US Cyber Security Chiefs Support Mandatory Incident Reporting

The US government’s top cyber security officials have endorsed the idea of new legislation that would make private sector companies report when they have been hacked. “We absolutely agree it’s long past time to get cyber incident reporting legislation out there,” Cybersecurity and Infrastructure Security Agency chief Jen Easterly (pictured) said during a Senate Homeland Security Committee hearing.

The Director of the US cyber security enforcement agency “is a huge supporter” of bipartisan legislation to mandate that operators of critical infrastructure report data breaches to the government.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said she backs draft legislation from the Senate Homeland Security and Governmental Affairs Committee to require certain private companies, federal agencies and government contractors to report cyber attacks to the agency.

The proposed legislation is partly in response to a surge of major cyber attacks that targeted government agencies and critical industries.

The hacks increased pressure on the Biden administration to bolster U.S. cyber defences and fuelled calls for federal legislation to require companies to share incidents with the federal government to assist in response and recovery.

The panel’s chairman, Michigan Democrat Gary Peters, told Bloomberg that he hopes to incorporate feedback from the hearing and introduce the bill in the coming weeks.

An increase in cyber attacks, particularly from ransomware, has hit the private sector, which owns and operates 85% of critical infrastructure, particularly hard.

Meanwhile, similar legislation has been added to the must-pass defence authorisation measure scheduled to pass the House this week. “The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” Easterly said in written testimony for the committee’s hearing.

The mandatory report should include digital supply chain and ransomware attacks, Easterly said.

  • Cyber incident reporting should be timely, Easterly said, “ideally within 24 hours of detection.” This is in contrast to a draft bill from the Republican party which proposes a 72-hour time frame for reporting.
  • Incident reporting should also be “broad-based and not limited to type or sector,” Easterly said, adding that CISA and the US Department of Justice should have joint authority over reviewing the reports from critical infrastructure operators as well as from federal agencies and government contractors.

Chris Inglis, the former NSA chief and newly installed US National Cyber Director, said at the hearing that cyber incident reporting would be “profoundly useful” and would be helpful in preventing future cyberattacks.

Both Easterly and Inglis said they supported fines on companies as an enforcement mechanism for not reporting cyber attacks.

Easterly, though, expressed scepticism towards the idea of using subpoenas for enforcement as proposed in the Republican bill. “My personal view is that it is not an agile enough mechanism to allow us to get the information that you need to share it as rapidly as possible to prevent other potential victims,” she said.

The Record; Bloomberg; Insurance Journal; Image: CISA
