U.S. cybersecurity officials are seeking to put their stamp on cyber incident reporting legislation, wading into debates on Capitol Hill about questions like how swiftly companies must report attacks to federal agencies — and what happens if they don’t.
The head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency testified at a Senate hearing Thursday in favor of requiring critical infrastructure owners and operators, federal contractors and agencies to report attacks to CISA within 24 hours of detection.
There are three leading proposals in Congress, each with a different timeframe for reporting attacks.
The leaders of the Senate Intelligence Committee favor a 24-hour deadline. A draft bill from leaders of the Senate Homeland Security and Governmental Affairs Committee would set the deadline somewhere between 72 hours and seven days, as determined by CISA. And a draft from leading members of the House Homeland Security Committee proposes leaving the decision up to CISA but requiring reports no earlier than 72 hours.
“The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” CISA Director Jen Easterly told the Senate Homeland Security and Governmental Affairs Committee.
Easterly’s testimony comes days after DHS Secretary Alejandro Mayorkas also told senators that he favors reporting mandates. And it follows Wednesday’s release of voluntary DHS and Commerce Department “performance goals” for critical infrastructure cybersecurity in a push to pressure companies into improving their safeguards.
The testimonies are the latest steps in an ongoing dance in the legislative and executive branches between demanding and requesting that the private sector take action on cybersecurity, triggered by last year’s sweeping SolarWinds hack and a host of damaging ransomware attacks.
At Thursday’s hearing, Easterly further advocated for CISA and the Justice Department to decide what kinds of companies would have to meet the reporting requirements, rather than writing them specifically into the bill. She also advocated fines, rather than subpoenas, to compel companies to obey the reporting requirements.
“My personal view is that is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors,” Easterly said of subpoenas.
National Cyber Director Chris Inglis, testifying at the same hearing, said he agreed with Easterly’s preferences.
Senate Homeland Security Chairman Gary Peters, D-Mich., solicited the testimony for legislation that he and top panel Republican Rob Portman of Ohio are formulating.
“There is currently no national requirement for all critical infrastructure owners and operators to report to the federal government when they have been hit with a significant attack,” Peters said. “That needs to change.”
Meanwhile, the nine performance goals that DHS and the Commerce Department released Wednesday have no enforcement mechanism. The idea behind the memo that President Joe Biden signed in July directing their creation was to send “clear guidance” on administration expectations.
The goals cover subjects like supply chain risk management, incident response and recovery, training, risk management and ongoing monitoring.
“It is vital that critical infrastructure owners and operators immediately take steps to strengthen their cybersecurity posture toward these high-level goals,” Mayorkas and Commerce Secretary Gina Raimondo said in a joint statement.