HENRICO, V.A.  — U.S. Rep. Abigail Spanberger this week led the introduction of bipartisan legislation to protect systemically important critical infrastructure (SICI) from cyberattacks.

Even in the wake of recent cyberattacks on critical infrastructure, like the DarkSide attack on the Colonial Pipeline, the United States lacks a truly comprehensive understanding of what constitutes “systemically important critical infrastructure.” As a result, the federal government does not have a formal process for identifying and strengthening protections for this subset of critical infrastructure that — if disrupted — would have a debilitating effect on America’s national security, economy, public health, or supply chains.

The Securing Systemically Important Critical Infrastructure Act would help establish a transparent process for designating SICI and direct the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize meaningful benefits to SICI owners and operators without any additional burden. Spanberger is co-leading this effort with U.S. Representative John Katko (R-NY-24), Ranking Member of the U.S. House Homeland Security Committee.

“Earlier this year, Central Virginia families and businesses felt the serious impacts of the cyberattack on the Colonial Pipeline. In our communities, we saw how critical infrastructure — such as the Colonial Pipeline — plays a fundamental role in our daily lives and in the day-to-day success of our regional economy,” said Spanberger. “As we look to protect the American people from future threats and keep our economy competitive, I am proud to join my colleague, Ranking Member Katko, in introducing this timely legislation. Our bipartisan bill would help us identify the critical infrastructure that is particularly foundational and systemically important to our economy and national security, and it would help prioritize protecting these systemically important systems from the serious consequences cyberattacks can have on public safety and health, as well as on our supply chains.”

“Over the past year, we’ve seen the devastating real-world impacts of sophisticated cyber attacks on our nation’s critical infrastructure. To mitigate risks to our economic and national security going forward, we need a clear process for identifying which infrastructure constitutes systemically important critical infrastructure. Disruption to this infrastructure – ranging from pipelines to software – could have an outsized impact on our homeland security. The owners and operators of SICI naturally demand deeper cyber risk management integration with the federal government. In recent months, we have collaborated extensively with industry to codify a transparent, well-understood, stakeholder-involved process for identifying SICI,” said Katko. “Our goal is to understand the single points of failure and layers of systemic risk in our economy, because if everything is critical, nothing is. This effort is complementary to bipartisan incident reporting legislation that recently passed the House. As cyber attackers continue to act with impunity and disrupt our critical infrastructure, time is of the essence. I look forward to working with Chairman Thompson and the Committee Majority to advance this critical legislation.”

Specifically, the Securing Systemically Important Critical Infrastructure Act would:

• Authorize the CISA Director to establish a transparent, stakeholder-driven process to designate systemically important critical infrastructure, or SICI.
• Require CISA to consult with Sector Risk Management Agencies (SRMAs) and stakeholders in establishing a methodology and criteria for determining what critical infrastructure qualifies as SICI. 
• Provide CISA with clear guidance and parameters for establishing the criteria for SICI.
• Require CISA to provide SICI owners and operators with the option to take part in prioritized cybersecurity services, including:
• Front-of-the-line access to CISA’s key cybersecurity programs, including technical assistance, and voluntary programs to continuously monitor and detect cybersecurity risks;
• Prioritized representation in CISA’s newly established Joint Cyber Defense Collaborative (JCDC);
• Prioritized applications of SICI owners and operators for security clearances, as appropriate. 

Click here to view a one-pager on the bill, and click here for the full bill text.

BACKGROUND

Spanberger has long focused on emergency preparedness and protecting critical infrastructure. Within the first days of the 117^th Congress, she reintroduced her bipartisan Analyzing Disaster Vulnerabilities and Applicable National Capabilities for Emergencies (ADVANCE) Act, which would improve the federal government’s ability to simulate the impact of natural disasters and public health crises on critical infrastructure.

She has also demonstrated a commitment to tackling the rising issue of cybercrime in Virginia and across the country. Earlier this year, Spanberger introduced her bipartisan Better Cybercrime Metrics Act, which would improve how the federal government tracks, measures, analyzes, and prosecutes cybercrime. This week, the National Fraternal Order of Police backed this bipartisan and bicameral bill. And last month, Spanberger penned an op-ed in The Hill outlining the need for her legislation.

In May 2021, Spanberger urged President Joe Biden to recognize the vulnerabilities revealed by the foreign-based ransomware attack that shut down the Colonial Pipeline. Additionally, she called on the President to create an interagency strategy that can increase cybersecurity collaboration between government agencies and the private sector, strengthen protections for American supply chains, and deter hackers from attacking in the future.

###