Critical Infrastructure and Cybersecurity Legislation: America’s Cybersecurity Problem

Marisa Polowitz

Associate Editor

Loyola University Chicago School of Law, JD 2023

Long gone are the days when cybersecurity concerns existed solely in the domain of technology teams. Organizations of every kind, from schools to government entities (at every level) to private companies, have fallen prey to cyberattacks. May 2021’s Colonial Pipeline attack caused chaos and a temporary gas frenzy that brought awareness of the vulnerabilities of the technology we rely on to even the least technically minded American. Cybersecurity, and more specifically the security of critical infrastructure, immediately became an issue that the U.S. Government is taking very seriously.

The worsening threat landscape

The Cybersecurity & Infrastructure Security Agency (“CISA”) stated in February that cybersecurity authorities in the U.S., Australia, and the United Kingdom agreed that the sophistication of ransomware threat actors was increasing. CISA is the organization charged with leading national efforts to coordinate cybersecurity between government and private industry. CISA is also responsible for the coordination of national critical infrastructure security. In February 2022, CISA issued an alert warning that within the U.S., fourteen of the sixteen U.S. critical infrastructure sectors were targets of “incidents involving ransomware” in 2021. Information Technology, Emergency Services, Food and Agriculture, Government Facilities, and the Defense Industrial Base (“DIB”) were among the critical infrastructure sectors listed. The U.K. specifically identified ransomware as the “biggest cyber threat” it faces.

As Russia’s invasion of Ukraine continues, there is a growing concern about increased cyberattack attempts against the U.S. by Russian actors, possibly in response to increased U.S. sanctions against Russia. The Biden Administration began calling attention to the possibility of Russian cyber-based aggression prior to Russia’s physical invasion of Ukraine. Russian hackers successfully took down Ukraine’s power grid in 2015, the first confirmed hack to do so. The notable SolarWinds attack, which targeted multiple American federal agencies and private companies, is widely believed to have been perpetrated by Russian actors as well. Even more recently, Russian actors were responsible for the early February disruption of Ukrainian government agencies and bank websites. Cyberattacks on major energy providers launched in the weeks immediately preceding the invasion were determined to have gained access to current and former employees’ devices across twenty-one companies.

In reaction to Russia’s attacks on Ukraine and the cyberactivity already occurring in 2021, CISA posted a “Shields Up” advisory, warning that Russia’s invasion could impact American organizations as well. CISA’s advisory encourages all U.S. organizations to be on alert and provides security guidance for all U.S. federal agencies and critical infrastructure companies. This heightened vigilance comes on the heels of findings released by the Department of Defense (“DOD”) Inspector General that some contractors to the DIB failed to comply with DOD and federal cybersecurity requirements for protecting sensitive information. Some of the requirements that organizations failed to satisfy are considered basic cybersecurity practices for ensuring network and system security, such as multi-factor authentication, requiring strong passwords, monitoring network traffic, and disabling inactive users.

Government action to protect critical infrastructure

Just last week, Congress passed the Cyber Incident Reporting Act (“The Act”), which was signed into law by President Biden on March 15, 2022. The new legislation requires all companies considered critical to U.S. national interests to report “any substantial cyber incident” to the federal government within three days and to report payment of ransomware within twenty-four hours. This includes companies that deal with water, wastewater, nuclear waste, hospitals and healthcare organizations, the DIB, and more.

The Act primarily focuses on reporting requirements for critical infrastructure entities – it appoints CISA as the central information point for incident reporting, and formalizes communications pathways for better, and faster, national threat awareness and threat information exchange. This advancement is a major step in the right direction – clear, formal, and coordinated channels for communicating threats, as well as requiring critical organizations to report incidents, are both essential in mitigating the effects of cyberattacks. The longer a threat goes unnoticed, the more damage it can produce. This new legislation is partially in response to the Biden Administration’s inclusion of cybersecurity in its list of “top priorities.” Enhanced cybersecurity for American critical infrastructure has support across the political spectrum, and is increasingly understood to be a national security concern. President Biden’s National Security Council is the first to include a Deputy National Security Advisor for Cyber and Emerging Technology. In January 2022, the Administration’s focus on cybersecurity was again made evident with the signing of a National Security Memorandum, which aims to enhance cybersecurity measures in National Security, DOD, and Intelligence Community Systems. Bipartisan support for enhancing U.S. cybersecurity protections is clearly evident in Congress, which allocated $2.59 billion to CISA in its government funding bill – millions of dollars beyond the Biden Administration’s proposed budget.

While international cybersecurity cooperation, K-12 educational institutions, the water sector, and even cybersecurity awareness are other areas where the Biden Administration has focused its attention, a concerted government focus on cybersecurity, specifically in critical infrastructure, has been desperately needed for years. Unfortunately, the benefits of The Act won’t be felt immediately, as it will not go into effect until the final rules are promulgated, and it allows for a 24-month time frame in which to publish a proposed rulemaking. In conjunction with the many other initiatives to enhance security, the U.S. is making headway in augmenting its security posture and creating cohesive cybersecurity protections. However, it remains to be seen if the forthcoming enhancements will come soon enough.