Rep. Mark Green (R-Tenn.), the new chairman of the House Homeland Security Committee, on Wednesday met with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly to discuss how the panel can best support the agency with its existing authorities but also stated his concerns that the Biden administration is transitioning to a regulatory approach toward cybersecurity in the private sector.
“As I discussed with Director Easterly, our goal will be to best position CISA to execute its preexisting authorities and requirements to strengthen the cybersecurity of Federal Civilian Executive Branch and private sector networks while being responsible stewards of American taxpayer dollars,” Green said Thursday in a statement.
The Biden administration has been openly discussing its forthcoming national cybersecurity strategy that will begin emphasizing mandatory cybersecurity requirements for the private sector versus the largely voluntary measures currently used by companies in certain critical infrastructures. A shift has occurred toward more cybersecurity regulations, including in the pipeline, rail and aviation sectors, which are regulated in part by the Transportation Security Administration (TSA).
TSA has had cybersecurity regulatory authorities but began to use them more aggressively following a ransomware attack against pipeline operator Colonial Pipeline in the spring of 2021 that led the company to briefly shut down operations, an action that crimped gas supplies in areas of the country. The administration believes that the voluntary measures have been inadequate.
Green signaled that Republicans, at least in the House, are not on board with expanding cybersecurity mandates.
“Furthermore, the federal government has enough regulators and I remain concerned over the Biden administration’s aggressive regulatory approach,” he stated. “My mission will be to strengthen CISA as an information enabler rather than as a regulatory agency. We are not here to overly burden industry, but we are here to ensure companies are doing their part to secure their system and protect against the cascading and devastating impact one vulnerability can have on an entire network.”
Voluntary information sharing between CISA and the private sector about cybersecurity threats and incidents has been the key ingredient in the agency’s partnership with industry to bolster the nation’s cybersecurity posture. However, in the wake of the Colonial Pipeline and other incidents, many in the administration and in Congress, including Democrats and Republicans, believe that voluntary reporting about threats and incidents hasn’t been timely or robust enough.
In 2022, Congress approved and President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) that requires CISA to develop and implement regulations for critical infrastructure entities to report “covered” cybersecurity incidents and ransomware payments to the agency. The agency has until March 2024 to publish a Notice of Proposed Rulemaking to implement CIRCIA.
Green also highlighted a legislative roadmap committee Republicans released in December that outlines their goals for CISA during the next two years. The “tenets” of the CISA 2025 Overview include optimizing the agency’s organization, leveraging partnerships across government and industry, advancing technology to strengthen cyber resilience, growing the agency’s workforce, and centralizing visibility across federal civilian networks.