CISA chief: Cyber incident reporting can't become a burden
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, stressed the importance of cyber incident reporting but said mandates should be careful of potentially overburdening companies -- and CISA -- with "reporting noise."
CISA Director Jen Easterly speaks at Aspen Cyber on Sept. 29, 2021.
Mandatory cyber incident reporting is gaining traction, and the Department of Homeland Security's cyber chief said the key to any legislative mandates is keeping down the bureaucratic "noise."
Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency, stressed the importance of cyber incident reporting during the Aspen Cyber Summit Sept. 29, but she said mandates should be careful of potentially overburdening companies -- and CISA -- with "reporting noise."
"We are a voluntary and partnership agency ... our whole goal is to build trusted partnerships so that companies that are impacted by cyber attacks report information, and we do have that," Easterly said. "But as the Congress has recognized, it is critically important that we get more and more information, given the complex threat environment that we're all facing."
Easterly called CISA's privacy shielding, information-sharing authorities a "super power" and said that cyber threat reporting in any form was crucial to preventing damage in future attacks.
"Whether it's voluntary, or whether it's mandatory, we need to get that information as rapidly as possible so that we can share it to prevent others from suffering an attack," Easterly said.
The CISA director's comments come after Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio) introduced a bill that would require critical infrastructure companies and operators to report cyberattacks to CISA and for most entities to report ransomware payments.
Easterly said such information sharing is important when dealing with ransomware, but reporting requirements should take care not to overburden CISA or industry.
"That's why it's really important to have this rulemaking period, where we can figure out the scope of the reporting entity ... when they would need to report rapidly ... and then how you make sure that you can do enforcement," Easterly said. "Because at the end of the day, it really is to the benefit of the whole ecosystem if we can get information out rapidly to protect others."
Incident reporting is only part of the threat landscape. Rob Joyce, the director for the National Security Agency's cybersecurity directorate, said during his panel discussion that one of his biggest concerns is "tech debt" and being able to retroactively secure aging technologies still in use.
"There's a lot of things we know need to be modernized, upgraded, changed, but it's getting the resources and the will to put the investment in there," he said.
Joyce said his priorities for the office include improving threat intelligence sharing and shoring up weapons systems.
"We've had a number of years, working counterterrorism, counterinsurgency as a as a nation -- that was the top priority. We weren't thinking about the near-peer challenges of China and Russia. And in that we weren't always modernizing the weapons and the capabilities of the department to the level we need," Joyce said.
"These things are often wings with computers strapped to them, floating computers, flying computers, exploding computers, and we haven't always treated them as things that we had to protect like computer networks. And so now, the instrumentation, the protection, the modernization is really a high priority."