Congress is taking the issue of cybersecurity very seriously and using the tools at its disposal to boost the nation’s ability to defend itself in cyberspace.
Rep. James Langevin, D-R.I., is one of the most tech-savvy members of Congress. He is a senior member of the House Armed Services Committee, where he chairs the Cyber, Innovative Technologies, and Information Systems Subcommittee; sits on the Homeland Security Committee; co-founded and chairs the Congressional Cybersecurity Caucus; and served on the Cyberspace Solarium Commission.
Those credentials support his opening comment to the CyberNext DC conference on Nov. 18: “Cybersecurity is one of the major economic and national security challenges of our time. It’s been that way for a while, and it’s not going away.”
Langevin cited the increased visibility and impact of ransomware attacks as a reason that “my colleagues see an urgency for new legislation now, in a way that wouldn’t be possible a few years ago.”
One of his priorities is legislation to create a Joint Collaborative Environment, or JCE, one of the key recommendations of the Solarium Commission. He said language to create the JCE will be “codified” in this year’s National Defense Authorization Act.
“We talk a lot in Washington about enabling information [sharing],” he said. “In practice, entities must be able to make sense of what’s coming forward across the ecosystem. JCE would address this need—a common toolset for public and private stakeholders on cybersecurity risks [such as] malware.”
In addition, Langevin suggested, there are a small number of major companies in the U.S. that should be considered “systemically important critical infrastructure,” or SICI entities, that “should receive certain special benefits but also have certain special obligations.”
Two criteria determine a SICI enterprise. First, the entity’s operations must be highly important to the country. “If hit, would the company just have a very bad day, or would the country have a bad day?” Langevin explained. Second, the company must have a baseline level of cybersecurity maturity that enables it to assist in its own defense, he said.
“In cyberspace, these companies are on the front line, so the federal government must act in a supporting role—not something that we’re used to,” Langevin said. As for the special obligations and benefits, he said that might include defined levels of cybersecurity control to ensure they are properly securing their systems, and in return they might be given “certain liability protections” should they be attacked. “Perfect cybersecurity is unobtainable … Those SICI entities who followed all the recommended steps should not have the same level of liability as those who don’t.”
Langevin said the number of companies designated as SICI would not be large, no more than 120 or so. He said the Obama administration’s 2013 Executive Order 13636, Sec. 9, already required identification of the most critical of the critical infrastructure companies, so it would not be difficult to implement.
The reason to pass legislation covering something already addressed through an executive order is straightforward, Langevin said: “An EO that any president could rescind at any time is not enough of an anchor … [We should] enshrine the designation process in statute.”