
Executives Advocate for Legislation to Unite Government and Private Cybersecurity

September 1, 2021 by Tom Ramstack
Ronald Bushar, government chief technology officer for the cybersecurity firm FireEye Mandiant.

WASHINGTON — A cybersecurity expert told a congressional panel Wednesday that private industry alone cannot be expected to effectively confront the kinds of cyberattacks that have wreaked havoc on U.S. computer networks in recent years.

He testified to a House Homeland Security subcommittee as it considers a legislative proposal that would make reporting cyberattacks to the Homeland Security Department a matter of federal law rather than a good idea.

Currently, reporting of computer breaches by federal agencies can be disjointed, according to previous Homeland Security Department investigations. Major corporations that operate critical infrastructure are asked but not always required to report cyberattacks.

The Cyber Incident Notification Act of 2021 being considered in Congress would make the Cybersecurity and Infrastructure Security Agency a one-stop shop for reporting all computer security breaches by private companies and government agencies. CISA is overseen by the Homeland Security Department.

“This whole-of-community approach is critical to increasing capacity to prevent and deter future cyberattacks,” said Ronald Bushar, government chief technology officer for the cybersecurity firm FireEye Mandiant.

FireEye Mandiant gained notoriety for a February 2013 report that documented widespread cyber espionage by China’s People’s Liberation Army against targets in the United States and worldwide.

More recently, the company revealed in December 2020 the SolarWinds cyberattack by Russia against U.S. government agencies and major corporations. Last May, FireEye Mandiant assisted the U.S. government in trying to control the ransomware attack against Colonial Pipeline that briefly shut down fuel shipments from Texas to the East Coast.

The Cyber Incident Notification Act is supposed to be the government’s updated response to cyberattacks.

It would require government agencies, contractors and critical infrastructure operators to notify CISA in as little as 72 hours after a computer security breach.

The government could use subpoenas — or court orders — to seek information about cybersecurity breaches, rather than the current fines that sometimes compel companies to hide the incidents. Companies that come forward to report the breaches would be given immunity from prosecution for their voluntary compliance.

Prompt reporting would help CISA put a stop to breaches before they cause damage that can spread throughout U.S. computer infrastructure, Bushar said. He mentioned the SolarWinds attack as an example.

The FBI reported in March that it received a record number of complaints last year about cybercrimes, costing Americans about $4.2 billion in losses. The FBI’s Internet Crime Complaint Center received 791,790 complaints in 2020, up by 69% over 2019.

Bushar cautioned lawmakers that threats to computer systems are getting more serious.

“Any legislation on this matter should take into consideration the evolving cyber threat landscape, the increasingly sophisticated tactics, techniques and procedures used by adversaries,” Bushar said.

Rep. Sheila Jackson Lee, D-Texas, said in recognition of emerging threats to computer networks, “This is a new world.”

John S. Miller, vice president of policy for the Information Technology Industry Council, said he hoped any new legislation would not force companies to make hurried reports that later prove to be inaccurate. His trade group represents technology companies.

He suggested a deadline of no less than three days before companies are required to report computer breaches to CISA.

“Requiring an entity to report an incident on a shorter timeline may be insufficient for companies to determine the nature of the issue – is it a cyberattack or is it merely a network outage,” Miller told the subcommittee on cybersecurity, infrastructure protection and innovation. “In the early hours following the discovery that something anomalous has occurred, our companies are focused on figuring out what has happened and developing a response plan.”

The proposed legislation stands a good chance of winning approval in Congress based on bipartisan support.

Andrew Garbarino, R-N.Y., said, “The fact of the matter here is that something must change.”

The cybersecurity subcommittee held its hearing a day after the FBI published an advisory suggesting that private organizations remain vigilant during the upcoming Labor Day weekend. Cybercriminals often assume security becomes lax during holidays, thereby giving them an opportunity for a ransomware attack, the FBI warned.
