[Congressional Record Volume 168, Number 105 (Tuesday, June 21, 2022)]
[House]
[Pages H5689-H5691]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY TRAINING ACT
Mr. SWALWELL. Madam Speaker, I move to suspend the rules and pass the
bill (H.R. 7777) to amend the Homeland
Security Act of 2002 to authorize the Cybersecurity and Infrastructure
Security Agency to establish an industrial control systems
cybersecurity training initiative, and for other purposes, as amended.
The Clerk read the title of the bill.
The text of the bill is as follows:
H.R. 7777
Be it enacted by the Senate and House of Representatives of
the United States of America in Congress assembled,
SECTION 1. SHORT TITLE.
This Act may be cited as the ``Industrial Control Systems
Cybersecurity Training Act''.
SEC. 2. ESTABLISHMENT OF THE INDUSTRIAL CONTROL SYSTEMS
TRAINING INITIATIVE.
(a) In General.--Subtitle A of title XXII of the Homeland
Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by
adding at the end the following new section:
``SEC. 2220D. INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY
TRAINING INITIATIVE.
``(a) Establishment.--
``(1) In general.--The Industrial Control Systems
Cybersecurity Training Initiative (in this section referred
to as the `Initiative') is established within the Agency.
``(2) Purpose.--The purpose of the Initiative is to develop
and strengthen the skills of the cybersecurity workforce
related to securing industrial control systems.
``(b) Requirements.--In carrying out the Initiative, the
Director shall--
``(1) ensure the Initiative includes--
``(A) virtual and in-person trainings and courses provided
at no cost to participants;
``(B) trainings and courses available at different skill
levels, including introductory level courses;
``(C) trainings and courses that cover cyber defense
strategies for industrial control systems, including an
understanding of the unique cyber threats facing industrial
control systems and the mitigation of security
vulnerabilities in industrial control systems technology; and
``(D) appropriate consideration regarding the availability
of trainings and courses in different regions of the United
States; and
``(2) engage in--
``(A) collaboration with the National Laboratories of the
Department of Energy in accordance with section 309;
``(B) consultation with Sector Risk Management Agencies;
and
``(C) as appropriate, consultation with private sector
entities with relevant expertise, such as vendors of
industrial control systems technologies.
``(c) Reports.--
``(1) In general.--Not later than one year after the date
of the enactment of this section and annually thereafter, the
Director shall submit to the Committee on Homeland Security
of the House of Representatives and the Committee on Homeland
Security and Governmental Affairs of the Senate a report on
the Initiative.
``(2) Contents.--Each report under paragraph (1) shall
include the following:
``(A) A description of the courses provided under the
Initiative.
``(B) A description of outreach efforts to raise awareness
of the availability of such courses.
``(C) Information on the number and demographics of
participants in such courses, including by gender, race, and
place of residence.
``(D) Information on the participation in such courses of
workers from each critical infrastructure sector.
``(E) Plans for expanding access to industrial control
systems education and training, including expanding access to
women and underrepresented populations, and expanding access
to different regions of the United States.
``(F) Recommendations on how to strengthen the state of
industrial control systems cybersecurity education and
training.''.
(b) Clerical Amendment.--The table of contents in section
1(b) of the Homeland Security Act of 2002 is amended by
inserting after the item relating to section 2220C the
following new item:
``Sec. 2220D. Industrial Control Systems Cybersecurity Training
Initiative.''.
The SPEAKER pro tempore. Pursuant to the rule, the gentleman from
California (Mr. Swalwell) and the gentlewoman from Iowa (Mrs.
Miller-Meeks) each will control 20 minutes.
The Chair recognizes the gentleman from California.
General Leave
Mr. SWALWELL. Madam Speaker, I ask unanimous consent that all Members
may have 5 legislative days in which to revise and extend their remarks
and include extraneous material on this measure.
The SPEAKER pro tempore. Is there objection to the request of the
gentleman from California?
There was no objection.
Mr. SWALWELL. Madam Speaker, I yield myself such time as I may
consume.
Madam Speaker, I thank the chairman and ranking member of the
Committee on Homeland Security for their support for moving my bill,
H.R. 7777, the Industrial Control Systems Cybersecurity Training Act,
through committee. I thank the Speaker and majority leader for bringing
this measure to the floor today.
Madam Speaker, H.R. 7777 is not only a winning number on a slot
machine; it is a winning formula for bringing cyber hygiene to our
industrial control systems across America.
Every day, we rely on critical infrastructure to power our homes,
fuel our cars, and connect us online. One essential component of
critical infrastructure is industrial control systems, also known as
ICS, which digitally manage operations of these vital systems.
As Congress considers legislation to address cybersecurity threats to
America's interests, my legislation would help to secure vulnerable ICS
at every level of our economy and our government. H.R. 7777 would make
permanent an existing education initiative within the Cybersecurity and
Infrastructure Security Agency, also known as CISA.
This initiative, the ICS training initiative, provides free virtual
and in-person cybersecurity training to public and private security
entities, including critical infrastructure administrators, national
laboratories, and even small businesses.
This training equips technology professionals across all levels with
the tools and expertise necessary to secure themselves against advanced
persistent threats.
When threats turn into successful attacks, it impacts the daily lives
of every American, including sowing discord into our electoral
processes, as we have seen election after election; shutting down our
pipelines; or breaking down supply chains that provide essential food
and other materials.
That means virtually everything that is connected to a network has a
potential vulnerability, or what we would refer to as a left-of-boom
vulnerability, the vulnerability that exists before the attack occurs.
Every person, small business, or government database is a potential
target.
In 2021 alone, cybercrimes inflicted approximately $6 trillion in
damages across the world. Attacks on industrial networks account for a
significant portion of that number, and it is only going to get worse
in the future.
These threats often emerge from sophisticated state actors, like
Russia and China, that have the ability to exploit vulnerabilities to
disrupt and destroy the systems that make our way of life possible.
As Putin and his regime become increasingly isolated because of a
successful sanctions regime and the effort that we are prosecuting to
help keep Ukraine in the fight, we should expect the Kremlin to
progressively target the United States and our allies with
unconventional cyberattacks on our election systems and critical
infrastructure. Any success that Russia has in exploiting
vulnerabilities will inevitably be closely watched by other countries,
particularly China.
In sum, we know this threat is real and that malignant actors will
persistently probe our systems to find additional weaknesses to
exploit, which would cause real harms, harms to Americans that would
blunt innovation, steal American secrets, and destroy America's small
businesses.
In my district, cybersecurity professionals deal with threats to ICS
every single day. I specifically note two major Federal research
centers, Sandia and Lawrence Livermore National Laboratories, which
play a critical role in protecting against worldwide cyber threats.
They are in the heart of my district in Livermore, California.
This support is leveraged every day by numerous Federal agencies,
including CISA, which sit on the front lines of protecting our
infrastructure from bad actors. We in Congress must do everything we
can to equip our security protectors with the resources they need to
continue the fight, and that is what this legislation does.
Resources must include proactive ways to help cybersecurity-focused
entities retain a competitive workforce. The training programs in my
legislation will equip technology professionals with the skills,
expertise, and resources they need to build resilience against threats
to some of our most sensitive facilities.
I applaud CISA for increasing these trainings, which H.R. 7777--which
I love saying--would make permanent. This commonsense program is an
easy solution to build resilience against cyberattacks for our most
vulnerable systems.
Madam Speaker, I urge my House colleagues to support this
legislation, and I reserve the balance of my time.
Mrs. MILLER-MEEKS. Madam Speaker, I yield myself such time as I may
consume.
Madam Speaker, I rise today in support of H.R. 7777, the Industrial
Control Systems Cybersecurity Training Act.
In policy discussions following recent cyber incidents, like
SolarWinds and Colonial Pipeline, one constant area of concern to
Congress and our cyber defenders, like the Cybersecurity and
Infrastructure Security Agency, CISA, has been improving the Nation's
workforce pipeline for cybersecurity and other STEM-related fields.
As the interconnectivity of our daily lives continues to grow, the
estimated worldwide cost of cybercrime has risen to $6 trillion
annually. Despite this alarming and growing threat, some estimates say
that the cybersecurity workforce is currently short about 1 to 3
million qualified professionals.
A recent Center for Strategic and International Studies, CSIS, study
of IT decisionmakers across eight countries found that 82 percent of
employers report a shortage of cybersecurity skills, and 71 percent
believe this talent gap causes direct and measurable damage to their
organization.
{time} 1415
Federal agencies have been working to bridge the gap in skills
required to prepare a future cyber workforce.
CISA is collaborating closely with organizations like the National
Institute of Standards and Technology, NIST, to identify cyber
knowledge deficits on a sector-by-sector basis. One example is the
National Initiative for Cybersecurity Education framework, which serves
as a useful precursor for directing Federal resources into education
and research priorities.
H.R. 7777 would require that CISA provide resources for the purpose
of training cyber operators that are fluent across multiple segments of
the cyber domain, not only information technology but also operational
technology, like manufacturing systems and industrial control systems,
which are commonplace within critical infrastructure sectors and are
increasingly exposed to cyber risk.
We must continue to do all we can to improve our Nation's cyber
posture and focus on policy that can help make our government and
private sector critical infrastructure operations more resilient and
prepared for future events.
Madam Speaker, I urge Members to join me in supporting H.R. 7777, and
I yield back the balance of my time.
Mr. SWALWELL. Madam Speaker, I yield myself the balance of my time.
I appreciate the bipartisan, cooperative effort here to make sure
that our cyber professionals across America are ready to meet the
growing threats from Russia, China, and even nonstate cyber actors.
That is exactly what H.R. 7777 seeks to do, by authorizing CISA's ICS
cybersecurity training program and directing CISA to report to Congress
annually about the initiative.
Improving the state of our cybersecurity workforce will be an ongoing
effort, and these reports will help Congress continue to strengthen
this program in the future.
Passing this bill will help us continue to move forward in developing
the cybersecurity workforce we need to defend against the growing cyber
threats that we face. In particular, this will help strengthen small
businesses, particularly those in critical infrastructure, who do not
yet today have cybersecurity defense forces receiving that training.
Madam Speaker, I urge my colleagues to support H.R. 7777, and I yield
back the balance of my time.
The SPEAKER pro tempore. The question is on the motion offered by the
gentleman from California (Mr. Swalwell) that the House suspend the
rules and pass the bill, H.R. 7777, as amended.
The question was taken.
The SPEAKER pro tempore. In the opinion of the Chair, two-thirds
being in the affirmative, the ayes have it.
Mr. ROY. Madam Speaker, on that I demand the yeas and nays.
The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution
8, the yeas and nays are ordered.
Pursuant to clause 8 of rule XX, further proceedings on this motion
are postponed.