Incident reporting provisions are being considered as part of the annual defense bill.
Three of the nation’s top cybersecurity leaders asked lawmakers to use fines in crafting legislation that would require private-sector entities to report incidents like ransomware and other cyberattacks.
“I do think a compliance and enforcement mechanism is very important here,” said Cybersecurity and Infrastructure Security Agency Director Jen Easterly. I know some of the language talks about subpoena authority. My personal view is that is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors. So I think that we should look at fines.”
Easterly testified before the Senate Homeland Security and Governmental Affairs Committee Thursday along with Federal Chief Information Security Officer Chris DeRusha and National Cyber Director Chris Inglis. Inglis and DeRusha agreed with Easterly’s comments in response to Committee Chairman Gary Peter, D-Mich., who asked the witnesses to weigh in on the best way to ensure companies submit reports in line with legislation he’s drafting in partnership with Committee Ranking Member Rob Portman, R-Ohio.
“What we're looking at here is mandating companies to submit these reports but we have to make sure they actually comply with that to get this information, so let me hear your thoughts,” Peters said.
The effort to mandate some form of incident reporting for companies gained momentum after a string of major breaches, including those at government contractor SolarWinds—where nine federal agencies were affected—and at Colonial Pipeline, which temporarily upended fuel supply to much of the East Coast as ransomware attackers held their systems hostage.
The comments from Easterly and the other cyber leaders contrast with those of industry representatives testifying on a House version of the proposal during a Sept. 1 hearing. Representatives from the information technology, communications, finance and pipeline sectors praised the measure for favoring subpoenas over fines.
The House on Wednesday approved the legislation, proposed by Rep. Yvette Clarke, D-N.Y., as an amendment to the National Defense Authorization Act of 2022, which is soon expected to get a floor vote.
“Fines are obviously used across industries,” said Easterly, who was most recently leading resilience efforts at Morgan Stanley. “I just came from four and a half years in the financial services sector, where fines are a mechanism that enables compliance and enforcement. I realize this is a complicated issue, and I really look forward to working through it with you because I think it is important that we are able to get the information that we need in a timely way.”
An alternate cyber incident reporting proposal from Sen. Mark Warner, D- Va., does employ fines as the main enforcement mechanism, but other aspects of the bill have received criticism from both industry and some House counterparts.