Congress must pass cyber notification law, top CISA official says

Companies should be required to notify federal government of major cyberattacks, top cyber official said

Brandon Wales, acting director of Homeland Security's Cybersecurity and Infrastructure Security Agency, spoke Thursday about the Colonial Pipeline cyberattack. (Tom Williams/CQ Roll Call)
Posted May 13, 2021 at 1:16pm

Congress must pass a law requiring private companies that operate critical infrastructure and other computer networks to notify the U.S. government when they suffer a cyberattack, Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, said Thursday.

To meet its goal of protecting U.S. critical infrastructure from cyberattacks, CISA needs “information from victims of cyber incidents so that we can share that information and raise the baseline of cybersecurity,” Wales said at an event organized by the George Washington University School of Media & Public Affairs and the Howard Baker Forum.

“But to do that, we need Congress to take certain actions to require cyber incident notification,” Wales said, adding that Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee, and other lawmakers appear to be working on such legislation.

Such a bill would not be onerous on private companies but would create a uniform requirement for notification, Wales said.


The question of what information private companies that suffer a cyberattack share with CISA and other government agencies was highlighted this week when Colonial Pipeline, which suffered a ransomware attack and shut down its network of gasoline pipelines on the East Coast, informed the FBI about the attack, but not CISA.

Wales told the Senate Homeland Security and Governmental Affairs Committee earlier this week that the FBI in turn notified CISA. While the FBI typically investigates a cyberattack to find the culprits, the job of understanding how an attack unfolded and alerting others to it falls to CISA.

Although the breach at Colonial Pipeline was discovered late last week, CISA has yet to publish details of how the breach occurred, or what tools and techniques were used by the criminals, so that the agency can alert operators of other critical infrastructure to be on the lookout.

Wales said details of how the attack on Colonial Pipeline unfolded and measures to prevent such an attack would be released later Thursday.

In February, the Senate Intelligence Committee held a hearing to examine the SolarWinds breach, which probably began in July 2020 but wasn’t discovered until December 2020 and only came to light after FireEye, a cybersecurity company, notified the U.S. government.

The fact that no one detected or reported the attack for months and several likely victims had not reported they were affected suggested that U.S. law must require such notification, Warner said at the time.

“I would ask if we shouldn’t have mandatory reporting systems, even if it requires some liability protection, so we can better understand and better mitigate future such attacks,” Warner said. “Do we need something like the National Transportation Safety Board or a public-private entity that can immediately examine major breaches to see if we have a systemic problem as we seem to in this case?”


Private companies have said they are concerned about being sued by customers or shareholders if they reveal that they have been victims of a cyberattack.

The United States has no federal data breach notification law, but there are separate state laws. In 2012, Congress failed to pass a bill backed by then-Sens. Joe Lieberman and Jay Rockefeller and Sen. Susan Collins, R-Maine, that would have required U.S. companies to notify customers and the government of breaches.

It’s time to consider a federal notification law, Brad Smith, president of Microsoft, told lawmakers at the February hearing this year.

“I think the time has come to go in that direction,” Smith said. “We should notify a part of the U.S. government that would be responsible for aggregating threat intelligence and make sure that it is put to good use to protect the country.”

While Congress moves toward new legislation, President Joe Biden on Wednesday signed an executive order that requires federal agencies to adopt several measures to strengthen cybersecurity and spells out a plethora of tight deadlines to meet those goals.

The Trump administration also issued several executive orders aimed at tightening cybersecurity, but the Biden administration is “going to be a lot more diligent in follow-up” to ensure federal agencies meet the goals set out in the order, Wales said.

The Office of Management and Budget intends to use the “power of the purse to push agencies in a positive direction,” Wales said.

Biden’s order requires federal agencies that have contracts with private companies to remove contractual barriers that would stop the private companies from sharing details of a cyberattack on their network.

Agencies are required to draw up a plan to operate their networks under a so-called zero trust environment, which means that all access to a network would be considered suspicious unless authenticated. All agencies also are required to adopt multi-factor authentication and encryption of data.

The order spells out other steps agencies must take, and taken together they amount to an aggressive plan, Wales said.

“It’s ambitious because what we have seen is we don’t have time to continue to wait,” Wales said. “The White House is seized by that urgency and this executive order reflects it.”