The publication is reproduced in full below:
ENSURING COORDINATION BETWEEN THE DEPARTMENT OF HOMELAND SECURITY AND
THE DEPARTMENT OF ENERGY IN ADDRESSING CYBERSECURITY THREATS TO THE
ENERGY SECTOR
______
HON. BENNIE G. THOMPSON
OF MISSISSIPPI
IN THE HOUSE OF REPRESENTATIVES
Friday, August 13, 2021
Mr. THOMPSON of Mississippi. Madam Speaker, while I agree with my colleagues about the importance of securing our Nation's energy infrastructure, I am concerned that--as currently written--H.R. 2931, H.R. 2928, and H.R. 3119 may weaken the core tenets of the U.S. Government's framework for protecting critical infrastructure.
That framework is currently laid out in Presidential Policy Directive 21 (PPD-21) and has been reinforced in numerous Federal policies and statutes enacted since 9/11. It has been embraced by Republican and Democratic administrations alike and by Congress. Earlier this year, Congress strongly reaffirmed its commitment to the PPD-21 framework in the FY2021 National Defense Authorization Act.
PPD-21 designates the Department of Homeland Security (DHS) as the lead Federal agency responsible for coordinating Federal efforts to secure critical infrastructure across all 16 sectors--while working hand-in-hand with Sector Risk Management Agencies (SRMAs).
I support enhancing the Department of Energy (DOE)'s capacity, as the SRMA for the energy sector, to engage with the sector as a liaison, trusted partner, and valuable source of sector-specific expertise.
That said, it is important that legislation authorizing such activity acknowledge the role that DHS, through the Cybersecurity and Infrastructure Security Agency (CISA), plays as the Nation's risk advisor and Federal civilian interface for private sector engagement and collaboration.
Congress has often reiterated that it expects CISA to use its authorities and cross-sector convening power to maintain a bird's eye view of threats across sectors--taking threat intelligence from one sector and integrating it into a broader threat context to help other owners and operators protect themselves.
But CISA can only do this if its SRMA partners work with it in a collaborative way that complements--rather than duplicates--the tools, services, resources CISA brings in support of these broader efforts.
Herein lies the issue with H.R. 2931, H.R. 2928, and H.R. 3119: the measures, as drafted, would authorize DOE to carry out responsibilities and develop capabilities that overlap with or duplicate those already housed within CISA, and there is no directive for DOE to do so in coordination with DHS.
There are several problems that could arise from this lack of coordination.
First, it runs the risk of creating a siloed, stovepiped approach to managing information about threats to the energy sector--a critically important, lifeline sector that has been under sustained attack for decades.
Congress has worked to break down these silos since 9/11, which is why DHS was tasked as a "central hub" for critical infrastructure in the first place.
Second, having multiple Federal agencies carry out overlapping roles and responsibilities creates confusion among private sector stakeholders, who are not sure who to call during a crisis, or who to partner with during steady state.
This duplication also means that the Federal Government is forced to spread an already thin supply of cybersecurity experts and resources even thinner.
Finally, cybersecurity is rarely--if ever--a sector-specific problem.
Critical infrastructure is interconnected, and technologies used in one sector are often deployed throughout others, as are the vulnerabilities embedded in those technologies. Adversaries can use the distributed nature of these vulnerabilities to exploit owners and operators across industry lines, at scale.
Take, for instance, the recent SolarWinds campaign. Russian intelligence agencies were able to corrupt a software update deployed across the public and private sectors, then use it as a foothold to infiltrate an equally ubiquitous set of Microsoft tools and products to seize an untold amount of sensitive information.
Hostile foreign nations like China and Russia do not organize cyber operations one sector at a time. They wage simultaneous, parallel campaigns designed to yield the highest possible reward at the lowest possible cost.
It is not uncommon for attacks on the energy sector to coincide with, or foreshadow, similar attacks on other sectors. In 2018, DHS and the FBI warned about a "multi-stage intrusion campaign" by Russia that targeted "U.S. government entities, as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors."
While cyberattacks against the energy sector have accelerated, the sector does not exist in a vacuum.
Though I am concerned about the possibility that these challenges may arise, it is not a foregone conclusion that they will. If DOE collaborates with CISA to forge a more productive and effective partnership, I believe many of these challenges can be overcome.
Last year, I came to the floor to ask the chairman of the Energy and Commerce Committee to confirm his intent that the activities authorized by this legislation be carried out in coordination with DHS. He responded it was "absolutely" his intent that these bills be carried out with DHS "first and foremost."
I also asked for clarification that these bills do not detract from, erode, or infringe upon any existing authorities or policies laid out in the Cybersecurity and Infrastructure Security Act of 2018, PPD-41, Executive Order 13636, or Executive Order 13691. He responded that "nothing in these bills is intended to infringe, curtail, or otherwise affect authorities of [DHS] . . . in any way, shape, or form."
I would like to reiterate these commitments from one year ago, and I look forward to working with the Committee on Energy and Commerce to conduct vigorous oversight to ensure that DOE is coordinating with DHS in a manner that reflects congressional intent.
____________________
SOURCE: Congressional Record Vol. 167, No. 146