Senior Biden administration officials are backing congressional efforts to enact new cyber incident reporting requirements for critical infrastructure operators and other companies, as well as other efforts to further entrench the Cybersecurity and Infrastructure Security Agency at the center of the civilian executive branch’s digital security apparatus.
During a Senate Homeland Security and Governmental Affairs Committee hearing today, CISA Director Jen Easterly and National Cyber Director Chris Inglis offered support for incident reporting legislation put forth by Chairman Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio). The bill would require critical infrastructure operators to report significant cyber incidents on their networks to CISA.
Easterly said incident reporting is “absolutely critical” and called CISA’s “superpower” its ability to share cyber threat information across agencies and critical infrastructure sectors.
“What we could do with this information is not only render assistance to the victim and help them remediate and recover from the attack, but we can use that information, we can analyze it, and then we could share it broadly, to see whether in fact evidence of such intrusions were found across the sector, or across other sectors or across the federal civilian executive branch,” she said.
The Peters-Portman bill would also give CISA subpoena authority in the event a company refuses to comply with the reporting requirements. But Easterly said a subpoena “is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors.”
Instead, Easterly said lawmakers should look at using fines to enforce compliance.
“I just came from four and a half years in the financial services sector, where fines are a mechanism that enable compliance and enforcement,” she said.
White House National Cyber Director Chris Inglis also backed the idea of fines, but said there should additionally be incentives for reporting incidents to the government.
“We of course don’t want to impose an unfair burden on the victims,” Inglis said. “But this information is essential for the welfare of the whole. There should be rewards for good behavior. If you’ve performed well and thoughtfully in this, the benefit should be obvious, which is that we can provide better services both in response and preventing this in the future.”
In addition to Peters and Portman’s legislation, members of the Senate Intelligence Committee have introduced a cyber incident reporting bill that would mandate a tighter 24-hour window for reporting incidents. The Peters-Portman bill would establish a 72-hour reporting timelines as a minimum.
The bill endorsed by members of the intelligence committee would also cover a broader range of both incidents and reporting entities, including critical infrastructure, federal contractors, agencies, and cybersecurity service providers.
Meanwhile, House Homeland Security Cybersecurity Subcommittee Chairwoman Yvette Clarke (D-N.Y.) has successfully attached an incident reporting bill to the defense authorization bill. Clarke’s legislation is similar to the Peters-Portman bill in that it only applies to critical infrastructure operators and offers a 72-hour timeline as a starting point.
Lawmakers are also eyeing potential updates to the Federal Information Security Modernization Act of 2014. The FISMA reforms are aimed at sorting out roles and responsibilities for cybersecurity across the federal government.
Easterly said she hopes lawmakers will formally establish CISA as the “operational lead for federal cybersecurity” as part of FISMA reform legislation. She also advocated for making agencies “accountable” for investing in cybersecurity, as well as moving beyond “box checking” compliance to what she described as “true operational risk management.”
“I think instantiating all of that in FISMA reform will be incredibly important and helpful for our role,” Easterly added.
President Joe Biden may also issue a directive to clarify the role of the National Cyber Director and other cyber officials across government, according to Inglis, whose office is only a few months old.
“We’re actually taking our time, not because we’re complacent in any way, shape, or form, but taking our time to actually let experience, a modest amount of experience, drive our efforts to then clarify in writing what we believe is the right and proper way to describe that [organizational] chart in action,” he said.
Meanwhile, agencies are continuing to implement Biden’s May executive order on cybersecurity. CISA and the Office of Management and Budget have already released a federal definition for “critical software,” as well as new requirements for storing and sharing data, according to Chris DeRusha, federal chief information security officer at OMB.
OMB and the Department of Homeland Security have also developed recommendations for “new contract clauses that will enhance how the federal government and industry work together to address cyber threats,” according to DeRusha’s written testimony.
“These clauses will streamline the sharing of threat intelligence and notification of incidents,” he added.
During the hearing, DeRusha said OMB is additionally preparing new guidance for agencies on supply chain risk management.
Agencies are also likely to request new funding from Congress to implement the new cyber mandates. After Congress flushed the Technology Modernization Fund with $1 billion as part of the American Rescue Plan, agencies submitted more than 100 project proposals worth a collective $2.3 billion, with 75% of the proposals focused specifically on cybersecurity, according to DeRusha.
“We are focused and made a lot of progress already on baseline hygiene measures,” DeRusha said regarding the executive order. “We’ve also set in place a multi-year strategy and plan. And what we’re going to need from Congress is… some new resources to implement this plan.”
Warner says ‘time is now’ for cyber incident reporting legislation