Katko: Must Get SICI Right
WASHINGTON, DC – In light of a series of high-profile ransomware attacks, Rep. John Katko (R-NY), Ranking Member of the House Committee on Homeland Security, released the following statement as Congress works to find solutions to protect Systemically Important Critical Infrastructure (SICI) from cyber attacks:
“When talking about cybersecurity risk management for the nation, we often hear the phrase, ‘if everything is critical, nothing is critical.’ This reality is punctuated by the fact that our digital world is increasingly an interdependent web of hardware, software, services, and other connected infrastructure. Single points of failure and layers of systemic importance across this ecosystem leave the potential for cascading impact if compromised. This is not a hypothetical concept – just look at SolarWinds and the Colonial Pipeline ransomware attack.
“The federal government has visibility into a shockingly small sliver of significant cyber incidents across the country. There is now widespread consensus that this needs to change. There are multiple bipartisan legislative efforts underway to fix this, and I’m very much supportive of thoughtful efforts to find the right combination of carrots and sticks to close the centralized visibility gap around cyber incident reporting.
“It’s critical that as we hammer out these important details on the ‘what,’ we don’t forget about providing clarity on the ‘who.’ This is where SICI, or Systemically Important Critical Infrastructure, enters the equation. First proposed through the Cyberspace Solarium Commission, I believe there’s real value in providing SICI clarity – if we do it right. With this in mind, the SICI concept increasingly feels complementary to related incident reporting legislative efforts.
“We need a transparent, well-understood, and stakeholder-involved process for identifying SICI, and I believe CISA is well positioned to lead on this. In fact, CISA has spent the better part of the last year standing up an effort to identify SICI entities. There’s lasting value in codifying this work and providing clarity around how industry and other Sector Risk Management Agencies will formally plug into this effort to ensure their feedback and insight is appropriately incorporated into the risk model.
“Further building on the SICI concept, the recent Executive Order on Improving the Nation’s Cybersecurity requires the identification of critical software. This is a natural extension of the work already underway at CISA, recognizing that systemically important critical infrastructure could range from a vital pipeline to widely used software – or everything in between.
“Conversations around requirements and benefits for SICI entities will be more effective if there’s front-end clarity and comfort with the process used to identify those entities. There’s an opportunity here for thoughtful legislating, and I look forward to working with industry and government to get this right.”