Banking Groups Urge Senators to Reject NDAA Provision as Harmful to Cybersecurity

Murat Taner/Getty Images

The provision for identifying “systemically important entities” included in the House-passed NDAA could still hitch a ride on the massive defense bill when it’s called to the floor in the upper chamber.

A provision in annual legislation to authorize spending by the Defense Department could endanger the cybersecurity of critical infrastructure, trade associations for the financial sector argued in a letter to key senators.

“Providing [the Cybersecurity and Infrastructure Security Agency] with details of supply chain risk management practices and ‘identifying critical assets, systems, suppliers, technologies, software, services, processes or other dependencies’ could expose firms to risk if it is inappropriately disclosed or stolen in a breach,” the American Bankers Association and the Bank Policy Institute wrote in a July 29 letter to the chair and ranking member of both the Senate Armed Services Committee and the Senate Homeland Security and Governmental Affairs Committee. “This information would be highly valuable to malicious actors, because it would provide a roadmap for how to attack a firm or disrupt a critical system or service.”

The letter described a provision attached to the House-passed National Defense Authorization Act during floor votes. It was not included in legislation filed by the Senate Armed Services Committee two weeks ago, but the NDAA process is just getting started, with ample room for changes, including when the bill is expected to come to the Senate floor in September. 

Proposed as an amendment by Rep. Jim Langevin, D-R.I., the provision would initiate an interagency process at the Department of Homeland Security to identify no more than 200 entities which would be designated “systemically important entities.” As such, they would be required to report certain information to CISA, in exchange for closer collaboration with intelligence agencies and assistance in responding to incidents. 

According to the legislation, the information required “shall directly support the department’s ability to understand and prioritize mitigation of risks to national critical functions.”

But that was not enough to satisfy the industry, which said the legislation doesn’t “specify what CISA would do with such information, [or] how it would be shared or protected against disclosure.”

“As the Senate considers the National Defense Authorization Act for Fiscal Year 2023, we urge you to oppose language creating a designation for Systemically Important Entities (SIEs) that was added to the House bill as floor amendment 554,” the letter reads. “Financial institutions are supportive of efforts to improve the identification and risk assessment of critical infrastructure but believe the provision, as written, would duplicate existing designations without addressing gaps in government efforts to help protect private critical infrastructure from national security threats.”

The provision represents the second attempt by House lawmakers to implement recommendations of the congressionally-mandated Cyberspace Solarium Commission, which suggested systemically important critical infrastructure be subject to both benefits and burdens in an ideal public-private collaboration, in the interest of cybersecurity. In April, debate over a proposal from Rep. John Katko, R-N.Y.—focused more on the benefits than the burdens—broke down along partisan lines.