05/21/2021 | Press release | Distributed by Public on 05/21/2021 03:21
Yesterday, Rapid7 sent a group letter urging the Biden Administration and Congress to work together to integrate cybersecurity into infrastructure legislation. The letter was signed by 19 companies, industry associations, and nonprofit groups who collaborated on the recommendations. The letter comes as US critical infrastructure faces considerable cybersecurity risks, and as Congress is negotiating the details of major infrastructure modernization legislation.
The group letter is available here, and the text is pasted below.
Updating US infrastructure is needed to strengthen our global competitiveness and quality of life, but integrating cybersecurity will be key to reducing the vulnerability of our critical infrastructure to malicious actors and adversary nations. Building out new critical infrastructure without incorporating cybersecurity would be like building a house on a shaky foundation, placing the structure and inhabitants chronically at risk. We see a glimpse of the consequences of critical infrastructure attacks today with healthcare ransomware attacks, compromise of multiple government agencies, and the shutdown of a major fuel pipeline. Yet many entities in critical infrastructure sectors are under-resourced to deal effectively with the threats they face.
Through this letter, Rapid7 and our partners urge Congress and the Administration to include cybersecurity-specific resources and minimum standards in new infrastructure efforts such as the American Jobs Plan. We express support for the energy sector security items recently announced by the White House, and urge similar action for the other critical infrastructure sectors, such as water, healthcare, and critical manufacturing. We also urge extension of key government cybersecurity assessment programs to industrial control systems and operational technology.
Strengthening cybersecurity in national critical infrastructure is an investment in American businesses that depend on that infrastructure for operations and growth. Rather than compound existing problems by expanding infrastructure without addressing cybersecurity weaknesses, Congress and the Administration should take steps to ensure modernized critical infrastructure is more resilient to attack so that we may rely on it for many years to come.
------------
Copy of the letter:
Chairman Peters
Ranking Member Portman
Committee on Homeland Security and Governmental Affairs
U.S. Senate
Chairwoman Cantwell
Ranking Member Wicker
Committee on Commerce, Science, and Transportation
U.S. Senate
Chairman Thompson
Ranking Member Katko
Committee on Homeland Security
U.S. House of Representatives
Chairman DeFazio
Ranking Member Graves
Committee on Transportation and Infrastructure
U.S. House of Representatives
The Honorable Shalanda Young
Director of the Office of Management and Budget
May 20, 2021
We the undersigned respectfully urge Congress and the Administration to ensure cybersecurity is integrated into planned infrastructure modernization efforts such as the American Jobs Plan. We recommend incorporating cybersecurity-specific funding, incentives, and risk-based minimum standards into infrastructure legislation and its implementation to ensure we are not building next-generation infrastructure with last-generation security.
The White House recently announced cybersecurity funding and standards will be incorporated into the American Jobs Plan.[1] We support the items outlined by the White House, urge their inclusion in the final legislation, and encourage the Administration and Congress to take additional steps to secure all types of critical infrastructure in the American Jobs Plan.
Updating the United States' critical infrastructure is essential to long-term economic prosperity, global competitiveness, and job growth. However, these benefits will be significantly undermined, and the US will face prolonged risks to health, safety, and national security, if cybersecurity is not a high priority for new infrastructure projects at the start. The past six months alone provide several reminders of the sobering risks US critical infrastructure faces: ransomware leading to the temporary shutdown of a crucial US fuel pipeline, ongoing attacks against healthcare providers, the incident at the Florida water treatment facility, election security threats, multiple supply chain attacks, and severe compromises to government systems.
Upgrading our smart infrastructure will substantially increase our technology footprint. Without strong security, this will make existing unaddressed weaknesses even more dangerous by creating a larger attack surface for malicious actors and adversary nations. It will be more difficult to bolt security onto critical infrastructure after the fact than to modernize infrastructure with security in mind from the beginning. Enhancing breach notification or cyber incident reporting requirements for affected companies may aid threat intelligence, but will not prevent those incidents from occurring as effectively as integrating security safeguards and processes early on.
The need for funding, incentives, and minimum standards applies to federal, state, local, and privately held infrastructure. Upgrading the security of government agencies and contractors is crucial, but strengthened cybersecurity should also be prioritized for privately held critical infrastructure (which is the overwhelming majority of US critical infrastructure). Yet many critical infrastructure entities are under-resourced and, in some cases, have security maturity that is not commensurate with the risks and threats they face.
We strongly recommend that the infrastructure modernization legislation, and implementation of this legislation, include cybersecurity-specific funding for federal, state, local, and privately held infrastructure. This may include grants and other resources specifically dedicated to strengthening critical infrastructure entities' security processes, workforce, and technology, so that the funds are not allocated for other priorities. We also recommend tying baseline cybersecurity processes and safeguards, such as the NIST Framework to Improve Critical Infrastructure Cybersecurity, to new mandated critical infrastructure projects and modernization funds. To ensure security is accounted for while providing adequate flexibility for businesses, cybersecurity requirements for critical infrastructure should be based on risks, tailored to the specific sector, aligned with existing standards, and be neither unduly burdensome nor unnecessary.
We commend the Administration for making clear to Congress that cybersecurity must be a priority in the American Jobs Plan.[2] We support inclusion of the items announced by the White House in the legislation, though note that these items relate largely to the energy sector. Bolstered energy sector and electric grid resilience is crucial to US security and competitiveness, but cybersecurity should also be prioritized for the other critical infrastructure sectors - such as water, critical manufacturing, and healthcare.[3]
We suggest the Administration consider taking additional steps to detail how the Administration intends to integrate cybersecurity into the implementation of the American Jobs Plan:
In addition to the Administration's actions, we suggest that Congress integrate the following into infrastructure modernization legislation:
We the undersigned respectfully encourage Congress and the Administration to work together urgently to ensure US critical infrastructure sectors have the resources, incentives, and standards necessary to modernize securely. Strengthened cybersecurity will be an investment in US businesses that rely on critical infrastructure, and help government entities to be more modern and efficient. Thank you for your consideration.
Rapid7
Alliance for Digital Innovation
Avast
Broadcom
Bugcrowd
Cybereason
Cybersecurity Coalition
Cyber Threat Alliance
Disclose.io
Global Cyber Alliance
GRIMM
ICS Village
Institute for Security and Technology
Luta Security
McAfee
SCYTHE
SecurityScorecard
Tenable
Cc:
The Honorable Alejandro Mayorkas
The Honorable Ron Klain
The Honorable Susan Rice
The Honorable Jake Sullivan
Majority Leader Schumer
Minority Leader McConnell
Speaker Pelosi
Minority Leader McCarthy