Updates to the Critical Infrastructure Information Act are long overdue


The health of the U.S. economy and the well-being of our citizens rely heavily on secure and resilient critical infrastructure. In the past year, we have witnessed an increasing number of cyberattacks on critical infrastructure entities, including the attacks on the Colonial Pipeline, SolarWinds and JBS, as well as attacks on California and Florida water systems. The list is only growing. It’s clear that the government has placed increased focus on protecting critical infrastructure, establishing the Cybersecurity and Infrastructure Security Agency (CISA) in 2018, passing legislation like the Strengthening American Cybersecurity Act of 2022 and issuing the executive order to improve the nation’s cybersecurity. Additionally, councils like the President’s National Infrastructure Advisory Council and the Homeland Security Advisory Council have been created and include cybersecurity executives who have boots on the ground. Most recently, the Department of State created a federal bureau focused on including cyber protection in foreign policy initiatives.

The Critical Infrastructure Information Act of 2002, which seeks to facilitate greater sharing of critical infrastructure information (CII) between critical infrastructure organizations and government agencies, has not been updated since it was first introduced in the early 2000s. But a lot has changed in the last 20 years, including best practices for protecting critical infrastructure. As threats evolve and increase for this sector, what else can the federal government do to ensure the security of the nation’s critical infrastructure?

How the CII Act of 2002 is being implemented today

Accurate CII is an essential resource for national security efforts in protecting critical infrastructure from a variety of hazards, natural disasters, internal threats and direct attacks. But because critical infrastructure is largely privately owned, this information is considered sensitive and proprietary, and is disclosed reluctantly.

The CII Act of 2002 established the Protected Critical Infrastructure Information (PCII) Program, which allows public and private sectors to voluntarily submit information. The program seeks to protect U.S. infrastructure by offering protections to validated information and enhancing the flow of information between the private sector and all areas of the government focused on national security. This created a partnership between the government and the private sector to help build protective measures.

Through PCII, government agencies with homeland security responsibilities can develop advisories, alerts and warnings for public notification that are timely for state, local and federal governments. PCII enables public and private entities to monitor and work together to design solutions for their unique security needs and assess vulnerabilities. PCII also helps in understanding the challenges in protecting critical infrastructure and the security risks faced by the sector, aiding recovery efforts and preparedness for critical infrastructure in case of any kind of disruption.

Looking forward for the CII Act of 2002

There’s no doubt that critical infrastructure has evolved since 2002, especially from the adoption of modern technologies that open doors for new vulnerabilities. This evolution requires the federal government to take a close look at the CII Act of 2002 and the PCII program to ensure they continue to provide the most useful information to effectively protect critical infrastructure.

While the CII Act of 2002 has not been updated since it was first introduced, recent mandates from the federal government represent solid steps towards modernizing safeguards within the government, including critical infrastructure. Most recently, Congress passed the Cyber Incident Reporting Mandate in March 2022 that requires critical infrastructure providers to report security incidents, marking a good step forward in improving rapid information sharing. Companies are often reluctant to share cybersecurity incident details affecting critical infrastructure due to privacy laws and regulatory concerns. While it’s not a free pass to not comply with regulatory obligations, the mandate alleviates worry about unintended exposure of confidential and proprietary information. Other recent initiatives, like the zero trust mandate from January 2022, crafted to move the government toward a zero trust approach to cybersecurity, and an August 2021 memorandum that provides tiered instruction on logging requirements for federal agencies, provide additional focus to securing critical infrastructure.

As global conflict heightens with the Russia-Ukraine crisis, we see the real-world implications of the compounding effect of physical and cyber conflict on critical infrastructure. The conflict highlights the wider humanitarian implications of disruptions in production and transport of oil, gas, nuclear and traditional energy. When the stakes of an attack change from monetary and financial loss to the health and welfare of human lives, the cost of cyberattacks moves into an immeasurable and morose gray space. In this space, the call to action and the cost to protect shouldn’t be calculated in traditional financial transactions. Successfully defending against the rampant cyber threats the critical infrastructure sector is facing today requires proper preparation and protection. To defend against cyberattacks, the federal government must continue to analyze the current threat landscape for critical infrastructure and take a security-first approach.

Andrew Hollister is the chief information security officer of LogRhythm.

Copyright © 2024 Federal News Network. All rights reserved.