Executives Advocate for Legislation to Unite Government and Private Cybersecurity
WASHINGTON — A cybersecurity expert told a congressional panel Wednesday that private industry alone cannot be expected to effectively confront the kinds of cyberattacks that have wreaked havoc on U.S. computer networks in recent years.
He testified to a House Homeland Security subcommittee as it considers a legislative proposal that would make reporting cyberattacks to the Homeland Security Department a matter of federal law rather than merely a recommendation.
Currently, reporting of computer breaches by federal agencies can be disjointed, according to previous Homeland Security Department investigations. Major corporations that operate critical infrastructure are asked but not always required to report cyberattacks.
The Cyber Incident Notification Act of 2021 being considered in Congress would make the Cybersecurity and Infrastructure Security Agency a one-stop shop for reporting all computer security breaches by private companies and government agencies. CISA is overseen by the Homeland Security Department.
“This whole-of-community approach is critical to increasing capacity to prevent and deter future cyberattacks,” said Ronald Bushar, government chief technology officer for the cybersecurity firm FireEye Mandiant.
FireEye Mandiant gained notoriety for a February 2013 report that documented widespread cyber espionage by China’s People’s Liberation Army against the United States and worldwide.
More recently, the company revealed in December 2020 the SolarWinds cyberattack by Russia against U.S. government agencies and major corporations. Last May, FireEye Mandiant assisted the U.S. government in trying to control the ransomware attack against Colonial Pipeline that briefly shut down fuel shipments from Texas to the East Coast.
The Cyber Incident Notification Act is supposed to be the government’s updated response to cyberattacks.
It would require government agencies, contractors and critical infrastructure operators to notify CISA in as little as 72 hours after a computer security breach.
The government could use subpoenas — or court orders — to seek information about cybersecurity breaches, rather than the current fines that sometimes compel companies to hide the incidents. Companies that come forward to report the breaches would be given immunity from prosecution for their voluntary compliance.
Prompt reporting would help CISA put a stop to breaches before they cause damage that can spread throughout U.S. computer infrastructure, Bushar said. He mentioned the SolarWinds attack as an example.
The FBI reported in March that it received a record number of complaints last year about cybercrimes, costing Americans about $4.2 billion in losses. The FBI’s Internet Crime Complaint Center received 791,790 complaints in 2020, up by 69% over 2019.
Bushar cautioned lawmakers that threats to computer systems are getting more serious.
“Any legislation on this matter should take into consideration the evolving cyber threat landscape, the increasingly sophisticated tactics, techniques and procedures used by adversaries,” Bushar said.
Rep. Sheila Jackson Lee, D-Texas, acknowledging the emerging threats to computer networks, said, “This is a new world.”
John S. Miller, vice president of policy for the Information Technology Industry Council, said he hoped any new legislation would not force companies to make hurried reports that later prove to be inaccurate. His trade group represents technology companies.
He suggested a deadline of no less than three days before companies are required to report computer breaches to CISA.
“Requiring an entity to report an incident on a shorter timeline may be insufficient for companies to determine the nature of the issue – is it a cyberattack or is it merely a network outage,” Miller told the subcommittee on cybersecurity, infrastructure protection and innovation. “In the early hours following the discovery that something anomalous has occurred, our companies are focused on figuring out what has happened and developing a response plan.”
The proposed legislation stands a good chance of winning approval in Congress based on bipartisan support.
Andrew Garbarino, R-N.Y., said, “The fact of the matter here is that something must change.”
The cybersecurity subcommittee held its hearing a day after the FBI published an advisory suggesting that private organizations remain vigilant during the upcoming Labor Day weekend. Cybercriminals often assume security becomes lax during holidays, thereby giving them an opportunity for a ransomware attack, the FBI warned.