Biden cybersecurity officials back mandate to report breaches

The head of the US cybersecurity enforcement agency “is a big supporter” of bipartisan legislation to force operators of critical infrastructure to report data breaches to the government.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said she supports the Senate Committee on Homeland Security and Government Affairs bill requiring certain private companies, federal agencies and government contractors to report cyber attacks to the agency.

The proposed legislation is in part in response to a wave of major cyber attacks that have targeted critical government agencies and industries, including Colonial Pipeline Co. and meat producer JBS SA. The hacks have increased pressure on the Biden administration to bolster U.S. cyber defenses and fueled calls for federal legislation requiring companies to share incidents with the federal government to help with response and recovery.

Panel chairman Michigan Democrat Gary Peters told Bloomberg he hoped to incorporate the comments from the hearing and bring forward the bill in the coming weeks. Meanwhile, similar legislation has been added to the mandatory defense clearance measure due to be passed in the House this week.

“The sooner CISA, the federal asset response manager, receives information about a cyber incident, the sooner we can perform urgent analysis and share information to protect other potential victims,” ​​Easterly said in written testimony. for the committee hearing on Thursday.

An increase in cyber attacks, especially ransomware, has hit the private sector particularly hard, which owns and operates 85% of critical infrastructure.

Reporting of cyber incidents should be timely, said Easterly, “ideally within 24 hours of detection.” A bill from Peters and top Republican Rob Portman of Ohio proposed a 72-hour deadline for reporting.

Incident reports should also be “broad and not limited to type or sector,” Easterly said, adding that the CISA and the US Department of Justice should have joint authority over the review of operator reports. critical infrastructure as well as federal and government agencies. entrepreneurs. The mandatory report should include digital supply chain and ransomware attacks, she said.

Chris Inglis, the country’s national cyber director, said at the hearing that reporting cyber incidents would be “deeply helpful” and would be helpful in preventing future cyber attacks.

Easterly and Inglis said they support fines on companies as an enforcement mechanism to not report cyber attacks.

Easterly, however, expressed skepticism about the idea of ​​using subpoenas for execution, as proposed in the Peters bill.

“My personal view is that this is not a sufficiently nimble mechanism for us to get the information you need to share it as quickly as possible to avoid other potential victims.” , she said.

Copyright 2021 Bloomberg.

The subjects
Cyber