Federal push to identify, protect critical groups from hackers gains momentum

Efforts in the federal government and Congress to identify and further protect groups critical to national security from cyber threats are gaining ground amid recent destructive ransomware attacks, officials say.

Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly said Friday that her agency has kicked off an effort to identify “primary systemically important entities” to be protected from threats, often those critical to national continuity. 

“We are prototyping a variety of different approaches in our National Risk Management Center … to try and start identifying those entities that are in fact systemically important, and we are doing it based on economic centrality, network centrality, and logical dominance in the national critical functions,” Easterly said during a virtual event hosted by the Center for Strategic and International Studies (CSIS). 

CISA’s efforts to identify organizations to further protect come as the nation continues to face a wave of ransomware attacks that have, at times, destabilized key supply chains. These have included the ransomware attack in May on Colonial Pipeline, which led to gas shortages in multiple states for over a week. 

“Ransomware, truly a scourge that is affecting all of our lives every day,” Easterly said Friday.

The new program at CISA is being explored as momentum builds on Capitol Hill to take action to guard against such attacks.

House Homeland Security Committee ranking member John Katko (R-N.Y.) and Rep. Abigail Spanberger (D-Va.) earlier this month introduced the Securing Systemically Important Critical Infrastructure Act. The bill would authorize CISA to set up a program to identify critical groups to protect, similar to what the agency is now undertaking. 

Easterly stressed Friday that while the legislation is similar, she still supported the need to sign it into law. 

“I think that signaling, that ending up in law, will be very helpful in continuing to bring the private sector to the table, because I think we are in a state now where our critical infrastructure is much more vulnerable than it should be, and frankly that’s what I worry about most every day,” Easterly said. 

Katko, speaking at the same event Friday, teased the potential for his legislation to be included in the annual National Defense Authorization Act, particularly as he is set to sit on this year’s conference committee on the defense package. 

“NDAA has become a very potent vehicle to get legislation passed that sometimes may struggle to get going on its own,” Katko said. “We are hopeful if and when it goes to conference, I’m going to be on that conference committee to make sure those bills stay in there, so yes it absolutely has become a potent ground for doing that.”

Efforts around identifying which organizations are critical have become increasingly important as Congress also considers various forms of legislation to mandate critical groups to report cyber incidents to the federal government.

In part, this is to address threats coming from countries including Russia and China, with multiple major cyberattacks over the past year linked to cyber criminals based in Russia. 

President Biden addressed this issue with Russian President Vladimir Putin earlier this year during their in-person summit in Geneva, handing the Russian leader a list of 16 entities that were off limits to attack.

While Biden has taken a series of other actions against Russia for cyber activities, including levying sanctions on the country in April in retaliation for the SolarWinds hack, both Easterly and Katko advocated Friday for going further, particularly as Russian cyberattacks continue. 

“It has to be all instruments of national power, and we have to be able to stand behind, when we say we are going to impose costs, when we say we are going to hold actors accountable, we have to be able to have tools that can effectively do that,” Easterly said. 

Katko advocated for more sanctions in response to malicious cyber activity.

“I think that we need to do more than we’re doing at a minimum,” Katko said. “We can’t have China acting with impunity attacking our systems, and malign actors within Russia acting under the perimeter of Putin to be going unchecked, and they largely have.”

“I think that we need to not do something that is going to start World War Three, but we need to do something to make them feel the pain,” he said.