The FBI could be marginalized on new cybersecurity legislation, a senior bureau official told lawmakers Tuesday. And that would be a big problem, according to America’s most powerful law enforcement agency.
In testimony to Congress, Bryan Vorndran, assistant director of the FBI’s cyber division, said the Biden administration was “concerned” by legislation proposed by the Senate and House Homeland Security committees that would oblige a wide range of companies to report break-ins to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, but not concurrently to the FBI.
“The incident reporting legislation currently under consideration does not recognize the critical expertise and role of the DOJ, including the FBI, in reporting cyber incidents,” Vorndran said in a statement made available to the House Oversight and Reform Committee.
“Cyber is a team sport, and the Department of Justice and the FBI are major players,” Vorndran continued. “The time has come for legislation to reflect that reality.”
The Biden administration’s stance throws a last-minute wrench into years of efforts to require key companies to disclose cyberattacks.
The House of Representatives’ draft of the annual defense bill contains language requiring critical infrastructure operators and government contractors to notify CISA if they are hacked. Similar language is likely to make it into the Senate version of the bill. The provision – the result of weeks of negotiations between the leaders of the Senate Homeland Security and Intelligence committees – would be the most comprehensive cyber regulation ever imposed on the private sector.
One of the biggest problems government cyber defenders face is their lack of visibility into many of the digital attacks on private businesses. Unlike some other countries, the US does not directly monitor or defend most critical private sector networks. This means government agencies rely on companies to voluntarily disclose hacks so they can get a complete picture of the threat environment and develop appropriate security recommendations.
Following the high-profile ransomware attacks on Colonial Pipeline, meat processing giant JBS and IT software provider Kaseya, officials from the Biden administration insisted that Congress mandate cyber incident reporting for key companies in the country.
“The sooner CISA, the federal control center for asset response, receives information about a cyber incident, the faster we can carry out urgent analyses and exchange information in order to protect other potential victims,” CISA Director Jen Easterly told the Senate Homeland Security Committee in September.
But while CISA leads the government’s “asset response” work by addressing specific vulnerabilities and helping victims update their networks, the FBI oversees the “threat response” mission by identifying and deterring the hackers. For this reason, Justice Department and FBI officials want quick access to all incident reports.
“We urge Congress to establish a national standard for reporting major cyber incidents and to require that reported information be immediately passed on to the Justice Department,” Attorney General Merrick Garland said during a November 8 press conference at which actions against ransomware gangs were announced.
Lisa Monaco, the deputy attorney general, also called for a reporting requirement in a CNBC op-ed dated Oct. 6.
The administration’s request for simultaneous reporting to CISA and the FBI could undo efforts to incorporate incident reporting language into the defense bill unless lawmakers quickly embrace the idea. Homeland Security Committee leaders did not respond immediately to the administration’s request for changes to the legislation.
It is also unclear whether the bureau’s position reflects strain between the FBI and CISA, which have sought to establish close working relationships in the three years since CISA was founded.
Also unclear: whether an obligation to report to the FBI would trigger fierce opposition from the private sector.