CISA, FBI Need Data from Cybercrime Victims to Support Policy

The federal entities at the forefront of policing cybercrime and ransomware within the U.S. are emphasizing the need for organizations to keep reporting cyber incidents to help fill existing “data gaps,” as recent executive actions call for a more stringent approach to penalizing ransomware incidents. 

Speaking at a May 5 Business and Policy Forum at George Washington University, leadership from the Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation discussed current government initiatives to continue countering and preventing zero-day cyber events. 

CISA’s Chief Strategy Officer Valerie M. Cofield and the FBI’s Cyber Division Section Chief David Ring both touched on an existing data gap in the larger image of the current cyber threat landscape, and discussed how sharing incident occurrences aids the larger national security goal to fortify digital networks. 

“Incident reporting is going to be really critical,” Cofield said. “The more that we have, the better it is that we can help protect our networks.”

Ring echoed that victim reporting is “critical” and that federal agencies overseeing cybercrime in the U.S. “still have a lot of work to do when it comes to closing the gap in terms of what's being reported, what we're actually seeing, versus what's actually happening out there.”

The recent passage of legislation that requires public and private sector entities to report any cyber event—specifically the Cyber Incident Reporting for Critical Infrastructure Act that became law in 2022—offers hope for CISA and the FBI’s efforts. Cofield noted that while this is a step in the right direction for gathering a more comprehensive and accurate picture of the cyber incident landscape in the U.S., it may take several years after the bill’s passage to actually acquire that data.

“We won't see the fruits of that legislation for a couple of years, but we're hoping that that will really help with some of the data gaps that we have,” she said. 

Past cultivating a strong reporting culture within the country, Ring specified that agency collaborations—such as those between CISA and the FBI—can also facilitate more data sharing and bring awareness to ransomware events and trends. 

“We need to not just collect our information from private sector through victim reporting, but through collaboration, through proactive two-way sharing, bidirectional sharing of… our organizations that all maintain responsibility for dealing with this threat,” Ring said. 

The FBI recently joined CISA in its Joint Cyber Defense Collaborative. The goal of this collective is to both share, analyze and act upon cybercrime and ransomware data throughout the public and private sectors.  

In addition to agency and victim participation, Cofield expressed a need for other key collaborators, including security researchers. She detailed how the JCDC is working in tandem with cybersecurity researchers in its Pre-Ransomware Notification Initiative, started earlier in 2023. 

“We've been working with cybersecurity researchers, and they've actually been tipping us on activity that they've seen right before an actor to encrypt,” she said.

This approach has helped CISA notify entities—ranging from towns to schools to hospitals—of potential vulnerabilities to fix before a cyberattack exploits it. It also helps support institutions Cofield refers to as “target rich but resource poor,” such as schools, hospitals and critical infrastructures that handle sensitive data but often lack the funding for a strong cybersecurity defense posture. 

“This is a success story of an initiative that we're really trying to grow and blossom, but it's from that…intelligence that the cybersecurity research community is out there collecting,” Cofield added.