SPEED BUMP — Since major lobbying groups from the banking sector announced their opposition to a provision in the House draft of the NDAA that would establish a system of enhanced protections and oversight for the nation’s systemically important critical infrastructure, SICI has stood on thin ice.
But any hope that lawmakers could agree on a slimmed-down version of the proposal came to a sudden halt last week, when Congress unveiled the (mostly) final text of the behemoth defense bill. Unlike other controversial cyber provisions scrapped at the deadline, lawmakers couldn’t even compromise on a study to iron out the proposed SICI tradeoff between “benefits and burdens” by next year.
With SICI’s congressional future uncertain, responsibility for the effort now falls to CISA, which recently indicated it will get to work on its own project to identify and secure a shortlist of Jenga-like assets that large swathes of the economy rely on.
While three former CISA officials who spoke with MC praised the agency’s steadfast commitment to a project they view as, well, critical, each expressed doubts it will be able to move the needle on national cyber defense so long as Congress sticks to the sidelines. Here’s why.
Herding cats — Without lawmakers’ support, CISA could also face internal resistance to the effort, observed Bryan Ware, former assistant director of CISA’s cybersecurity division.
Information CISA needs to get this work right is held by sector risk management agencies. However, they won’t necessarily pony up support to a CISA-led effort, said Ware, who cited the NSA’s recent resistance to the joint collaborative environment as one example of why SICI isn’t CISA’s alone to manage.
“It’s not like the rest of the federal government is going to just jump in and support CISA in doing this,” said Ware.
The Grinch that stole SICI — Ware, Spaulding and Kolasky couched their reservations about CISA’s ability to go it alone as disappointment in Congress and exasperation with a decades-old reliance on the volunteer model of public-private cooperation, as opposed to any lack of faith in the agency itself.
“I’m encouraged to hear that CISA will pursue these partnerships in the absence of legislation,” said Ware. “However…experience shows that a legal framework is needed to compel some companies to engage, to set clear expectations of the partnership, and to compel other parts of the government to work cooperatively with CISA.”