WASHINGTON, D.C. — Today, U.S. Congressman Dan Crenshaw (R-TX-02), a member of the House Permanent Select Committee on Intelligence, and Rep. Seth Magaziner, a member of the House Committee on Homeland Security, introduced H.R. 8775, the Contingency Plan for Critical Infrastructure Act. This bipartisan legislation aims to create a public report for Members of Congress to evaluate the manual operations of critical infrastructure during cyber-attacks.
The potential damage from cyber-attacks against critical infrastructure such as electricity grids, water systems, and pipelines has increased in recent years. Adversarial nations like China, Russia, Iran, and North Korea pose significant threats to national and economic security.
On January 31, 2024, Federal Bureau of Investigation Director Christopher Wray testified before the House Select Committee on the Chinese Communist Party. He warned that Chinese government-backed hackers are working "to find and prepare to destroy or degrade the civilian critical infrastructure that keeps us safe and prosperous."
One aspect of responding to these threats is understanding how to operate critical infrastructure manually during catastrophic cyber-attacks and determining how the government can assist operators in such situations.
"Cyber-attacks are the number one threat to America’s critical infrastructure," said Congressman Crenshaw. "The private sector must be more involved, especially when it comes to our water, energy, transportation, and communications. We need a comprehensive assessment of what more can be done to make critical infrastructure more resilient to future cyber-attacks."
"We need to ensure that the infrastructure Americans depend on is protected from cyber attacks," said Rep. Magaziner. "This bipartisan bill will help ensure that Americans are protected from criminals and adversarial nations who target our country in cyberspace daily."
The Contingency Plan for Critical Infrastructure Act requires The Director of the Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Administrator of the Federal Emergency Management Agency (FEMA) and other sector risk management agencies, to deliver a joint sector-by-sector assessment to Congress.
The Assessment would include:
- Evaluation of how the National Cyber Incident Response Plan addresses risks posed when critical infrastructures cannot swiftly transition to manual operation.
- Assessment of CISA’s capacity and obligations regarding remediation and response during cyber incidents.
- Assessment of FEMA’s National Response Framework's capability in assisting critical infrastructure owners during transitions to manual operating modes.
- Examination of potential costs and challenges associated with mandating sectors shift to manual operations during cyber incidents.
- Development of policy recommendations aimed at ensuring continuous operation during widespread cyber incidents affecting critical systems.
Additionally, this bill mandates that FEMA update their Planning Considerations for Cyber Incidents including:
- Best practices for essential personnel managing critical infrastructures.
- Steps for effective responses by owners/operators facing system degradation.
- Identification of available Federal, State, and local resources supporting transitions to manual operations.
- Specific guidelines on responding to and remediating effects on industrial control devices.