Sunday, October 10, 2021

Review - HR 5491 Introduced - Systemically Important Critical Infrastructure

Last week, Rep Katko (R,NY) introduced HR 5491, the Securing Systemically Important Critical Infrastructure Act. The bill adds a new §2220A to the Homeland Security Act of 2002. The bill requires CISA to designate certain elements of critical infrastructure as systemically important critical infrastructure (SICI). Then the bill would require CISA’s Joint Cyber Planning Office to give priority to such designated elements in their cyber defense planning, joint cyber operations, cybersecurity exercises, and information-sharing practices. There is no spending authorized in this bill.

Katko and one of his cosponsors {Rep Garbarino (R,NY)} are both members of the House Homeland Security Committee. This means that there may be sufficient influence to see this bill considered in Committee. I see nothing that would engender any organized opposition to this bill. I suspect that the Committee would favorably report the bill if considered. There should be enough bipartisan support for the bill that it could be considered in the House under the suspension of the rules process.


This bill could be a way for Congress to look like it is directing CISA to take action on critical infrastructure cybersecurity without actually requiring the regulation of critical infrastructure. The services being offered to the listed critical infrastructure entities without regulatory constrictions could ensure that business interests support this legislation, especially in the face of the current movement to institute reporting requirements.

While this bill requires CISA to develop a list of SICI, that list is to be based upon a poorly defined universe of critical infrastructure. The current definitions for CI are vague. The question becomes: how does CISA work from that incohesive starting point to create its list? This bill provides no guidance on that process. Anyone would be able to provide a short list of grand critical infrastructure: refineries, electric generation, pipelines, water treatment facilities, etc. But do you include pharmaceutical manufacturers? If so, which? How about pharmaceutical precursor chemical producers? Again, which? Automotive manufacturers, steel producers, communications firms, financial institutions, or internet service providers? The list gets longer and longer.

These limitations are at least partially addressed in the subsection (g) requirements for a report to Congress. The crafters of this legislation were firmly aware of how broad the requirements of this section could be but were uncertain about where or if the lines should be drawn to restrict the expansion of SICI. The report to Congress would provide in-process information about how much of industry would be willing to actually accept the designation. Widespread acceptance would encourage Congress to expand the reach of SICI. Lack of acceptance could force Congress to consider the need for a more aggressive regulatory approach to cybersecurity oversight.

For more details about the specific provisions of this bill, see my article at CFSN Detailed Analysis (subscription required).
