WASHINGTON — The U.S. House passed its $840 billion version of the annual defense policy bill, including a provision to identify and better secure critical infrastructure at most risk of cyberattack.
The measure, championed by retiring Rep. Jim Langevin, a Rhode Island Democrat, would designate certain critical infrastructure entities as “systemically important” for the wellbeing of the U.S. and establish new avenues for information sharing, risk management disclosures and rapid responses to digital intrusions, among other steps.
“In the nearly 22 years that I’ve served in Congress, we have come a long way in cyberspace,” Langevin said in a statement following the 329-101 House vote. “When I was elected in 2000, nobody was talking about cybersecurity.”
As many as 200 entities could initially be named, according to the language of the measure, with room for 150% more in four years. Entities could appeal placement on the list.
The vast majority of stateside critical infrastructure is stewarded by the private sector, with assets ranging from communications to chemicals, dams to the defense industrial base. Their destruction would debilitate U.S. economic security, public health and safety, according to the Cybersecurity and Infrastructure Security Agency.
Russia’s February invasion of Ukraine trained a spotlight on critical infrastructure and related digital vulnerabilities.
Lawmakers and analysts warned of potential cyberattacks on American assets — physical and virtual — and CISA issued a so-called Shields Up notice, urging heightened online awareness. The longer the Russia-Ukraine war grinds on, the more likely Moscow will act belligerently in cyberspace, according to Neal Higgins, deputy national cyber director for national cybersecurity.
The measure included in the House’s defense policy package is an offshoot of work done by the Cyberspace Solarium Commission, a bipartisan group assembled to analyze and improve U.S. cybersecurity. Its flagship report, published in 2020, included a recommendation that Congress codify systemically important critical infrastructure, also known as SICI.
“Both the private sector and the U.S. government have a vested interest in protecting these systems and assets and have unique responsibilities for their security and resilience,” the report stated.
Langevin was a member of the commission.
Colin Demarest is a reporter at C4ISRNET, where he covers military networks, cyber and IT. Colin previously covered the Department of Energy and its National Nuclear Security Administration — namely Cold War cleanup and nuclear weapons development — for a daily newspaper in South Carolina. Colin is also an award-winning photographer.