Agencies designated for managing risk in particular sectors have work ahead of them to hammer out details with the Cybersecurity and Infrastructure Security Agency.
Legislation requiring owners of U.S. critical infrastructure to report ransomware payments and other cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency is not about holding companies’ feet to the fire and will in turn help create a stronger defense against adversaries like Russia, according to Senate Intelligence Committee Chair Mark Warner, D-Va.
Warner started highlighting the need for incident reporting legislation in hearings that followed the massive hacking campaign generally referred to as SolarWinds. U.S. officials have attributed what they described as an espionage campaign to Russia’s Foreign Intelligence Service. But the breaches that resulted, which compromised nine federal agencies, including the Department of Homeland Security, only came to light because of voluntary reporting from the third-party cybersecurity firm FireEye, which was itself a victim of the campaign.
Policymakers fear—absent enforcement of a legal requirement—that cyber incidents go widely unreported, depriving cyber defenders of valuable information about adversary techniques that could be disseminated to bolster the defenses of other potential victims and avoid cascading consequences.
President Joe Biden is soon expected to sign the bill into law as part of an overdue measure to fund the federal government that also ups funding for CISA’s activities amid the threat of cyber “spillover” from Russia’s attack on its neighbor’s sovereignty.
“Finally, finally, finally we have mandatory cyber reporting,” Warner said. “That will require mandatory reporting to CISA if you are the victim of a cyber attack. We'll give the company immunity. We don't want to hold the company accountable. We do want to be able to go after malware actors.”
He spoke at a virtual event the Center for Strategic and International Studies hosted Monday on the cyber component to Russia’s invasion of Ukraine.
“[it’s] a big win in the budget bill for those of us who are concerned about the cyber domain,” Warner said. “We know we can't be 100% effective in our defense but we have to have resilience. I think this is a giant giant step forward, both in terms of the challenges vis-à-vis Ukraine, but on a broader basis. [Incident reporting legislation] over the long haul will give us a much greater tool to have that reporting to CISA, again, mostly so that we can then share it with our other private sector partners.”
The legislation shields companies who report their cybersecurity incidents as required to CISA from being sued in court but with some important caveats. Among those: “The liability protections provided … shall only apply to or affect litigation that is solely based on the submission of a covered cyber incident report or ransom payment report to [CISA],” the legislation reads.
Sector-specific-risk-management agencies, such as the Treasury Department and Health and Human Services, which also collect reports on cybersecurity incidents for regulatory and enforcement purposes, must now work out with CISA exactly how the information needed to fulfill their various roles should be collected, according to the legislation.