The Biden administration is looking to Congress for help with ‘filling gaps in statutory authorities’ for improving U.S. cybersecurity.
Department of Homeland Security Secretary Alejandro Mayorkas suggested U.S. cybersecurity policy should continue to rely on critical-services providers voluntarily implementing measures to protect their operations from cyberattacks.
Mayorkas testified before the House Homeland Security Committee Tuesday, alongside FBI Director Christopher Wray, on worldwide threats to the homeland. Cybersecurity has formed an increasingly significant portion of the annual hearing, which this year focused on an array of nation-state and criminal adversaries.
Addressing all witnesses, outgoing Rep. Jim Langevin, D-R.I., asked “what gaps should we be looking to fill related to improving the cybersecurity of critical infrastructure?”
Langevin put his question in the context of a Nov. 7 letter President Joe Biden wrote to select congressional committees, which noted, “Our nation lacks a comprehensive way to establish mandatory minimum cybersecurity requirements across our critical infrastructure, and current approaches differ by sector.”
“My Administration looks forward to working with the Congress to fill gaps in statutory authorities to ensure our critical infrastructure is protected from cyber attacks,” the letter reads.
Mayorkas did not respond directly to the question. He instead recounted actions DHS’ Transportation and Security Administration and the Cybersecurity and Infrastructure Security Agency have already taken. In CISA’s case, he praised the release of voluntary cybersecurity performance goals and said the agency should focus more of its efforts on international collaboration.
Wray, similarly, did not directly answer the question, but weighed in on the FBI’s relationship with cybersecurity firms and critical infrastructure stakeholders, following efforts to mitigate Russian cyberattacks against Ukraine.
“The private sector partnership is the critical ingredient to defending critical infrastructure in this country,” he said. “And I think we've made very significant progress. There's also a lot more work to be done, but we're very much on the right path in my view.”
Wray drove home the importance of industry’s role in securing critical infrastructure, more than 80% of which is privately controlled, by highlighting a potential shift in adversarial objectives.
“It's become an increasingly crowded field of threat actors targeting critical infrastructure,” he said, adding. “One of the things we were particularly concerned about during the Russia-Ukraine conflict is the possibility that, for example, the Russian intelligence services—which have long targeted our critical infrastructure for espionage purposes—could choose to use the same access for more destructive purposes.”