US Cyber Security Chiefs Support Mandatory Incident Reporting

The US government’s top cyber security officials have endorsed the idea of new legislation that would make private sector companies report when they have been hacked. “We absolutely agree it’s long past time to get cyber incident reporting legislation out there,” Cybersecurity and Infrastructure Security Agency chief Jen Easterly (pictured) said during a Senate Homeland Security Committee hearing.

The Director of the US cyber security enforcement agency “is a huge supporter” of bipartisan legislation to mandate that operators of critical infrastructure report data breaches to the government.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said she backs draft legislation from the Senate Homeland Security and Governmental Affairs Committee to require certain private companies, federal agencies and government contractors to report cyber attacks to the agency.

The proposed legislation is partly in response to a surge of major cyber attacks that targeted government agencies and critical industries.

The hacks increased pressure on the Biden administration to bolster U.S. cyber defences and fuelled calls for federal legislation to require companies to share incidents with the federal government to assist in response and recovery.
The panel’s chairman, Michigan Democrat Gary Peters, told Bloomberg that he hopes to incorporate feedback from the hearing and introduce the bill in the coming weeks.

An increase in cyber attacks, particularly from ransomware, has hit the private sector particularly hard, which owns and operates 85% of critical infrastructure.

Meanwhile, similar legislation has been added to the must-pass defence authorisation measure scheduled to pass the House this week. “The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” Easterly said in written testimony for the committee’s hearing.

The mandatory report should include digital supply chain and ransomware attacks, Easterly said said.

  • Cyber incident reporting should be timely, Easterly said, “ideally within 24 hours of detection.” This is in contrast to a  draft bill from thee Republican party which proposes a 72-hour time frame for reporting.
  • Incident reporting should also be “broad-based and not limited to type or sector,” Easterly said, adding that CISA and the US
  • The Department of Justice should have joint authority over reviewing the reports from critical infrastructure operators as well as from federal agencies and government contractors.

Chris Inglis, the former NSA chief and newly installed US National Cyber Director, said at the hearing that cyber incident reporting would be “profoundly useful” and would be helpful in preventing future cyberattacks.

Both Easterly and Inglis said they supported fines on companies as an enforcement mechanism for not reporting cyber attacks.

Easterly, though, expressed scepticism towards the idea of using subpoenas for enforcements as proposed in the Republican bill. “My personal view is that it is not an agile enough mechanism to allow us to get the information that you need to share it as rapidly as possible to prevent other potential victims,” she said.

The Record:   Bloomberg;     Bloomberg:     Insurance Journal:      Image: CISA

You Might Also Read:

Australia Implements Mandatory Data Breach Reporting:

 

« Incident Response In The AWS Cloud
Webinar: How to build a secure access service edge (SASE) model in the AWS Cloud »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Echelon

Echelon

Echelon Company is a provider of information security services specializing in certification of security software and hardware products in Russia.

FaceFirst

FaceFirst

FaceFirst provide face recognition technology solutions to detect and deter real time threats,

Credence Security

Credence Security

Credence Security (previously ARM) the regions speciality distribution company, specializes in IT security, Forensics and Incident Response.

Positive Technologies

Positive Technologies

Positive Technologies is a leading global provider of enterprise security solutions for vulnerability and compliance management, incident and threat analysis, and application protection.

Salient CRGT

Salient CRGT

Salient CRGT is a leading provider of health, data analytics, cloud, agile software development, mobility, cyber security, and infrastructure solutions.

Balbix

Balbix

Balbix BreachControl™ is the industry’s first system to leverage specialized AI to provide comprehensive and continuous predictive assessment of breach risk.

Grupo CFI

Grupo CFI

Grupo CFI is the largest Spanish network of data protection and cybersecurity professionals.

Incognito Forensic Foundation Lab (IFF Lab)

Incognito Forensic Foundation Lab (IFF Lab)

IFF Lab is a premier cyber and digital forensics lab in India that offers forensic services and solutions, cyber security analysis and assessment, IT support, training and consultation.

IT Security Jobs

IT Security Jobs

IT Security Jobs is a dedicated portal for everything related to IT professionals looking for IT Security jobs.

Valid Network

Valid Network

Valid Network DSP is blending traditional cyber security methodologies with blockchain transactions to achieve trust, internal and federated between organizations and stake holders.

CybX Security LLC

CybX Security LLC

CybX is the first company of its kind to merge the practice of computer forensics with computer security and information security.

Cypherix

Cypherix

Cypherix is tightly focused on cryptography and data security. We leverage our expertise to deliver state-of-the-art, world-class encryption software packages.

eSec Forte Technologies

eSec Forte Technologies

eSec Forte Technologies is a CMMI Level-3 ISO 9001-2008, 27001-2013 certified global consulting and implementation company focused on Information Security and Cyber Security.

PreCog Security

PreCog Security

PreCog Security is a US based cybersecurity risk mitigation company. We specialize in helping you find, minimize and manage vulnerability risk within your product, network and process.

North West Cyber Resilience Centre (NWCRC)

North West Cyber Resilience Centre (NWCRC)

The North West Cyber Resilience Centre is a trusted, not-for-profit venture between Greater Manchester Police and Manchester Digital.

NACVIEW

NACVIEW

NACVIEW is a Network Access Control solution. It allows to control endpoints and identities that try to access the network - wired and wireless, including VPN connections.