[Congressional Record Volume 168, Number 105 (Tuesday, June 21, 2022)]
[House]
[Pages H5689-H5691]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




         INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY TRAINING ACT

  Mr. SWALWELL. Madam Speaker, I move to suspend the rules and pass the 
bill (H.R. 7777) to amend the Homeland

[[Page H5690]]

Security Act of 2002 to authorize the Cybersecurity and Infrastructure 
Security Agency to establish an industrial control systems 
cybersecurity training initiative, and for other purposes, as amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 7777

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Industrial Control Systems 
     Cybersecurity Training Act''.

     SEC. 2. ESTABLISHMENT OF THE INDUSTRIAL CONTROL SYSTEMS 
                   TRAINING INITIATIVE.

       (a) In General.--Subtitle A of title XXII of the Homeland 
     Security Act of 2002 (6 U.S.C. 651 et seq.) is amended by 
     adding at the end the following new section:

     ``SEC. 2220D. INDUSTRIAL CONTROL SYSTEMS CYBERSECURITY 
                   TRAINING INITIATIVE.

       ``(a) Establishment.--
       ``(1) In general.--The Industrial Control Systems 
     Cybersecurity Training Initiative (in this section referred 
     to as the `Initiative') is established within the Agency.
       ``(2) Purpose.--The purpose of the Initiative is to develop 
     and strengthen the skills of the cybersecurity workforce 
     related to securing industrial control systems.
       ``(b) Requirements.--In carrying out the Initiative, the 
     Director shall--
       ``(1) ensure the Initiative includes--
       ``(A) virtual and in-person trainings and courses provided 
     at no cost to participants;
       ``(B) trainings and courses available at different skill 
     levels, including introductory level courses;
       ``(C) trainings and courses that cover cyber defense 
     strategies for industrial control systems, including an 
     understanding of the unique cyber threats facing industrial 
     control systems and the mitigation of security 
     vulnerabilities in industrial control systems technology; and
       ``(D) appropriate consideration regarding the availability 
     of trainings and courses in different regions of the United 
     States; and
       ``(2) engage in--
       ``(A) collaboration with the National Laboratories of the 
     Department of Energy in accordance with section 309;
       ``(B) consultation with Sector Risk Management Agencies; 
     and
       ``(C) as appropriate, consultation with private sector 
     entities with relevant expertise, such as vendors of 
     industrial control systems technologies.
       ``(c) Reports.--
       ``(1) In general.--Not later than one year after the date 
     of the enactment of this section and annually thereafter, the 
     Director shall submit to the Committee on Homeland Security 
     of the House of Representatives and the Committee on Homeland 
     Security and Governmental Affairs of the Senate a report on 
     the Initiative.
       ``(2) Contents.--Each report under paragraph (1) shall 
     include the following:
       ``(A) A description of the courses provided under the 
     Initiative.
       ``(B) A description of outreach efforts to raise awareness 
     of the availability of such courses.
       ``(C) Information on the number and demographics of 
     participants in such courses, including by gender, race, and 
     place of residence.
       ``(D) Information on the participation in such courses of 
     workers from each critical infrastructure sector.
       ``(E) Plans for expanding access to industrial control 
     systems education and training, including expanding access to 
     women and underrepresented populations, and expanding access 
     to different regions of the United States.
       ``(F) Recommendations on how to strengthen the state of 
     industrial control systems cybersecurity education and 
     training.''.
       (b) Clerical Amendment.--The table of contents in section 
     1(b) of the Homeland Security Act of 2002 is amended by 
     inserting after the item relating to section 2220C the 
     following new item:

``Sec. 2220D. Industrial Control Systems Cybersecurity Training 
              Initiative.''.

  The SPEAKER pro tempore. Pursuant to the rule, the gentleman from 
California (Mr. Swalwell) and the gentlewoman from Iowa (Mrs. Miller-
Meeks) each will control 20 minutes.
  The Chair recognizes the gentleman from California.


                             General Leave

  Mr. SWALWELL. Madam Speaker, I ask unanimous consent that all Members 
may have 5 legislative days in which to revise and extend their remarks 
and include extraneous material on this measure.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentleman from California?
  There was no objection.
  Mr. SWALWELL. Madam Speaker, I yield myself such time as I may 
consume.
  Madam Speaker, I thank the chairman and ranking member of the 
Committee on Homeland Security for their support for moving my bill, 
H.R. 7777, the Industrial Control Systems Cybersecurity Training Act, 
through committee. I thank the Speaker and majority leader for bringing 
this measure to the floor today.
  Madam Speaker, H.R. 7777 is not only a winning number on a slot 
machine; it is a winning formula for bringing cyber hygiene to our 
industrial control systems across America.
  Every day, we rely on critical infrastructure to power our homes, 
fuel our cars, and connect us online. One essential component of 
critical infrastructure is industrial control systems, also known as 
ICS, which digitally manage operations of these vital systems.
  As Congress considers legislation to address cybersecurity threats to 
America's interests, my legislation would help to secure vulnerable ICS 
at every level of our economy and our government. H.R. 7777 would make 
permanent an existing education initiative within the Cybersecurity and 
Infrastructure Security Agency, also known as CISA.
  This initiative, the ICS training initiative, provides free virtual 
and in-person cybersecurity training to public and private security 
entities, including critical infrastructure administrators, national 
laboratories, and even small businesses.
  This training equips technology professionals across all levels with 
the tools and expertise necessary to secure themselves against advanced 
persistent threats.
  When threats turn into successful attacks, it impacts the daily lives 
of every American, including sowing discord into our electoral 
processes, as we have seen election after election; shutting down our 
pipelines; or breaking down supply chains that provide essential food 
and other materials.
  That means virtually everything that is connected to a network has a 
potential vulnerability, or what we would refer to as a left-of-boom 
vulnerability, the vulnerability that exists before the attack occurs. 
Every person, small business, or government database is a potential 
target.
  In 2021 alone, cybercrimes inflicted approximately $6 trillion in 
damages across the world. Attacks on industrial networks account for a 
significant portion of that number, and it is only going to get worse 
in the future.
  These threats often emerge from sophisticated state actors, like 
Russia and China, that have the ability to exploit vulnerabilities to 
disrupt and destroy the systems that make our way of life possible.
  As Putin and his regime become increasingly isolated because of a 
successful sanctions regime and the effort that we are prosecuting to 
help keep Ukraine in the fight, we should expect the Kremlin to 
progressively target the United States and our allies with 
unconventional cyberattacks on our election systems and critical 
infrastructure. Any success that Russia has in exploiting 
vulnerabilities will inevitably be closely watched by other countries, 
particularly China.
  In sum, we know this threat is real and that malignant actors will 
persistently probe our systems to find additional weaknesses to 
exploit, which would cause real harms, harms to Americans that would 
blunt innovation, steal American secrets, and destroy America's small 
businesses.
  In my district, cybersecurity professionals deal with threats to ICS 
every single day. I specifically note two major Federal research 
centers, Sandia and Lawrence Livermore National Laboratories, which 
play a critical role in protecting against worldwide cyber threats. 
They are in the heart of my district in Livermore, California.
  This support is leveraged every day by numerous Federal agencies, 
including CISA, which sit on the front lines of protecting our 
infrastructure from bad actors. We in Congress must do everything we 
can to equip our security protectors with the resources they need to 
continue the fight, and that is what this legislation does.
  Resources must include proactive ways to help cybersecurity-focused 
entities retain a competitive workforce. The training programs in my 
legislation will equip technology professionals with the skills, 
expertise, and resources they need to build resilience against threats 
to some of our most sensitive facilities.

[[Page H5691]]

  I applaud CISA for increasing these trainings, which H.R. 7777--which 
I love saying--would make permanent. This commonsense program is an 
easy solution to build resilience against cyberattacks for our most 
vulnerable systems.
  Madam Speaker, I urge my House colleagues to support this 
legislation, and I reserve the balance of my time.
  Mrs. MILLER-MEEKS. Madam Speaker, I yield myself such time as I may 
consume.
  Madam Speaker, I rise today in support of H.R. 7777, the Industrial 
Control Systems Cybersecurity Training Act.
  In policy discussions following recent cyber incidents, like 
SolarWinds and Colonial Pipeline, one constant area of concern to 
Congress and our cyber defenders, like the Cybersecurity and 
Infrastructure Security Agency, CISA, has been improving the Nation's 
workforce pipeline for cybersecurity and other STEM-related fields.
  As the interconnectivity of our daily lives continues to grow, the 
estimated worldwide cost of cybercrime has risen to $6 trillion 
annually. Despite this alarming and growing threat, some estimates say 
that the cybersecurity workforce is currently short about 1 to 3 
million qualified professionals.
  A recent Center for Strategic and International Studies, CSIS, study 
of IT decisionmakers across eight countries found that 82 percent of 
employers report a shortage of cybersecurity skills, and 71 percent 
believe this talent gap causes direct and measurable damage to their 
organization.

                              {time}  1415

  Federal agencies have been working to bridge the gap in skills 
required to prepare a future cyber workforce.
  CISA is collaborating closely with organizations like the National 
Institute of Standards and Technology, NIST, to identify cyber 
knowledge deficits on a sector-by-sector basis. One example is the 
National Initiative for Cybersecurity Education framework, which serves 
as a useful precursor for directing Federal resources into education 
and research priorities.
  H.R. 7777 would require that CISA provide resources for the purpose 
of training cyber operators that are fluent across multiple segments of 
the cyber domain, not only information technology but also operational 
technology, like manufacturing systems and industrial control systems, 
which are commonplace within critical infrastructure sectors and are 
increasingly exposed to cyber risk.
  We must continue to do all we can to improve our Nation's cyber 
posture and focus on policy that can help make our government and 
private sector critical infrastructure operations more resilient and 
prepared for future events.
  Madam Speaker, I urge Members to join me in supporting H.R. 7777, and 
I yield back the balance of my time.
  Mr. SWALWELL. Madam Speaker, I yield myself the balance of my time.
  I appreciate the bipartisan, cooperative effort here to make sure 
that our cyber professionals across America are ready to meet the 
growing threats from Russia, China, and even nonstate cyber actors. 
That is exactly what H.R. 7777 seeks to do, by authorizing CISA's ICS 
cybersecurity training program and directing CISA to report to Congress 
annually about the initiative.
  Improving the state of our cybersecurity workforce will be an ongoing 
effort, and these reports will help Congress continue to strengthen 
this program in the future.
  Passing this bill will help us continue to move forward in developing 
the cybersecurity workforce we need to defend against the growing cyber 
threats that we face. In particular, this will help strengthen small 
businesses, particularly those in critical infrastructure, who do not 
yet today have cybersecurity defense forces receiving that training.
  Madam Speaker, I urge my colleagues to support H.R. 7777, and I yield 
back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentleman from California (Mr. Swalwell) that the House suspend the 
rules and pass the bill, H.R. 7777, as amended.
  The question was taken.
  The SPEAKER pro tempore. In the opinion of the Chair, two-thirds 
being in the affirmative, the ayes have it.
  Mr. ROY. Madam Speaker, on that I demand the yeas and nays.
  The SPEAKER pro tempore. Pursuant to section 3(s) of House Resolution 
8, the yeas and nays are ordered.
  Pursuant to clause 8 of rule XX, further proceedings on this motion 
are postponed.

                          ____________________