Committee Considers Follow On Legislation To Cyber Incident Reporting Bill (Free Preview)


This is the free version of yesterday's post on a hearing on how Congress should next address public-private collaboration on cybersecurity.


The United States (U.S.) House Homeland Security Committee’s Cybersecurity, Infrastructure Protection, & Innovation Subcommittee will hold a hearing titled “Mobilizing our Cyber Defenses: Maturing Public-Private Partnerships to Secure U.S. Critical Infrastructure.” The subtext of the hearing was what legislation the subcommittee should seek to get enacted now that the cyber incident reporting bill was passed as part of the FY 2022 omnibus appropriations act in March (see here for more detail and analysis). Apparently, the subcommittee is giving consideration to the notion of a systemically important critical infrastructure designation system that would ideally allow the U.S. government to focus on the most important and highest risk cyber critical infrastructure.

In its 2020 final report, the Cyberspace Solarium Commission (CSC) recommended that Congress enact new authority that would allow the U.S. government to designate the most important entities as “systemically important critical infrastructure” “whereby entities responsible for systems and assets that underpin national critical functions are ensured the full support of the U.S. government and shoulder additional security requirements consistent with their unique status and importance.” This recommendation may well have been modeled on Dodd-Frank’s "systemically important" designation that allows financial regulators to impose heightened standards for some entities.

Legislation has been introduced that would codify the CSC’s recommendation in part. The “Securing Systematically Important Critical Infrastructure Act” (H.R.5491) would establish a process under which the Cybersecurity and Infrastructure Security Agency (CISA) would work with Sector Risk Management Agencies (SRMA), the agencies of the U.S. government with responsibility over sectors of critical infrastructure, to create a methodology for designating “systemically important critical infrastructure” and providing additional government resources. However, the bill does not place “additional security requirements” on designated entities. As a result, this bill would do little more than is currently done as CISA and the Department of Homeland Security already “identify a list of systems and assets that, if destroyed or disrupted, would cause national or regional catastrophic effects” through the “National Critical Infrastructure Prioritization Program.” To be fair, many stakeholders are unaware of this annual process, and the agency has some misgivings about the program as the Government Accountability Office detailed in a March 2022 report.

Other Developments


The United States (U.S.) Cybersecurity and Infrastructure Security Agency (CISA), the Department of Energy (DOE), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory (CSA), “warning that certain advanced persistent threat (APT) actors have exhibited the capability to gain full system access to multiple industrial control system (ICS)/supervisory control and data acquisition (SCADA) devices using custom-made tools.”

The Netherlands’ data protection authority, De Autoriteit Persoonsgegevens (AP), “imposed a fine of €3.7 million on the tax authorities…because of the years of illegal processing of personal data in the Fraud Signaling Facility (FSV)…[w]ith often major consequences for people who were wrongly on the list.”

Outgoing Privacy Commissioner of Canada Daniel Therrien wrote an op-ed on “[t]he evolution of privacy protection and the case for legislative reform,” in which he stated “[a]s my mandate draws to a close, I urge the government to move quickly to enact much-needed legislation to effectively protect the privacy rights of Canadians.”

Further Reading


“Facebook ‘lacks willpower’ to tackle misinformation in Africa” By Jason Burke — The Guardian

“Meet the 1,300 librarians racing to back up Ukraine’s digital archives” By Pranshu Verma — The Washington Post

“One year in, Meta’s civil rights team still needs a win” By Issie Lapowsky — Protocol

“Crypto Industry Helps Write, and Pass, Its Own Agenda in State Capitols” By Eric Lipton and David Yaffe-Bellany — The New York Times

“The debate over a privacy bill is inching forward on Capitol Hill” By Cristiano Lima — The Washington Post