Langevin tees up cyber legislation for 2022

Rep. Jim Langevin (D-R.I.) is looking to create a statutory framework for threat information sharing and mitigation between a small number of critical infrastructure firms and the federal government.

Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

Rep. Jim Langevin (D-R.I.) is laying the groundwork to pass cyber legislation next year that would cement a threat information sharing framework between the federal government and the nation's top critical infrastructure companies.

Langevin, who chairs the House Armed Services Cyber, Innovative Technologies, and Information Systems Subcommittee, said creating a bill to establish an ecosystem of systemically important critical infrastructure entities (SICIEs) would be his top priority for 2022.

The proposal is part of the legislative recommendations of the Cyberspace Solarium Commission, on which Langevin served.

Speaking at the CyberNext conference in Washington, D.C. on Nov. 18, Langevin explained that the proposal recognizes private entities whose operations are of "high consequence to the nation" and that have a "baseline level of cybersecurity maturity" that puts the firm in a position to defend its own networks.

"In other words, if a certain company were hit with a ransomware attack, and its services were disabled, would it be just the company having a bad day, or the entire country having a bad day," Langevin said.

Companies that have far-reaching operations and the cyber capabilities, including technical staff and infrastructure, would be invited to collaborate with the federal government's cyber agencies on mitigation in the event of an attack or an identified threat. Langevin said he expected legislation to rely on parameters spelled out in a 2013 executive order on protecting critical infrastructure to provide the basis for who is tagged with the SICIE label.

"You may be thinking that this is quite a small swath of our nation's critical infrastructure. And you'd be right," Langevin said. He estimated that not more than 120 companies would earn the designation. He also said he wanted to make sure the SICIE category is enshrined in law, rather than in an administrative order that can be repealed or changed.

"Legislative solutions and cybersecurity problems are not always easy, and we need to make sure that we get them right," Langevin said.

The planned critical infrastructure legislation is a follow-on to a measure establishing a joint collaborative environment (JCE) for analyzing cybersecurity threats to be shared by the public and private sectors. Langevin proposed the establishment of the JCE in the FY2022 National Defense Authorization Act, and he said he is "confident" that the measure will be included in the final bill.

"Without a common toolset for analyzing cyber threat information streams, the act of sharing information will be significantly less effective. So [with] the JCE we basically address this need: it will support a common toolset that public and private sectors' stakeholders can use to collaboratively analyze information on cyber threats, cybersecurity risks."

The proposal would facilitate what Langevin called a "social contract" between the U.S. government and private sector companies that could see benefits, such as limited liability, in exchange for sharing information on cyber threats.

"I hope to work with my colleagues and both parties on a comprehensive bill that contains both benefits and obligations [for SICIE companies] because achieving the operational equation that Solarium envisioned is only possible with both."