Simple Cyber Reporting Will Enable Better Governmentwide Response, Lawmaker Argues

U.S. government digital systems and infrastructure can adjust to a changing cyber threat landscape with a centralized incident reporting structure to incentivize incident reporting. 

Speaking during a panel hosted by the Information Technology Industry Council on Wednesday, Sen. Gary Peters, D-Mich., discussed the important role federal agencies play in supporting cybersecurity efforts nationwide. 

Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee, emphasized the high volume of domestic and international threats against American digital networks, such as extremists and state-sanctioned Russian actors. 

“There's no question that cyber is probably one of our biggest threats to the homeland, and so we have to be focused on this constantly,” he said. “We know the bad guys are constantly figuring out ways to change their tactics as we respond.”

While Peters and his congressional colleagues have focused on strengthening cybersecurity protocols for critical infrastructure like hospitals and schools, in addition to government networks, he also noted that smaller entities and organizations should take the same precautions.

“It's not just critical infrastructure—as important as that is, and we know the impact that that can have—but it's also small businesses, so the bad guys will always go for the softest target,” Peters said. Advancing protections for smaller enterprises and organizations is a legislative priority for Peters and his colleagues. 

Citing his Cyber Incident Reporting for Critical Infrastructure Act that was signed into law in March, Peters said that designating a singular federal entity to mandate and streamline cyber incident reporting will help fortify the broader cybersecurity landscape in the U.S. by alerting all entities to potential threats.

“If we don't have that information, we can't have a coordinated response and prepare for that and, also importantly, warn others that this is happening,” he said. “This is about protecting our industry partners all across the country saying hey, these attacks are occurring.”

Peters said his legislation establishes the Cybersecurity and Infrastructure Security Agency as a focal point and resource for public and select private entities to turn to if they suffer a cyber attack. 

He cited a Senate committee hearing where officials from both CISA and the FBI estimated that only 30% of cyberattacks are documented by law enforcement, resulting in an inaccurate picture of the volume of cyberattacks on U.S. systems. 

While the cyber incident reporting law calls for a single-agency path to reporting cyberattacks, Peters also vocalized the importance of multiple federal agencies to collaborate in cyber protection initiatives, especially in helping the private sector prepare for and prevent ransomware attacks. 

“I want to be clear that I support…the mission of other cyber or other agencies that are engaged in cybersecurity. And certainly the Department of Justice and the FBI play a critical mission, and it is about deterrence,” he said. 

Peters aims for CISA to disseminate information about cyberattacks with other relevant federal agencies, while protecting sensitive information for organizations reporting attacks. 

Aside from initially routing cyber reporting to one agency, Peters added that his next short term goal is to see legislation codifying the FedRAMP cloud security standardization program and the Federal Information Security Modernization Act, or FISMA. 

“We're in discussions with the House right now. And we're very close, I think, to coming up to an agreement to be able to put these two together, and I'm hoping we can get it passed as quickly as possible,” he said.