Lawmakers roll out bill to protect critical infrastructure after Florida water hack

A group of bipartisan House lawmakers on Thursday introduced legislation intended to protect critical infrastructure from cyberattacks after an unsuccessful hack of a Florida water treatment facility.  

The Department of Homeland Security (DHS) Industrial Control Systems Enhancement Act, spearheaded by House Homeland Security Committee ranking member John Katko (R-N.Y.), would give more authority to the Cybersecurity and Infrastructure Security Agency (CISA) to protect critical systems against attacks.

The CISA director would be required to maintain the ability to detect and respond to attacks on industrial control systems, and also be able to provide assistance to critical infrastructure groups. 

The director would also be required to collect and distribute information on vulnerabilities in systems to owners and operators.  

Lawmakers rolled the bill out a month after officials in Oldsmar, Fla., announced that a hacker had unsuccessfully attempted to tamper with systems at the town’s water treatment facility to poison the water.

The legislation is also being introduced as CISA continues to grapple with two major cyber espionage incidents likely involving Russian and Chinese hackers that have potentially compromised thousands of U.S. government and private sector troops.  

The bill’s co-sponsors include a range of key House cybersecurity leaders, including House Homeland Security Committee Chairman Bennie Thompson (D-Miss.), cybersecurity subcommittee Chairwoman Yvette Clarke (D-N.Y.), cybersecurity subcommittee ranking member Andrew Garbarino (R-N.Y.), and Rep. Jim Langevin (D-R.I.), chair of the House Armed Services Committee’s cybersecurity subcommittee. 

Other co-sponsors are Reps. Don Bacon (R-Neb.), Kat Cammack (R-Fla.), Carlos Gimenez (R-Fla.), and John Rutherford (R-Fla).

Katko on Thursday emphasized the need to strengthen CISA in the face of evolving threats and as it works to respond to several recent major cyberattacks.

“As I have said consistently, we need to continue to build centralized cybersecurity capacity with CISA where possible for the entire critical infrastructure community to voluntarily benefit from,” Katko said in a statement. “This important piece of legislation will solidify CISA’s lead role in protecting our nation’s critical infrastructure from cyber threats, particularly to our industrial control systems.” 

The House Homeland Security Committee and the House Oversight and Reform Committee are in the midst of an investigation into what has become known as the SolarWinds hack.  

The incident, discovered in December, involved sophisticated Russian hackers successfully compromising at least nine federal agencies and 100 private sector companies for around a year through exploiting software from IT group SolarWinds, among other methods. 

Top CISA officials discussed both the SolarWinds hack and recently uncovered vulnerabilities in Microsoft Exchange Servers exploited by Chinese hackers during a House subcommittee hearing earlier this week.  

Acting CISA Director Brandon Wales testified that $650 million approved by the House on Wednesday for CISA as part of the COVID-19 relief package would not be enough to fully confront current and future threats. 

“$650 million … is a down payment. It accelerates some of these efforts, but this is going to require sustained investment,” Wales testified to the House Appropriations Homeland Security Subcommittee.