Finance sector looks to block cyber reporting rules for critical industry in House defense bill

WASHINGTON, DC - JULY 26: Rep. Jim Langevin (D-RI), founder and co-chair of the Bipartisan Disabilities Caucus, speaks to an attendee at a reception to celebrate the 32nd anniversary of the passing of the Americans With Disabilities Act on July 26, 2022 in Washington, DC. Rep. Langevin is the first quadriplegic person to serve in Congress. Anna Rose Layden / Getty

Congress will return from the August recess faced once again with the challenge of building cybersecurity policy for private providers of critical infrastructure faster than industry can tear it down.

Legislation to advance a landmark agreement between government and industry for securing critical infrastructure from an increasing array of cyberattacks is getting criticism from an unexpected source: the finance sector.

A key policy leader says the banking industry—which is already subject to regulations for cybersecurity—is inexplicably shooting itself in the foot by opposing inclusion in “must-pass” legislation this fall of a provision that would address enforcement gaps in an increasingly interdependent ecosystem of critical infrastructure.

The provision was attached as an amendment to the House-passed FY 2023 National Defense Authorization Act. It was not included in legislation filed by the Senate Armed Services Committee, but there is still ample room in the NDAA process for changes when the bill is expected to come to the Senate floor in September.

“Ironically, the language they have been fighting states that any regulation already in effect would be the standard for that industry,” Mark Montgomery told Nextgov. “So they are just impacting every other industry that is not well regulated, and which they rely on: satellites, cloud service providers, water, pipelines, etc.”

Montgomery served as executive director of the Cyberspace Solarium Commission, a congressionally mandated body with representation from lawmakers across the political spectrum and top private-sector executives. Congress created the commission by passing the 2019 NDAA, named for the late Sen. John McCain, R-Ariz. Montgomery was policy director of the Senate Armed Services Committee under McCain’s chairmanship. He is now the lead for cybersecurity and technology innovation at the Foundation for Defense of Democracies think tank, from which he continues to advocate for the government’s adoption of the Solarium Commission’s proposals.

The grand bargain of the commission was that companies controlling the most important of the nation’s critical infrastructure should receive certain benefits—such as priority access to government resources and a liability shield in case of incidents—in exchange for shouldering certain burdens, such as the verifiable implementation of appropriate security measures. The recommendation to end a longstanding hands-off approach going back to the Obama administration was documented along with a host of others the commission issued in its March 2020 report.

The amendment in the NDAA now being negotiated was introduced by Rep. Jim Langevin, D-R.I., who was a Cyber Solarium commissioner. It would lay the groundwork for executing the group’s proposal, instructing the secretary of the Homeland Security Department to work with sector risk management agencies and the Office of the National Cyber Director to identify no more than 200 systemically important entities.

Those entities would then be required to report certain information to the Cybersecurity and Infrastructure Security Agency, which the legislation says, “shall directly support the department’s ability to understand and prioritize mitigation of risks to national critical functions,” including through closer collaboration with intelligence agencies.

With explicit directions that look to eliminate duplicative requirements, Langevin’s provision would also create an interagency council—to be co-chaired by the CISA director and the national cyber director—to determine “cross-sector and sector-specific cybersecurity performance goals.” These would “serve as clear guidance for critical infrastructure owners and operators about the cybersecurity practices and postures that the American people can trust and should expect for essential services,” the provision reads.

Opposition to the amendment from critical sectors of industry not currently regulated for cybersecurity—most notably providers of foundational information and communications technology—is not surprising. The Information Technology Industry Council was among those successfully opposing the inclusion of related Solarium-commission recommendations for Defense contractors in the 2021 NDAA, for example.

On Thursday, Henry Young, policy director for BSA | The Software Alliance, told Nextgov Langevin’s amendment for the current NDAA, “certainly proposed for all the right reasons, increases complexity and uncertainty.”

“To the extent it adds an additional category and attendant requirements,” Young said of the amendment, “it misses a better opportunity to improve cybersecurity: simplifying requirements and providing certainty, which will allow organizations to focus on developing innovative cybersecurity solutions and less on compliance.”

But Montgomery is baffled, and irritated, by the financial sector’s opposition to the Langevin amendment, which would more likely target sectors lacking appropriate oversight.

“This current version is only a partial attempt at the [Solarium] objective, but industry lobbyists can't pretend they embraced previous, more comprehensive, versions of the bill, as they have been consistently unhelpful in this effort,” he said. “The financial services opposition is especially galling since they operate under the misguided premise that this bill is not needed since they are ‘already regulated enough’, when the clear intent of this legislation is to identify the critical infrastructures which, unlike financial services, don't have sufficient cyber security guidance or resources in place, and then remediate that problem.”

Both BSA and the trade associations for the banking industry cited presidential policy directive 21—a 2013 edict from the Obama White House—to argue that the Langevin legislation risks duplicating a process for designating systemically important entities. But while the secretary of Homeland Security has assigned a regulator—the Treasury Department—to the financial sector under PPD-21, a corresponding executive order expressly forbade the secretary from designating commercial information technology as critical infrastructure for potential cybersecurity regulation.

In July 2021, President Joe Biden issued a national security memorandum that picked up where the Obama order left off, instructing the Department of Homeland Security, working with the National Institute of Standards and Technology and other appropriate agencies, to develop and issue performance goals for the sector-specific infrastructure as well as for infrastructure that cuts across multiple agencies. CISA has published that work and the administration is already using its power to issue cybersecurity requirements for the water, rail and pipeline sectors, but the White House is still looking for statutory reinforcement of its agenda in other areas.

In April, as the wheels started turning on the NDAA vehicle once more, Nextgov reported on Langevin and other lawmakers considering the need to designate cloud service providers critical infrastructure, given the degree to which they underpin modern digital life. They were looking to address the issue in legislation to implement the Solarium Commission’s recommendations regarding systemically important critical infrastructure.

To aid prioritization and risk management efforts, the Langevin amendment instructs the Homeland Security secretary to consider reporting from systemically important entities by asking them to, for example, “identify critical assets, systems, suppliers, technologies, software, services, processes, or other dependencies that would inform the Federal Government’s understanding of the risks to national critical functions present in the entity’s supply chain.”

Pressed to explain what seemed like a contradiction in their criticism of the Langevin amendment—that the provision would be both redundant and require the submission of new data to CISA—a banking industry source told Nextgov the opposition was ultimately about uncertainty over how that data would be used and the potential for its exposure to adversaries.

“You need to have a clear objective that you're trying to meet when you're crafting [legislation],” the source said, “and we don't see that reflected in this draft today.”

Montgomery said, “certainly it would be optimal if all the benefits and burdens could be included,” to fully demonstrate the intent of the legislation. But he also dismissed the industry’s stated concerns over data sensitivity as farcical.

“At a minimum, the charge that the government is an unsafe place to store data is crazy,” he said. “Does [the Bank Policy Institute] recommend everyone not pay taxes because the [Internal Revenue Service] might get attacked and your data compromised? Of course not.”
