said President Joe Biden shared with Russian President Vladimir Putin in a meeting about the kinds of attacks that shouldn’t be tolerated by responsible governments.
The idea of identifying a narrower set of systemically important critical infrastructure emerged from the congressionally mandated, non-partisan, public-private Cyberspace Solarium Commission. The commission recommended critical infrastructure companies determined to be systemically important be given certain benefits but also that they should bear certain responsibilities, such as the implementation of appropriate cyber defenses that would improve their resilience to attack.
The Katko bill does not include the second part of the equation, but legislation from Sens. Angus King, I-Maine, and Ben Sasse, R-Neb.—both members of the Solarium commission—as well as Senate Armed Services Committee member Mike Rounds, R-S.D., comes closer to the initial proposal. The Senate bill, introduced in July, would require the secretary of Homeland Security “to determine the benefits and burdens for SICI-designated entities,” according to a press release.
“The passage of a law codifying systemically important critical infrastructure (SICI) in law and establishing a methodology for identifying SICI is a critical first step in reimagining the social contract between the Federal government and our most important economic, national security, and societal assets,” King said in a statement to Nextgov. “However, Congress must continue to do its utmost to ensure that the executive branch, spearheaded by the Cybersecurity and Infrastructure Security Agency and National Cyber Director, are given the direction, authorities, and resources to implement a systematic approach to protecting SICI entities.”
In a subsequent press release, King applauded the new Katko-Spanberger bill.
As lawmakers prepare to enter the next phase of negotiations over the annual defense authorization act, they are also trying to reconcile House and Senate proposals on how to get companies to report cyber incidents to the government, with Sen. Mark Warner, D-Va. describing the House bill as toothless.
Warner has legislation on the issue that is separate from that proposed by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio. The Peters-Portman bill, which is more aligned with the House proposal, is scheduled for a markup in the Homeland Security and Governmental Affairs Committee Wednesday.
Testifying before the Senate Homeland Security Committee Sep. 23, CISA Director Jen Easterly voiced support for fines to enforce cyber incident reporting. That mechanism is included in the Warner bill, but not the Peters-Portman legislation or the House bill, which both would use subpoenas to try to draw information on incidents out of companies.
Asked on Tuesday whether he has an opinion on the incident disclosure efforts in Congress, Nakasone said only that he agreed with Easterly.