Executives Advocate for Legislation to Unite Government and Private Cybersecurity

September 1, 2021 by Tom Ramstack

WASHINGTON — A cybersecurity expert told a congressional panel Wednesday that private industry alone cannot be expected to effectively confront the kinds of cyberattacks that have wreaked havoc on U.S. computer networks in recent years.

He testified to a House Homeland Security subcommittee as it considers a legislative proposal that would make reporting cyberattacks to the Homeland Security Department a matter of federal law rather than a good idea.

Currently, reporting of computer breaches by federal agencies can be disjointed, according to previous Homeland Security Department investigations. Major corporations that operate critical infrastructure are asked but not always required to report cyberattacks.

The Cyber Incident Notification Act of 2021 being considered in Congress would make the Cybersecurity and Infrastructure Security Agency a one-stop shop for reporting all computer security breaches by private companies and government agencies. CISA is overseen by the Homeland Security Department.

“This whole-of-community approach is critical to increasing capacity to prevent and deter future cyberattacks,” said Ronald Bushar, government chief technology officer for the cybersecurity firm FireEye Mandiant.

FireEye Mandiant gained notoriety for a February 2013 report that documented widespread cyber espionage by China’s People’s Liberation Army against targets in the United States and worldwide.

More recently, the company revealed in December 2020 the SolarWinds cyberattack by Russia against U.S. government agencies and major corporations. Last May, FireEye Mandiant assisted the U.S. government in trying to control the ransomware attack against Colonial Pipeline that briefly shut down fuel shipments from Texas to the East Coast.

The Cyber Incident Notification Act is supposed to be the government’s updated response to cyberattacks.

It would require government agencies, contractors and critical infrastructure operators to notify CISA in as little as 72 hours after a computer security breach.

The government could use subpoenas — or court orders — to seek information about cybersecurity breaches, rather than the current fines that sometimes compel companies to hide the incidents. Companies that come forward to report the breaches would be given immunity from prosecution for their voluntary compliance.

Prompt reporting would help CISA put a stop to breaches before they cause damage that can spread throughout U.S. computer infrastructure, Bushar said. He mentioned the SolarWinds attack as an example.

The FBI reported in March that it received a record number of complaints last year about cybercrimes, costing Americans about $4.2 billion in losses. The FBI’s Internet Crime Complaint Center received 791,790 complaints in 2020, up by 69% over 2019.

Bushar cautioned lawmakers that threats to computer systems are getting more serious.

“Any legislation on this matter should take into consideration the evolving cyber threat landscape, the increasingly sophisticated tactics, techniques and procedures used by adversaries,” Bushar said.

Rep. Sheila Jackson Lee, D-Texas, said in recognition of emerging threats to computer networks, “This is a new world.”

John S. Miller, vice president of policy for the Information Technology Industry Council, said he hoped any new legislation would not force companies to make hurried reports that later prove to be inaccurate. His trade group represents technology companies.

He suggested a deadline of no less than three days before companies are required to report computer breaches to CISA.

“Requiring an entity to report an incident on a shorter timeline may be insufficient for companies to determine the nature of the issue – is it a cyberattack or is it merely a network outage,” Miller told the subcommittee on cybersecurity, infrastructure protection and innovation. “In the early hours following the discovery that something anomalous has occurred, our companies are focused on figuring out what has happened and developing a response plan.”

The proposed legislation stands a good chance of winning approval in Congress based on bipartisan support.

Andrew Garbarino, R-N.Y., said, “The fact of the matter here is that something must change.”

The cybersecurity subcommittee held its hearing a day after the FBI published an advisory suggesting that private organizations remain vigilant during the upcoming Labor Day weekend. Cybercriminals often assume security becomes lax during holidays, thereby giving them an opportunity for a ransomware attack, the FBI warned.
