
Executives Advocate for Legislation to Unite Government and Private Cybersecurity

September 1, 2021 by Tom Ramstack
Ronald Bushar, government chief technology officer for the cybersecurity firm FireEye Mandiant.

WASHINGTON — A cybersecurity expert told a congressional panel Wednesday that private industry alone cannot be expected to effectively confront the kinds of cyberattacks that have wreaked havoc on U.S. computer networks in recent years.

He testified to a House Homeland Security subcommittee as it considers a legislative proposal that would make reporting cyberattacks to the Homeland Security Department a matter of federal law rather than a good idea.

Currently, reporting of computer breaches by federal agencies can be disjointed, according to previous Homeland Security Department investigations. Major corporations that operate critical infrastructure are asked but not always required to report cyberattacks.

The Cyber Incident Notification Act of 2021 being considered in Congress would make the Cybersecurity and Infrastructure Security Agency a one-stop shop for reporting all computer security breaches by private companies and government agencies. CISA is overseen by the Homeland Security Department.

“This whole-of-community approach is critical to increasing capacity to prevent and deter future cyberattacks,” said Ronald Bushar, government chief technology officer for the cybersecurity firm FireEye Mandiant.

FireEye Mandiant gained notoriety for a February 2013 report that documented widespread cyber espionage by China’s People’s Liberation Army against the United States and worldwide.

More recently, the company revealed in December 2020 the SolarWinds cyberattack by Russia against U.S. government agencies and major corporations. Last May, FireEye Mandiant assisted the U.S. government in trying to control the ransomware attack against Colonial Pipeline that briefly shut down fuel shipments from Texas to the East Coast.

The Cyber Incident Notification Act is supposed to be the government’s updated response to cyberattacks.

It would require government agencies, contractors and critical infrastructure operators to notify CISA in as little as 72 hours after a computer security breach.

The government could use subpoenas — or court orders — to seek information about cybersecurity breaches, rather than the current fines that sometimes compel companies to hide the incidents. Companies that come forward to report the breaches would be given immunity from prosecution for their voluntary compliance.

Prompt reporting would help CISA put a stop to breaches before they cause damage that can spread throughout U.S. computer infrastructure, Bushar said. He mentioned the SolarWinds attack as an example.

The FBI reported in March that it received a record number of complaints last year about cybercrimes, costing Americans about $4.2 billion in losses. The FBI’s Internet Crime Complaint Center received 791,790 complaints in 2020, up by 69% over 2019.

Bushar cautioned lawmakers that threats to computer systems are getting more serious.

“Any legislation on this matter should take into consideration the evolving cyber threat landscape, the increasingly sophisticated tactics, techniques and procedures used by adversaries,” Bushar said.

Rep. Sheila Jackson Lee, D-Texas, said in recognition of emerging threats to computer networks, “This is a new world.”

John S. Miller, vice president of policy for the Information Technology Industry Council, said he hoped any new legislation would not force companies to make hurried reports that later prove to be inaccurate. His trade group represents technology companies.

He suggested a deadline of no less than three days before companies are required to report computer breaches to CISA.

“Requiring an entity to report an incident on a shorter timeline may be insufficient for companies to determine the nature of the issue – is it a cyberattack or is it merely a network outage,” Miller told the subcommittee on cybersecurity, infrastructure protection and innovation. “In the early hours following the discovery that something anomalous has occurred, our companies are focused on figuring out what has happened and developing a response plan.”

The proposed legislation stands a good chance of winning approval in Congress based on bipartisan support.

Andrew Garbarino, R-N.Y., said, “The fact of the matter here is that something must change.”

The cybersecurity subcommittee held its hearing a day after the FBI published an advisory suggesting that private organizations remain vigilant during the upcoming Labor Day weekend. Cybercriminals often assume security becomes lax during holidays, thereby giving them an opportunity for a ransomware attack, the FBI warned.
