Critical Infrastructure Security
DHS Says National Security at Risk as Key Authorities Expire
DHS Secretary Alejandro Mayorkas Urges Congress to Reauthorize Key Security Powers
The U.S. Cybersecurity and Infrastructure Security Agency right now can't inspect high-risk facilities containing dangerous chemicals that could be weaponized by terrorists due to an expiration of critical authorities, Homeland Security Secretary Alejandro Mayorkas told Congress.
Chemical Facility Anti-Terrorism Standards, the first regulatory program in the country specifically tasked with ensuring cyber and physical security at high-risk chemical facilities, ceased operations earlier this year when Congress allowed CISA's statutory authorities for the program to expire in July.
Federal officials have been unable to conduct more than 450 inspections since then, Mayorkas said in his Tuesday testimony before the Senate Committee on Homeland Security and Governmental Affairs. Historically, more than one-third of inspections have identified at least one security gap at high-risk facilities, he said. The Department of Homeland Security identifies more than 3,200 communities across the country as being in proximity to chemical facilities at high risk for potential terrorist attacks.
"An attack on one of these U.S. sites could be as lethal as a nuclear blast," Mayorkas said, adding that government planners and first responders are "forced to rely on out-of-date information" as cybersecurity and physical security measures are being allowed to lapse.
The CFATS program was established in 2006 after then-Homeland Security Secretary Michael Chertoff requested the regulatory authority to implement risk-based security performance standards for high-risk chemical facilities. A preceding Government Accountability Office report identified the facilities as attractive targets for terrorist attacks and called on Congress to provide the agency with the additional authorities required to coordinate federal security efforts.
CISA began overseeing the CFATS program after the nation's cyber defense agency was officially formed under DHS in 2018, conducting site inspections and providing compliance assistance to covered facilities. The agency also required facilities to implement comprehensive security plans and regularly report critical information about their chemical usage. Facilities covered in the program are required to implement access control measures and critical cybersecurity measures, including network monitoring, firewall protection and encryption. DHS has also previously worked with facilities to establish insider threat mitigation programs and other cybersecurity initiatives.
A statement on CISA's website says the agency "cannot enforce compliance with the CFATS regulations at this time."
Mayorkas said that DHS was set to lose additional anti-terrorism authorities in the coming weeks. If Congress does not act, the agency will lose its counter-drone authorities on Nov. 18, and the Countering Weapons of Mass Destruction Office - tasked under a recent White House executive order with mitigating the potential for artificial intelligence to be used in weapons of mass destruction - is set to expire in December.
The expiration of authorities would result in the loss of over $130 million in grants to support state and local security initiatives and training, according to the secretary. DHS also stands to lose the key provisions of its intelligence collection authorities under the Foreign Intelligence Surveillance Act, which is set to expire at the end of the year.
"Renewing each of these four authorities is common sense, bipartisan, and critical to our national security," Mayorkas said.