Finance Sector Deals Latest Blow to Cyber Solarium Construct Teetering in NDAA

Legislation to advance a landmark agreement between government and industry for securing critical infrastructure from an increasing array of cyberattacks is getting criticism from an unexpected source: the finance sector.

A key policy leader says the banking industry—which is already subject to regulations for cybersecurity—is inexplicably shooting itself in the foot by opposing inclusion in “must-pass” legislation this fall of a provision that would address enforcement gaps in an increasingly interdependent ecosystem of critical infrastructure.

The provision was attached as an amendment to the House-passed FY 2023 National Defense Authorization Act. It was  not included in legislation filed by the Senate Armed Services Committee, but there is still ample room in the NDAA process for changes when the bill is expected to come to the Senate floor in September. 

“Ironically, the language they have been fighting states that any regulation already in effect would be the standard for that industry,” Mark Montgomery, told Nextgov. “So they are just impacting every other industry that is not well regulated, and which they rely on: satellites, cloud service providers, water, pipelines, etc.”

Montgomery served as executive director of the Cyberspace Solarium Commission, a congressionally mandated body with representation from lawmakers across the political spectrum and top private-sector executives. Congress created the commission by passing the 2019 NDAA, named for the late Sen. John McCain, R-Ariz. Montgomery was policy director of the Senate Armed Services Committee under McCain’s chairmanship. He is now the lead for cybersecurity and technology innovation at the Foundation for Defense of Democracies think tank, from which he continues to advocate for the government’s adoption of the Solarium Commission’s proposals.

The grand bargain of the commission was that companies controlling the most important of the nation’s critical infrastructure should receive certain benefits—such as priority access to government resources and a liability shield in case of incidents—in exchange for shouldering certain burdens, such as the verifiable implementation of appropriate security measures. The recommendation to end a longstanding hands-off approach going back to the Obama administration was documented along with a host of others the commission issued in its March 2020 report.  

The amendment in the NDAA now being negotiated was introduced by Rep. Jim Langevin, D-R.I., who was a Cyber Solarium commissioner. It would lay the groundwork for executing the group’s proposal, instructing the secretary of the Homeland Security Department to work with sector risk management agencies and the Office of the National Cyber Director to identify no more than 200 systemically important entities. 

Those entities would then be required to report certain information to the Cybersecurity and Infrastructure Security Agency,  which the legislation says, “shall directly support the department’s ability to understand and prioritize mitigation of risks to national critical functions,” including through closer collaboration with intelligence agencies.

With explicit directions that look to eliminate duplicative requirements, Langevin’s provision would also create an interagency council—to be co-chaired by the CISA director and the national cyber director—to determine “cross-sector and sector-specific cybersecurity performance goals.” These would “serve as clear guidance for critical infrastructure owners and operators about the cybersecurity practices and postures that the American people can trust and should expect for essential services,” the provision reads.

Opposition to the amendment from critical sectors of industry not currently regulated for cybersecurity—most notably providers of foundational information and communications technology—is not surprising. The Information Technology Industry Council was among those successfully opposing the inclusion of related Solarium-commission recommendations for Defense contractors in the 2021 NDAA, for example.

On Thursday, Henry Young, policy director for BSA | The Software Alliance, told Nextgov Langevin’s amendment for the current NDAA, “certainly proposed for all the right reasons, increases complexity and uncertainty.”  

“To the extent it adds an additional category and attendant requirements,” Young said of the amendment, “it misses a better opportunity to improve cybersecurity: simplifying requirements and providing certainty, which will allow organizations to focus on developing innovative cybersecurity solutions and less on compliance.”

But Montgomery is baffled, and irritated, by the financial sector’s opposition to the Langevin amendment, which would more likely target sectors lacking appropriate oversight. 

“This current version is only a partial attempt at the [Solarium] objective, but industry lobbyists can't pretend they embraced previous, more comprehensive, versions of the bill, as they have been consistently unhelpful in this effort,” he said. “The financial services opposition is especially galling since they operate under the misguided premise that this bill is not needed since they are ‘already regulated enough’, when the clear intent of this legislation is to identify the critical infrastructures which, unlike financial services, don't have sufficient cyber security guidance or resources in place, and then remediate that problem.”

Both BSA and the trade associations for the banking industry cited presidential policy directive 21—a 2013 edict from the Obama White House—to argue that the Langevin legislation risks duplicating a process for designating systemically important entities. But while the secretary of Homeland Security has assigned a regulator—the Treasury Department—to the financial sector under PPD-21, a corresponding executive order expressly forbade the secretary from designating commercial information technology as critical infrastructure for potential cybersecurity regulation.

In July, 2021, President Joe Biden issued a national security memorandum that picked up where the Obama order left off, instructing the Department of Homeland Security, working with the National Institute of Standards and Technology and other appropriate agencies, to develop and issue performance goals for the sector-specfic infrastructure as well as for infrastructure that cuts across multiple agencies. CISA has published that work and the administration is already using its power to issue cybersecurity requirements for the water, rail and pipeline sectors, but the White House is still looking for statutory reinforcement of its agenda in other areas.

In April, as the wheels started turning on the NDAA vehicle once more, Nextgov reported on Langevin and other lawmakers considering the need to designate cloud service providers critical infrastructure, given the degree to which they underpin modern digital life. They were looking to address the issue in legislation to implement the Solarium Commission’s recommendations regarding systemically important critical infrastructure.

To aid prioritization and risk management efforts, the Langevin amendment instructs the Homeland Security secretary to consider reporting from systemically important entities by asking them to, for example, “identify critical assets, systems, suppliers, technologies, software, services, processes, or other dependencies that would inform the Federal Government’s understanding of the risks to national critical functions present in the entity’s supply chain.”

Pressed to explain what seemed like a contradiction in their criticism of the Langevin amendment—that the provision would be both redundant and require the submission of new data to CISA–a banking industry source told Nextgov the opposition was ultimately about uncertainty over how that data would be used and the potential for its exposure to adversaries. 

“You need to have a clear objective that you're trying to meet when you're crafting [legislation], the source said, and we don't see that reflected in this draft today.”

Montgomery said, “certainly it would be optimal if all the benefits and burdens could be included,” to fully demonstrate the intent of the legislation.  But he also dismissed the industry’s stated concerns over data sensitivity as farcical. 

“At a minimum, the charge that the government is an unsafe place to store data is crazy,” he said. “Does [the Bank Policy Institute] recommend everyone not pay taxes because the [Internal Revenue Service] might get attacked and your data compromised? Of course not.”