Two Bank Trade Groups Alarmed by Cybersecurity Language Inserted in Defense Bill

WASHINGTON–Two bank trade groups are objecting to language related to online security in the proposed defense bill before Congress, arguing it will actually endanger cybersecurity.

“Providing [the Cybersecurity and Infrastructure Security Agency] with details of supply chain risk management practices and ‘identifying critical assets, systems, suppliers, technologies, software, services, processes or other dependencies’ could expose firms to risk if it is inappropriately disclosed or stolen in a breach,” reads the letter from the American Bankers Association and the Bank Policy Institute, which was sent to the chair and ranking member of both the Senate Armed Services Committee and the Senate Homeland Security and Governmental Affairs Committee. “This information would be highly valuable to malicious actors, because it would provide a roadmap for how to attack a firm or disrupt a critical system or service.”

The two organizations said a provision attached to the National Defense Authorization Act during floor votes in the House, where the bill has been passed, was not included in legislation filed by the Senate Armed Services Committee two weeks ago.

Headed for September Vote

As CUToday.info has been reporting, with the NDAA now before the Senate and then headed to conference, negotiations in Congress mean numerous changes could still be included in the legislation. The NDAA is not expected to come before the Senate for a vote until September.

The language that concerns the bankers’ groups was included as an amendment by Rep. Jim Langevin (D-RI) and would initiate an interagency process at the Department of Homeland Security to identify no more than 200 entities which would be designated “systemically important entities,” according to Nextgov.com. As such, they would be required to report certain information to CISA, in exchange for closer collaboration with intelligence agencies and assistance in responding to incidents, the report added.

Lack of Specifics Cited

According to the legislation, the information required “shall directly support the department’s ability to understand and prioritize mitigation of risks to national critical functions.”

But the bankers’ letter says the legislation doesn’t “specify what CISA would do with such information, [or] how it would be shared or protected against disclosure,” according to Nextgov.com.

“As the Senate considers the National Defense Authorization Act for Fiscal Year 2023, we urge you to oppose language creating a designation for Systemically Important Entities (SIEs) that was added to the House bill as floor amendment 554,” the letter reads. “Financial institutions are supportive of efforts to improve the identification and risk assessment of critical infrastructure but believe the provision, as written, would duplicate existing designations without addressing gaps in government efforts to help protect private critical infrastructure from national security threats.”

Copyright Holder: CUToday.info
Copyright Year: 2026