Senate Intelligence Committee Chairman Mark Warner (D-Va.) said the committee is working on bipartisan legislation that would require some level of mandatory reporting on cyber vulnerabilities.
Warner, speaking Tuesday at a virtual event hosted by the U.S. Chamber of Commerce, said the committee is working closely with the intelligence community and Anne Neuberger, the White House’s deputy national security adviser for cyber and emerging technology.
The legislation would grant limited immunity to give companies an incentive to report, and require these disclosures to anonymize personally identifiable information. Warner said these disclosures would provide an “early warning system” across government and private-sector owners of critical infrastructure.
“We need to focus on, can we create a structure that would allow some limited mandatory reporting for government contractors and critical infrastructure that doesn’t get to the full data breach negotiations,” Warner said, adding that negotiations over data breach requirements have been a major hurdle in getting more robust vulnerability disclosure legislation done.
While the private sector remains wary of sharing this information with federal cyber and law enforcement agencies, Warner said there is an “evolving belief” that the voluntary reporting structure under the 2015 Cybersecurity Information Sharing Act is no longer robust enough to protect agencies and industry from the latest wave of cyber threats.
“People a couple of years ago who said, ‘No way I want additional mandatory obligation put on me’ are now coming back and saying, ‘If we align the incentives that make me want to report, even though it’s mandatory, I want to affirmatively get this information out,’” he said.
The stakes of strengthening vulnerability disclosure are high, Warner said, because private enterprise runs the vast majority of critical infrastructure in the U.S. The SolarWinds breach demonstrated how a compromised IT product can cause a ripple effect among its federal customers.
The SolarWinds breach has compromised the networks of at least nine agencies.
“This attack on SolarWinds demonstrated when a first-tier adversary brings its A team against any entity, public-sector or private-sector, it really is hard to keep the bad guys out,” Warner said. “That doesn’t mean we should move away from good cyber hygiene, but it does mean any sole entity on its own, no matter how good their firewalls may be, it is hard to provide 100% assurance of protection.”
Cyberspace Solarium members seek $400M increase for CISA’s growing mission
The Cybersecurity and Infrastructure Security Agency plays a central role in managing these cyber threats, but may need more funds to meet its growing mission.
Cyberspace Solarium Commission members Reps. Jim Langevin (D-R.I.) and Mike Gallagher (R-Wis.) urged House Appropriations Committee leadership, in a letter last Friday, to increase CISA’s budget by $400 million. The agency currently has an annual budget of more than $2 billion.
The lawmakers said CISA played a “central role” in the interagency response to the SolarWinds and Microsoft Exchange Server compromises. CISA must also stand up 27 of the commission’s recommendations that passed as part of the 2021 National Defense Authorization Act.
The defense policy bill requires CISA to stand up a Joint Cyber Planning Office and conduct a force structure and resource requirement assessment. It also grants the agency the authority to hunt for threats on federal agency networks.
“As CISA’s statutory mission set grows, appropriations must grow to match the mandate,” the lawmakers wrote.
While Congress gave CISA an additional $650 million in the latest COVID-19 spending bill, Mark Montgomery, the executive director of the Cyberspace Solarium Commission, said that money mostly gives the agency more bandwidth to address the immediate cyber threats.
“A lot of it was about directly getting at the impact and damage or preventing a future SolarWinds or Microsoft Exchange [breach] … We recognize a lot of CISA’s budget needs to be about building the public-private collaboration,” Montgomery said.
Despite CISA’s central role in cyber response, the agency is barely three years old. Montgomery said that since shedding its old name, the National Protection and Programs Directorate, CISA has taken on a host of new responsibilities but is still a work in progress.
CISA’s force structure and resource assessment, he added, would likely demonstrate that the agency needs more money to do its job.
“I’m confident that we’re going to find that their $2 billion budget is significantly underfunding the need, and that, four or five years from now, their budget could easily be between $3-4 billion, if we want CISA to run correctly,” Montgomery said.