A major software industry group sees legislation to codify “systemically important entities” as part of a larger trend to add more complexity into cyber requirements for the private sector and wants Congress to take a step back to determine the best path forward.
“Our cyber playbook is potentially getting so complicated by more and more laws, policies and programs that we risk losing track of maybe a more important component of cybersecurity, which is the operations. There are more gains to be had by doing the work together, industry and the government, rather than creating new laws, policies, programs, categories and requirements,” BSA | The Software Alliance’s Henry Young told Inside Cybersecurity.
Young said, “My advice would be try to reduce the complexity and focus on the real challenging work of cybersecurity. We don’t need more categories, we don’t need more complexity. We really do need to simplify things so we can work fast.”
Henry Young, Director, Policy, BSA | The Software Alliance
Young called for the Office of the National Cyber Director to lead on reducing complexity, while acknowledging that lawmakers are not pushing forward legislation to do so. Instead, Young argued for using more informal channels such as CISA’s Joint Cyber Defense Collaborative where he said industry and government can work side by side to address complex issues.
An amendment from Rep. Jim Langevin (D-RI) to codify “systemically important entities” at CISA was included in the House version of the fiscal 2023 National Defense Authorization Act. The SIE proposal is a revamped Solarium Commission recommendation from the 2020 landmark report to codify the term “systemically important critical infrastructure.”
Two large financial associations sent a letter last month to the Senate Homeland Security and Armed Services committees asking them to oppose inclusion of the amendment when the chamber considers its version of the NDAA on the floor.
The letter from the Bank Policy Institute and American Bankers Association says, “Adding yet another layer of reporting to a different set of agencies with different standards would detract significantly from financial institutions’ essential work defending against cyber threats.”
“We welcome efforts to mature how the government assesses risk and improve the private-public partnership; however, this provision requires discussion with industry and other Congressional Committees to ensure it meets these objectives,” the letter says.
The banking sector already has a number of “existing systemic designations and requirements” focused on security, the letter says, including the “Systemically Important Financial Institution (SIFI) designation” that “requires firms to adopt enhanced measures for security and resilience and includes additional oversight and examination by financial regulators.”
Banking firms are also included under the Section 9 process established under a 2013 executive order.
One of the biggest areas of concern in the SIE amendment is language that sets “specific requirements for firms to share what we view as extraordinarily sensitive information with CISA,” a banking industry source said. It includes “some details around supply chain risk management practices” asking entities to “identify critical asset systems, systems, suppliers, technology etc.,” the source said.
The source continued, “Those are important elements for firms to secure because if they are inappropriately disclosed it is in essence providing a roadmap for someone to attack you.” This information is typically “kept in the firm” and “not shared or distributed elsewhere,” they said.
The legislation “doesn’t clarify how that information will be used, how it will be protected, and those are really important elements for firms,” the source said.
Langevin started teasing his version of a bill to codify systemically important entities earlier this year. The amendment proposed in July was the first time his legislation was made public and it was quickly replaced by a substitute that made small changes.
The original amendment made the Office of the Director of Intelligence responsible for “intelligence sharing mechanisms,” the source said, and the revised version put the authority in the hands of the “Secretary of Homeland Security, which cannot dictate what the intelligence community is working on from a priorities and program perspective.” The banking industry doesn’t support the change.
Meanwhile, it is unclear whether the SIE amendment has momentum in the Senate for inclusion in the NDAA. Another industry source said Senate Homeland is more interested in passing legislation to modernize the Federal Information Security Management Act and the General Services Administration’s FedRAMP program this year.
The source noted that there is also confusion on whether Langevin’s SIE amendment has support from key leaders in the House Homeland Security Committee. His proposal wasn’t co-sponsored by ranking member John Katko (R-NY), cyber subcommittee ranking member Andrew Garbarino (R-NY) or Rep. Abigail Spanberger (D-VA), who introduced a bill to codify SICI in 2021.
CISA is moving forward with its own initiative to identify systemically important entities without express authorization from Congress. The source said, “The committees of jurisdiction are wrestling with” understanding this work, “CISA’s longer term strategy for SIE, and what their existing authorities and resources are to manage the new set.”
The SIE work builds on what CISA “has been doing for some time since the National Risk Management Center was established,” the source said, “and the national critical functions set is demonstrative of the direction CISA wants to take.”
The source said, “There are serious questions as to whether it should be looked at in terms of assets or pure functions or the entities themselves. CISA is doing all this great work and Congress is figuring how best to support them as the agency continues to evolve how they are thinking about what they can do for critical infrastructure across the country. That’s what the committees are wrestling with.” -- Sara Friedman