Yesterday Sen TJ Kong (R,GA) introduced SB 4569, the COVID Cyber Protection Act. The bill would require any company that accepts federal money for the production, distribution or dispensing of a vaccine for the SARS-COV-19 virus to allow the Critical Infrastructure Security Operations Center (CI-SOC) full access to any computer network involved in getting the vaccine to the citizens of the United States. A press release from Kong’s office notes that the bill was drafted in response to the recent ransomware attack on Mengele Pharma that resulted in millions of doses of their COVID-19 vaccine being destroyed.
According to Kong, while the original CI-SOC authorizing legislation provided for private sector companies to voluntarily place themselves under the cyber protection of the CI-SOC, this bill would mandate participation of manufacturers of COVID-19 vaccines, transportation companies, storage facilities and clinics that administer the COVID-19 vaccine to the public in the CI-SOC protective regimen.
General Buck Turgidson, Director of the CI-SOC, told reporters this morning that his staff had worked with the Senator’s staff in the crafting of the legislation. “We have staff and facilities available to start protecting the vaccine manufacturers in the United States,” Kong said; “Providing coverage to transportation and storage organizations will require a substantial expansion of staff and equipment. That is the reason that the bill includes a $1.5 million spending authorization. We do not currently know how many clinics would need cybersecurity coverage.”
An unnamed source at the CI-SOC tells me that there is plenty of room in the facility for the staff expansion expected to support the demands set forth in SB 4569. There would have to be some expansion of the communications capabilities, but the initial facility design included provisions for that addition as the CI-SOC operations expanded.
Clark Stanley, spokesperson for the Federal Drug Administration, responded to email questions about the bill. He reported that the agency had been in communication with the Senator’s office about the proposed legislation. “We have also been talking with CI-SOC about the requirements for expanding cybersecurity support for vaccine manufacturers. We are very concerned about the attack on Mengele Pharma and want to ensure that no further cyberattacks interfere with getting the vaccines produced and distributed.”
An unnamed staffer at Kong’s Washington Office told me that the Senator does not expect that the Senate will actually have time to take up the bill in the days left in the 116th Congress. “We are working to try to get it added to the omnibus spending bill that will be introduced later this week,” the staffer said; “If that does not happen, we expect to get the bill introduced in the opening days of the 117th Congress. Hopefully we would be able to see quick action on the bill in the opening weeks of the session.”
Wolfgang Gerhard, President of Mengele Pharma, has said that his company does not want any cybersecurity assistance from CI-SOC. “We have no need to provide unrestricted access to CI-SOC to our computer infrastructure,” Gerhard told reporters last week; “We do not want to provide anyone with access to our proprietary research and manufacturing software systems. A large portion of our profitability and innovation capability rests on these unique, in-house developed systems. We cannot afford to have them compromised by any outside agency not under our control.”
Gerhard reported that those systems had not been involved in last month’s ransomware attack. “We have those systems completely isolated from our IT systems and they are not accessible from the Internet,” he explained; “We did not provide CI-SOC investigators access to these systems during their investigation of the attack and we will not do so in the future.”