The Cybersecurity and Infrastructure Security Agency is set to get new authorities from another round of defense legislation this year, reflecting lawmakers’ desire to position the fledgling agency as central to U.S. cyber defenses.
The defense authorization measure passed by the House last week includes multiple CISA-related provisions, including language that would grant the agency the power to compel certain private companies to report cyber attacks to the government.
The legislation continues a trend of passing CISA legislation through the defense authorization process, according to Chris Cummiskey, a former Department of Homeland Security senior official.
Last year’s defense bill, for instance, authorized CISA to do threat hunting on .gov networks and granted the agency the ability to issue administrative subpoenas to Internet Service Providers in order to contact them when threats are detected on their networks.
“In the absence of a Homeland Security Authorization Act, the NDAA has become the vehicle of choice in recent years for enhancing DHS’s cyber authorities through CISA,” Cummiskey said. “These measures continue the trend of further establishing CISA as the lead cyber agency for federal civilian [agencies].”
The incident reporting bill was led by House Homeland Security Chairman Bennie Thompson (D-Md.) and Ranking Member John Katko (R-N.Y.), as well as Cybersecurity Subcommittee Chairwoman Yvette Clarke (D-N.Y.). It would require critical infrastructure operators to report significant cyber incidents to a new “Cyber Incident Review Office” at CISA within 72 hours.
The Senate has yet to finalize its version of the defense bill. But Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio) are expected to release a cyber incident reporting bill of their own in the coming weeks.
(EDITOR’S NOTE: After initial publication of this story, Peters and Portman released their incident reporting bill)
Sen. Mark Warner (D-Va.) and other members of the Senate Intelligence Committee have also released a broad cyber incident reporting bill that would apply to not just critical infrastructure, but to government agencies and contractors as well. It would require entities report cyber attacks to CISA within 24 hours of discovery. The bill was referred to the Homeland Security Committee.
“The truth is CISA is kind of the new kid on the block in cybersecurity, and, frankly, we’ve got to put more emphasis there, because it is that first line of defense,” Warner said during Amazon Web Services’ Summit in Washington today. “Generally speaking, people when they think about going into cyber in the government, they think NSA or maybe FBI. We need to make sure from a recruitment and resourcing standpoint, we up the game at CISA.”
Warner said he thinks his incident reporting bill will “merge or collaborate” with the Homeland Security Committee’s forthcoming legislation.
During a separate discussion at the AWS Summit, CISA Director Jen Easterly said incident reporting is “hugely important,” as the agency can use the information to not merely help the victim, but make sure others don’t get hacked by the same exploit.
She endorsed the broad nature of Warner’s bill to include critical infrastructure companies, government agencies, federal companies and cybersecurity vendors in the reporting requirements.
But she also said “it doesn’t make sense” to require reports within 24 hours.
“It doesn’t make sense to say 24 hours from detection, because you will flood us with noise,” she said. “We need signal. So we don’t want to be overburdened with noise. And we don’t want to overburden industry under duress, trying to manage an incident. And so what we want is to work with industry through a rulemaking period to make sure that we get this right.”
Beyond incident reporting, Peters and Portman are also looking to update the law that lays out federal roles and responsibilities for cybersecurity issues, the Federal Information Security Modernization Act of 2014. Easterly has said the reform bill should acknowledge CISA as the lead for operational cybersecurity matters on the civilian side of government.
Meanwhile, the House is considering adding $865 million to CISA’s coffers as part of the bipartisan infrastructure package. That would be on top of the $2.4 billion included in the House Appropriations Committee’s version of the fiscal year 2022 homeland security appropriations bill.
The House-passed defense bill also carried forward a number of other significant CISA-related measures, including an amendment that would codify CISA’s “CyberSentry” program in law.
CISA launched CyberSentry as a voluntary pilot last year to deploy sensors on the networks of critical infrastructure owners and operators. The sensors monitor traffic between critical infrastructure control systems and corporate networks. The agency deployed sensors on the networks of five “CyberSentry partners” in fiscal year 2021, according to budget documents.
The bill would also amend the Cybersecurity Information Sharing Act of 2015 to allow CISA to “disseminate protocols to counter cybersecurity vulnerabilities, including in circumstances in which such vulnerabilities exist because software or hardware is no longer supported by a vendor.”
And it carried an amendment from Rep. Elissa Slotkin (D-Mich.) to establish a National Cyber Exercise Program at CISA to evaluate the National Cyber Incident Response plan.
The exercise program would be designed “to simulate the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident,” according to the legislation. The idea is to provide a “systematic evaluation of cyber readiness and enhance operational understanding of the cyber incident response system and relevant information sharing agreements.”
The exercises are likely to complement CISA’s plans for its new Joint Cyber Defense Collaborative, which was another program authorized by last year’s NDAA. The JCDC is aimed at bringing together agencies and private companies under the umbrella of one organization to share information and do cyber defense planning.
“We don’t want the government on private sector networks,” Easterly said at the AWS Summit. “But what we do want is to be able to partner with companies that have so much visibility, such as our cloud service providers, our [Internet Service Providers]. So if you look at the plank holders, it really is ISPs and CSPs and cybersecurity vendors who have that massive global visibility, and can provide anonymized information about trends so that we can hopefully create that picture, see the dots, connect the dots, and then drive collective action at scale.”