On Tuesday, the U.S. House of Representatives voted to approve a bill that would reconfigure the Department of Homeland Security’s National Protection and Programs Directorate into the Cybersecurity and Infrastructure Security Agency (CISA). The House vote comes just a few weeks after the U.S. Senate approved the bill in late October.
If President Donald Trump signs the legislation, the new cyberagency could provide businesses and other cybersecurity stakeholders with a designated point of communication within the federal government and create a crucial new role for lawyers in the process.
“Many industry stakeholders may not be fully ready to expose their vulnerabilities to the federal government so they might see communicating through lawyers, law firms, as a way to protect the confidentiality but also advocate on their client’s behalf with respect to cybersecurity and infrastructure security,” said Jarno Vanto, a cybersecurity lawyer and stakeholder with Polsinelli.
As laid out in House Resolution 3359, CISA would operate under the umbrella of the DHS, where its assigned responsibilities would encompass operations, programs and associated policy pertaining to infrastructure and cybersecurity.
“Today’s vote is a significant step to stand up a federal government cybersecurity agency," Secretary of Homeland Security Kirstjen Nielsen said in a statement. "The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical."
Cybersecurity has historically provided at least some common ground for Republicans and Democrats, which may have helped this latest bill circumnavigate a politically contentious climate.
"I think cybersecurity is easily one of those issues where both parties are almost in full agreement that we need to do something about and I think that definitely one of the reasons why this new agency was created," Vanto said.
Corporations had previously experienced difficulties identifying who their counterpart was within the government, but CISA would coordinate with federal and nonfederal entities alike. Focusing all of the responsibilities pertaining to cybersecurity and infrastructure within a single agency could help streamline communications.
“I think the fact that now all of these stakeholders have a better avenue of communicating with the federal government, that plays a critical role in creating nationwide cybersecurity/infrastructure security responses, and probably, will lead down the line to improved security,” Vanto said.
The restructuring could also be seen as a signal to operators working both in and outside of the U.S. that the country is taking cybersecurity seriously, and provide another incentive for companies to keep the channels of communication open.
“The rise in geopolitical risk requires a forum for sharing actionable threat intelligence between public and private sectors. It is paramount for securing our critical infrastructure, as industry owns most critical information assets,” said Bill Conner, president and CEO of the network security company SonicWall.
Even the agency’s new moniker indicates that there’s a broad range of issues that could potentially be brought to the table.
Vanto believes that it’s especially important that the word “infrastructure” was made a featured element in the CISA acronym, citing critical vulnerabilities in the nation’s road, transportation and energy production networks that could use addressing.
“The systems that those infrastructure elements rely on are old, very old, and there are a lot of legacy systems supporting our infrastructure that are outdated so there’s a vital need to update those information systems supporting our infrastructure,” Vanto said.