Cyber officials look to toughen up reporting requirements

The head of CISA told lawmakers that federal breach disclosure rules should be accompanied by compliance mechanisms, including fines.

 

The Biden administration is increasingly looking to require disclosure on the part of cyberattack victims, especially in critical infrastructure sectors. In some instances, as with federal contractors and with certain regulated industrial sectors, such requirements can be authorized by the executive branch, but a wide ranging breach disclosure mandate would need legislation.

Thus far, efforts to create a federal standard to replace the more than 50 state-based and territorial disclosure laws have failed to gain traction, but that could change in the wake of the Colonial Pipeline ransomware attack and other well publicized recent breaches.

At a Senate hearing on Thursday, top cybersecurity officials pressed lawmakers to pass legislation to supersede the patchwork of state laws and make sure that federal investigators have the latest information about ongoing threats. A bill to do just that was introduced in the Senate in July.

In addition, Sen. Gary Peters (D-Mich.), the chairman of the Senate Homeland Security and Government Affairs Committee, announced in his opening remarks that he and ranking member Sen. Rob Portman (R-Ohio) are offering legislation to require entities that make payments to ransomware hackers and critical infrastructure companies who suffer breaches, to disclose that information to the Cybersecurity and Infrastructure Security Agency.

"It's long past time to get cyber incident reporting legislation out there," CISA Director Jen Easterly told lawmakers on the committee. "It's very important for us to both be able to render assistance to any entity that suffers an attack, but to be able to analyze that information and to share it more widely, because we know that in today's world, everything is connected, everything is interdependent, and thus everything is vulnerable."

Easterly said in her testimony that any legislation will need some way to get private companies to cooperate with disclosure requirements in the heat of an ongoing attack.

"I do think a compliance and enforcement mechanism is very important here. I know some of the language talks about subpoena authority. My personal view is that is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors. So I think that we should look at fines…. I just came from four and a half years in the financial services sector where fines are a mechanism that enable compliance and enforcement."

Easterly also spoke to the importance of establishing CISA as the "operational lead" in federal cybersecurity as part of any update of the Federal Information Systems Modernization Act, while also "holding departments and agencies specifically accountable for the investments that they make in their cybersecurity teams," adding that, "we need to move from this compliance and box checking to true operational risk management"

TMF awards coming soon

Federal Chief Information Security Officer Chris DeRusha told the committee that the Technology Modernization Fund board is preparing to release the first awards under the $1 billion emergency funding that was added under pandemic relief legislation. DeRusha said that 75% of funding requests were for cybersecurity improvements.

National Cyber Director Chris Inglis the told lawmakers that his responsibilities extended to reviewing TMF awards to make sure "each of the awards [are] consistent with our overall cyber strategy."