WASHINGTON — Cybersecurity experts have implored Congress for years to act as criminal hackers and sophisticated intelligence operatives attacked computer networks at schools, local governments, critical infrastructure and federal agencies.
Lawmakers and the federal government needed not only to gain a far greater understanding of attacks and threats but also to help local governments and school districts beef up defenses.
Washington has in the past six months finally begun to respond, passing a handful of bills to address cybersecurity that are waiting to be signed into law. A few more are in the pipeline.
Michigan Democrat Gary Peters, chairman of the Senate Homeland Security and Governmental Affairs Committee, who once described himself as “not a rock thrower,” has led efforts on the bills and collaborated with Ohio Republican Sen. Rob Portman to advance legislation that starts the process of defending against attacks.
“Cyberattacks are a persistent threat against both the government as well as the private sector, and we know that we have to build defenses against this threat,” Peters said in an interview. Building a defensive moat “is exactly how I look at it.”
President Joe Biden signed into law a fiscal 2022 omnibus spending bill in March that included legislation sponsored by Peters. The law requires critical infrastructure owners and operators to report a substantial cyberattack to the Cybersecurity and Infrastructure Security Agency, or CISA, within 72 hours and a ransomware payment within 24 hours.
“We could finally get more transparency as to what’s happening in the cyber domain,” said Peters, calling it one of the “most significant cyber bills in history.”
In the absence of such transparency, the federal government was aware of only about 30 percent of attacks on private networks, he said.
“You can’t fight an enemy if you don’t have situational awareness, and you need to know who’s attacking you and how they’re attacking you,” said Peters, a former lieutenant commander in the Navy Reserve.
A pair of attacks in late 2020 and early 2021 on software maker SolarWinds and Colonial Pipeline galvanized national and congressional action, especially in support of the requirement that private companies report attacks to CISA.
Peters championed legislation that requires CISA to study cybersecurity risks facing schools and propose guidelines for beefing up defenses.
Peters’ stamp is also on other measures that became law as part of the infrastructure spending bill, which provides $1 billion for grants to state and local governments to improve cybersecurity, creates a $100 million fund that the secretary of Homeland Security could use to assist federal and private sector entities reeling from a cyberattack, and requires the EPA to assess and identify public water systems that could be crippled in a cyberattack.
Peters’ approach to tackling cybersecurity needs through multiple bills is more effective than trying to achieve it through one big bill, said Tom Gann, chief public policy officer of cybersecurity research company Trellix.
Cybersecurity is a “vastly complex area, it’s global, it’s national, it’s local, it’s got many tentacles to it, so a one-size-fits-all solution will never meet the objective of dramatically changing the cybersecurity landscape,” Gann said in an interview. “What’s needed is to address the different parts of the cybersecurity threat landscape in a piece-by-piece manner.”
Three more cybersecurity bills backed by Peters are awaiting Biden’s signature. The House cleared all three in May.
One piece of legislation would create a training program for federal employees to help them figure out if equipment and services they are buying would compromise the government’s cybersecurity.
Another would ensure that CISA provides support and assistance to state and local governments on cybersecurity.
A third one, a companion to the House bill, would ensure that federal cybersecurity experts can rotate from one agency to another.
Peters’ focus on training and rotating federal employees has drawn applause.
“They get really bogged down in the day-to-day work, and there isn’t always enough focus on training in the area of cyber, where there’s innovation every day,” Gann said.
The cyber pipeline
Peters said he has more cybersecurity-related legislation that has cleared his committee and is awaiting passage or is still in the draft stage.
Two bills that became part of a package (S 3600) would require federal agencies and contractors to report cyberattacks to CISA, and another measure would help federal agencies move to secure cloud-based services. The measures have passed the Senate and have yet to clear the House.
The Senate Homeland Security Committee in March approved a measure that requires CISA to consolidate cybersecurity recommendations for satellite operators on how to best secure their systems.
While many of the measures he has championed address different sectors and aspects of cybersecurity, Peters said that “small businesses are those that we worry most about.”
Unlike medium and large companies, small entities lack the hardware resources and cybersecurity expertise to protect and defend against cyberattacks, Peters said.