A series of recent cyber hacks and attacks impacting networks and industrial control systems have strengthened the resolve of Congress to make policy changes that the legislators generally have been reluctant to make previously, a Democratic staffer for the House Homeland Security Committee said on Tuesday.
"I think you're going to start seeing a higher risk tolerance for bolder policy changes and that goes from cyber incident reporting, which last year was sort of taboo when we tried to include it in the NDAA, and now it's a common priority," Moira Bergin director of the Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
The NDAA refers to the fiscal year 2021 National Defense Authorization Act that sets forth policy for the Defense Department and also included 27 cyber security provisions, some for DoD and others for the Department of Homeland Security. The provisions came from some of the legislative recommendations made a year ago by the bipartisan Cyberspace Solarium Commission (CSC) to strengthen the nation's cyber security posture.
Bergin said that in the past, many lawmakers were shy about cyber security issues given the technical complexity but that appears to be on the wane.
There is still "unfinished business" from the commission, Bergin said during a webinar on Women Leaders in Cybersecurity hosted by the DHS Cybersecurity and Infrastructure Security Agency.
Some of that unfinished business that Democratic and Republican lawmakers are discussing includes "systemically important critical infrastructure," the use of "federal market power to raise the bar on cyber security for technology and ICT products purchased in the non-government sector and I think you'll see bolder efforts to grow the cyber security workforce," she said. ICT refers to information and communications technology.
Despite various policy initiatives so far, the cyber workforce at the federal, state and local levels, and private sector continues to lag demand, Bergin said.
The willingness for "more bold action" is the result of three recent high-profile incidents. One, earlier this year, involved an attack on a water treatment facility in Florida that resulted in lye levels being raised to dangerous levels before it was discovered and rectified. In that instance, no users of the water supply were in jeopardy.
The other two incidents involved software supplied by Microsoft [MSFT] and SolarWinds Inc. [SWI] that resulted in nation-state actor breaching private and public sector networks.
"That answer is music to my ears," said Alexis Wales, associate director of CISA's Cybersecurity Division and moderator of the webinar. "As a longtime security professional and someone who takes the practice of risk management very seriously, I can tell you that bolder action in this space and an understanding that we cannot expect our entirety of the country to react with money out of their own pockets to defend against advanced persistent threats and things of that nature."