“Cyber is a team sport, and the Department of Justice and the FBI are major players,” Vorndran continued. “The time has come for legislation to reflect that reality.”
The Biden administration’s stance throws a last-minute wrench into years of efforts to require key companies to disclose cyberattacks.
The House of Representatives’ annual defense law draft contains wording requiring critical infrastructure operators and government contractors to notify CISA if they are hacked. Similar wording is likely to make it into the Senate version of the bill. The provision – the result of weeks of negotiations between the leaders of the Senate Homeland Security and Intelligence bodies – would be the most comprehensive cyber regulation ever imposed on the private sector.
One of the biggest problems government cyber defenders face is their lack of visibility into many of the digital attacks on private businesses. Unlike some other countries, the US does not directly monitor or defend most critical private sector networks. This means government agencies rely on companies to voluntarily disclose hacks so they can get a complete picture of the threat environment and develop appropriate security recommendations.
Following the high-profile ransomware attacks on Colonial Pipeline, meat processing giant JBS and IT software provider Kaseya, Biden administration officials insisted that Congress mandate cyber incident reporting for key companies in the country.
“The sooner CISA, the federal control center for asset response, receives information about a cyber incident, the faster we can carry out urgent analyses and exchange information in order to protect other potential victims,” CISA Director Jen Easterly told the Senate Homeland Security Committee in September.
But while CISA leads the government’s “asset response” work by addressing specific vulnerabilities and helping victims update their networks, the FBI oversees the “threat response” mission by identifying and deterring the hackers. For this reason, Justice Department and FBI officials want quick access to all incident reports.
“We urge Congress to establish a national standard for reporting major cyber incidents and to require that reported information be immediately passed on to the Justice Department,” Attorney General Merrick Garland said during a November 8 press conference at which actions against ransomware gangs were announced.
Lisa Monaco, the deputy attorney general, also called for a reporting mandate in a CNBC op-ed dated Oct. 6.
The administration’s request for simultaneous reporting to CISA and the FBI could undo efforts to incorporate incident reporting language into the defense bill unless lawmakers quickly embrace the idea.
Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Committee’s cybersecurity subcommittee and main sponsor of her chamber’s reporting mandate, said she was not in favor of changing the program.
“We took seriously the different but complementary roles that authorities play across the federal government,” she said. “But ultimately, we believe that CISA … should lead the federal government’s cyber incident reporting program.”
Spokespersons for the other main sponsors of the reporting legislation did not comment on the administration’s request for changes to the bill.
It is also unclear whether the bureau’s position reflects a strain between the FBI and CISA, which have sought to establish close working relationships in the three years since CISA was founded.
Also unclear is whether an obligation to report to the FBI would trigger fierce opposition from the private sector.