US Cyber Security Chiefs Support Mandatory Incident Reporting

The US government’s top cyber security officials have endorsed the idea of new legislation that would make private sector companies report when they have been hacked. “We absolutely agree it’s long past time to get cyber incident reporting legislation out there,” Cybersecurity and Infrastructure Security Agency chief Jen Easterly (pictured) said during a Senate Homeland Security Committee hearing.

The Director of the US cyber security enforcement agency “is a huge supporter” of bipartisan legislation to mandate that operators of critical infrastructure report data breaches to the government.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said she backs draft legislation from the Senate Homeland Security and Governmental Affairs Committee to require certain private companies, federal agencies and government contractors to report cyber attacks to the agency.

The proposed legislation is partly in response to a surge of major cyber attacks that targeted government agencies and critical industries.

The hacks increased pressure on the Biden administration to bolster U.S. cyber defences and fuelled calls for federal legislation to require companies to share incidents with the federal government to assist in response and recovery.
The panel’s chairman, Michigan Democrat Gary Peters, told Bloomberg that he hopes to incorporate feedback from the hearing and introduce the bill in the coming weeks.

An increase in cyber attacks, particularly from ransomware, has hit the private sector particularly hard, which owns and operates 85% of critical infrastructure.

Meanwhile, similar legislation has been added to the must-pass defence authorisation measure scheduled to pass the House this week. “The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” Easterly said in written testimony for the committee’s hearing.

The mandatory report should include digital supply chain and ransomware attacks, Easterly said said.

  • Cyber incident reporting should be timely, Easterly said, “ideally within 24 hours of detection.” This is in contrast to a  draft bill from thee Republican party which proposes a 72-hour time frame for reporting.
  • Incident reporting should also be “broad-based and not limited to type or sector,” Easterly said, adding that CISA and the US
  • The Department of Justice should have joint authority over reviewing the reports from critical infrastructure operators as well as from federal agencies and government contractors.

Chris Inglis, the former NSA chief and newly installed US National Cyber Director, said at the hearing that cyber incident reporting would be “profoundly useful” and would be helpful in preventing future cyberattacks.

Both Easterly and Inglis said they supported fines on companies as an enforcement mechanism for not reporting cyber attacks.

Easterly, though, expressed scepticism towards the idea of using subpoenas for enforcements as proposed in the Republican bill. “My personal view is that it is not an agile enough mechanism to allow us to get the information that you need to share it as rapidly as possible to prevent other potential victims,” she said.

The Record:   Bloomberg;     Bloomberg:     Insurance Journal:      Image: CISA

You Might Also Read:

Australia Implements Mandatory Data Breach Reporting:

 

« Incident Response In The AWS Cloud
Webinar: How to build a secure access service edge (SASE) model in the AWS Cloud »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

TÜV SÜD Academy UK

TÜV SÜD Academy UK

TÜV SÜD offers expert-led cybersecurity training to help organisations safeguard their operations and data.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Versasec

Versasec

Versasec is a leader in identity and access management, providing customers with security solutions for managing digital identities.

HackCon Norway

HackCon Norway

HackCon is for the people who are interested in technology, psychology, IT and security, and who wants to improve their knowledge within these areas.

GraVoc

GraVoc

GraVoc is a technology-consulting firm committed to solving business problems for customers through the development, implementation, & support of technology-based solutions.

Anect

Anect

Anect is a leading provider of ICT security and services for hybrid and cloud solutions.

IUCC Cyber Unit - Israel

IUCC Cyber Unit - Israel

IUCC Cyber Unit safeguards Israel’s National Research & Education Network (NREN).

Trustonic

Trustonic

Trustonic is a leader in the device security market. Our mission is to protect apps, secure devices & enable trust.

Blockchain Reactor

Blockchain Reactor

Blockchain Reactor is a blockchain consultancy and implementation company providing cutting-edge blockchain solutions for start-ups and enterprises.

Get Indemnity

Get Indemnity

Get Indemnity are specialist insurance brokers with experience working on a wide range of innovative business insurance products that combine risk management, indemnity and incident response services.

Nu Quantum

Nu Quantum

Nu Quantum is developing quantum photonics hardware to power the quantum revolution in communications, sensing and computing.

Quantifind

Quantifind

Quantifind enables financial crimes/fraud analysts and investigators to make better decisions, faster, with intelligent automation.

Salt Cybersecurity

Salt Cybersecurity

Salt Cybersecurity offer a four-pronged approach to information security that includes Custom Security Policy, Vulnerability Assessment, Threat Detection, and Security Awareness Training.

Zeus Cloud

Zeus Cloud

Zeus Cloud provide clients with world-class web hosting services to businesses both big and small.

ABPSecurite

ABPSecurite

ABPSecurite is a leading value-added distributor and a network performance solutions provider.

XY Cyber

XY Cyber

XY Cyber enable Generative AI for Cyber Operations. We simplify the complex world of cyber threats into actionable strategies, empowering your defense with AI-powered solutions.

Nicos AG

Nicos AG

Nicos AG specializes in secure, global data communication.

RELIANOID

RELIANOID

RELIANOID is an application delivery controller and load balancing system that ensures high performance and security of IT services on a massive scale.