A series of high-profile cyber incidents at the beginning of 2021 catapulted the 117th Congress into action. Across chambers and party lines, and with steadfast leadership from the Biden-Harris administration, we came together to enact enormously consequential cybersecurity policy. This Congress also ushered in a new era of collaboration with the private sector, which has come to the table to work with the federal government to develop sound policies to advance improved cybersecurity and resilience. In the remaining days of this Congress, and as we look ahead to the next one, we must chart a new course forward that builds on our successes.
The SolarWinds attack revealed significant blind spots in the government’s understanding of malicious cyber activity on domestic networks. In response, I introduced the Cyber Incident Reporting for Critical Infrastructure Act of 2021 (CIRCIA). The successful bipartisan, bicameral push to get this mandatory cyber incident reporting legislation enacted into law this Congress would not have been possible without unprecedented cooperation from the private sector. Thanks to our efforts, the Cybersecurity and Infrastructure Security Agency (CISA) will soon receive cyber incident information that will enable the government and its partners to detect and disrupt malicious cyber campaigns earlier, and invest more strategically in cyber defenses. I am encouraged that the rulemaking process is underway with robust stakeholder input, and am hopeful that with the right resources, CISA will issue a final rule well ahead of schedule. As the process progresses, I have two priorities. First, I am committed to doing everything in my power to ensure CISA is positioned to operationalize and enhance the value of information collected from incident reports for the stakeholder community. Second, I will continue working to make federal cyber incident reporting requirements as streamlined as possible to ensure CIRCIA is a low-cost, high-value program for the private sector. If implemented quickly and effectively, CIRCIA will be a game changer for security.
The Colonial Pipeline ransomware attack served as a call to action across the government to accelerate efforts to secure operational technology (OT), particularly industrial control systems. Although the ransomware targeted Colonial’s information technology (IT) networks, the company shut down 5,500 miles of pipeline along the East Coast. The incident and subsequent remedial measures exposed long-standing visibility gaps on OT networks and the need for segmentation between OT and IT networks, among other things. For my part, I worked with my partners across the aisle to authorize CISA’s CyberSentry program, whereby OT asset owners voluntarily deploy sensors on their networks to detect malicious activity and raise CISA’s visibility around threats. Activity detected through these tools can inform the security decisions of asset owners and improve the timeliness and quality of CISA alerts and advisories. Moving forward, I will work with CISA to grow its capacity to help improve the security of federal and private sector OT assets, incentivize adoption of CISA Cross Sector Cybersecurity Performance Goals, and continue to build the OT security workforce.
A surge of ransomware attacks against state and local governments, small businesses, and hospitals revealed the high cost of underinvesting in cybersecurity. For too long, many high-value targets were on their own to develop and invest in cybersecurity plans, and too many lost productivity and money after falling victim to relatively unsophisticated attacks. To help defend state and local networks and build resilience, I introduced a bipartisan bill to make a $1 billion federal investment in cybersecurity for state and local networks — the State and Local Government Cybersecurity Improvement Act. I was pleased that the bipartisan infrastructure package included language to provide such critical funding and that grants will soon be available to state and local governments. Though this investment is significant, we must recognize that it is merely a down payment on what will be required to secure state and local networks. I will continue to fight for funding in the future and work with my colleagues in Congress and across the administration to identify new ways to improve the cybersecurity posture of other under-resourced sectors.
Despite the progress we have made, much work remains. For example, various efforts to address vulnerabilities in open source software and software supply chains have stalled this Congress, and will need to be reevaluated in the next Congress. The Cyber Safety Review Board has the potential to harness important lessons learned from cyber incidents; we will need to decide whether to formally authorize it and what authorities it should have. I am excited by the possibilities that emerging technologies, such as quantum computing, offer, but we must consider the security implications of these advancements. Already, CISA is working to prepare critical infrastructure owners to transition to post-quantum cryptography. I am eager to help CISA advance those efforts. As the election approaches, it is clear the threats to our democracy have not gone away — they have intensified. For the sake of our democracy, we will have to come together to help the public identify mis- and disinformation, put an end to threats to election officials and voter intimidation, and continue to secure election infrastructure. I have been proud of my role in helping CISA’s budget and authorities grow over the past two years and am committed to its success. Toward that end, I will continue to support efforts to strengthen CISA’s mission-enabling capabilities.
For as long as I have served in this chamber, cybersecurity has benefited from its status as a largely bipartisan issue. This Congress, under the leadership of Homeland Security Chairman Bennie Thompson (D-Miss.) and Ranking Member John Katko (R-N.Y.), cybersecurity has been one of the Committee on Homeland Security’s top priorities. Given its criticality to our economy and national security, I am confident that it will remain that way moving forward.
Yvette Clarke is Chair of the Homeland Security Committee Cybersecurity, Infrastructure Protection, and Innovation Subcommittee.