Following this week’s ransomware attack against the Colonial Pipeline, U.S. Representative Elissa Slotkin (D-Holly) is introducing the CISA Cyber Exercise Act, a bipartisan bill that would create new ways for American businesses and governments to test their critical infrastructure against the threat of cyber attacks, and establish a National Cyber Exercise Program to test the U.S. response plan for major cyber incidents.
Slotkin introduced the bill after sending a letter to major pipeline owners and operators in Michigan, urging them to ramp up their cybersecurity defenses just days after the Colonial Pipeline was temporarily shut down, and inviting them to work with her to strengthen federal efforts to ensure the cybersecurity of critical infrastructure.
Earlier this week, the Colonial Pipeline, which supplies approximately 45% of the fuel consumed on the East Coast, was shut down for multiple days after suffering a ransomware attack, leading to gasoline shortages in a number of states.
“Cyber attacks like the ones launched against the Colonial Pipeline have the potential to devastate our economy and our way of life. Even if the intent behind an attack is only to steal money or hold data for ransom, the broader consequences can be enormous for our national and economic security, as we’ve seen from public panic and subsequent gas shortages in a number of states on the East Coast this week,” said Slotkin in a release.
“This week’s events have clearly shown that cybersecurity is no longer just a ‘tech’ issue — it’s at the very heart of protecting the systems that power our daily lives as Americans. We have to make sure the federal government is working hand-in-glove with state and local authorities and private industry to deter these attacks and minimize their impact. This bill can be a step in ramping up that coordination, ensuring that our government is preparing for the full range of cyber threats, and providing our communities and businesses the tools they need to be secure and resilient. The President’s Executive Order this week is an important step in the right direction for federal cybersecurity, and now Congress has to step up to the plate and address these emerging threats, as well.”
The CISA Cyber Exercise Act directs the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS) to build on its existing work by establishing a National Cyber Exercise Program, in order to test U.S. response plans for major cyber incidents. As part of the Program, the bill also directs CISA to include a set of model exercises — which could be readily used by state and local governments and private sector businesses to test the safety and security of their own critical infrastructure. The bill also requires CISA to help those entities design, implement and evaluate the exercises.
The CISA Cyber Exercise Act builds on a provision Slotkin introduced last year, creating a biannual national cyber exercise to test the resilience, response, and recovery of U.S. critical infrastructure, which was signed into law as part of the National Defense Authorization Act (NDAA) for Fiscal Year 2021. Codifying such an exercise was one of the recommendations of the bipartisan, Congressionally-created Cyberspace Solarium Commission.
Slotkin, a former CIA analyst and top Pentagon official, sits on the House Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation and chairs the Subcommittee on Intelligence and Counterterrorism.
In her letter to major pipeline owners and operators in Michigan, sent Thursday, Slotkin pressed energy industry executives for details on what changes they will make to “security policies, response plans or exercises, practices for sharing cyber threat information with government and industry partners, and/or the structure of [their] IT and operational systems” in the wake of the disruptions caused by the Colonial Pipeline shutdown. She also invited them to meet with her to collaborate on efforts to improve public and private sector cybersecurity.
The lead cosponsor of the CISA Cyber Exercise Act is U.S. Rep. Mike Gallagher (R-Wis.), with whom Slotkin co-chairs a bipartisan task force, through the Armed Services Committee, to strengthen and protect U.S. defense supply chains. Joining him as original cosponsors are U.S. Reps. Jim Langevin (D-RI), Chair of the Subcommittee on Cyber, Innovative Technologies, and Information Systems on the Armed Services Committee, and Andrew Garbarino (R-NY), ranking member of the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
Gallagher and Langevin, who both served on the Solarium Commission, joined Slotkin in introducing the FY2021 NDAA national cyber exercise provision last year.