WASHINGTON, D.C. — Today, U.S. Congressman Dan Crenshaw (R-TX-02), a member of the House Permanent Select Committee on Intelligence, and Rep. Seth Magaziner, a member of the House Committee on Homeland Security, introduced H.R. 8775, the Contingency Plan for Critical Infrastructure Act. This bipartisan piece of legislation will create a public report for Members of Congress to assess the manual operations of critical infrastructure during a cyber-attack.

The potential damage of cyber-attacks against critical infrastructure like the electricity grid, water systems, pipelines, and other infrastructure from adversarial nations and non-state actors has increased in recent years. America’s adversaries like China, Russia, Iran, and North Korea, along with state-linked groups, pose serious threats to our national and economic security.

On January 31, 2024, Federal Bureau of Investigation Director Christopher Wray testified before the House Select Committee on the Chinese Communist Party, warning Members of Congress that Chinese government-backed hackers are working “to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous.”

One component of responding to the threat posed by America's adversaries is understanding the challenges of operating critical infrastructure manually in the event of a catastrophic cyber-attack and how the government can better assist operators in such a situation.

“Cyber-attacks are the number one threat to America’s critical infrastructure, and it’s not a problem any one government agency can solve or even protect against,” said Congressman Crenshaw. “The private sector must be more involved, especially when it comes to our water, our energy, our transportation, and our communications. We need a comprehensive assessment of what more can be done to make critical infrastructure more resilient to future cyber-attacks, and we need it immediately.”

“We need to ensure that the infrastructure Americans depend on to keep the lights on, the water running and commerce flowing is protected from cyber attacks,” said Rep. Magaziner. “This bipartisan bill will help ensure that Americans are protected from criminals and adversarial nations who target our country in cyberspace on a daily basis.”

The Contingency Plan for Critical Infrastructure Act would require the Director of the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Administrator of the Federal Emergency Management Agency (FEMA) and other sector risk management agencies, to deliver a joint sector-by-sector assessment to Congress.

The assessment would include:

  • Evaluation of how the National Cyber Incident Response Plan addresses the risk posed to critical infrastructure when it cannot swiftly transition to manual operation.
  • Assessment of CISA’s capacity and obligations, including remediation of and response to cyber incidents and supporting critical infrastructure operators in sustaining operations of essential systems.
  • Assessment of FEMA’s National Response Framework and how FEMA is equipped to assist critical infrastructure owners and operators in transitioning to manual operating mode during cyber incidents.
  • Examination of the potential costs and challenges associated with mandating sectors to shift to manual operating mode in the event of a cyber incident. This includes considering financial implications, logistical hurdles, and operational impacts.
  • Development of policy recommendations aimed at ensuring the continuous operation of critical infrastructure in scenarios where there is a widespread cyber incident affecting critical systems.

Additionally, this bill requires that the Federal Emergency Management Agency update its Planning Considerations for Cyber Incidents. The updated planning considerations would include:

  • Best practices and guidelines for essential personnel of critical infrastructure owners and operators.
  • Steps that critical infrastructure owners and operators should take to respond effectively to different levels of degradation in their systems.
  • Identification of Federal, State, and local resources that are available to support owners and operators of critical infrastructure in the event that they need to transition to manual operating mode.
  • Specific guidelines on how to respond to and remediate the effects of cyber incidents on industrial control devices.