US Cyber Security Chiefs Support Mandatory Incident Reporting

The US government’s top cyber security officials have endorsed the idea of new legislation that would make private sector companies report when they have been hacked. “We absolutely agree it’s long past time to get cyber incident reporting legislation out there,” Cybersecurity and Infrastructure Security Agency chief Jen Easterly (pictured) said during a Senate Homeland Security Committee hearing.

The Director of the US cyber security enforcement agency “is a huge supporter” of bipartisan legislation to mandate that operators of critical infrastructure report data breaches to the government.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said she backs draft legislation from the Senate Homeland Security and Governmental Affairs Committee to require certain private companies, federal agencies and government contractors to report cyber attacks to the agency.

The proposed legislation is partly in response to a surge of major cyber attacks that targeted government agencies and critical industries.

The hacks increased pressure on the Biden administration to bolster U.S. cyber defences and fuelled calls for federal legislation to require companies to share incidents with the federal government to assist in response and recovery.
The panel’s chairman, Michigan Democrat Gary Peters, told Bloomberg that he hopes to incorporate feedback from the hearing and introduce the bill in the coming weeks.

An increase in cyber attacks, particularly from ransomware, has hit the private sector particularly hard, which owns and operates 85% of critical infrastructure.

Meanwhile, similar legislation has been added to the must-pass defence authorisation measure scheduled to pass the House this week. “The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” Easterly said in written testimony for the committee’s hearing.

The mandatory report should include digital supply chain and ransomware attacks, Easterly said said.

  • Cyber incident reporting should be timely, Easterly said, “ideally within 24 hours of detection.” This is in contrast to a  draft bill from thee Republican party which proposes a 72-hour time frame for reporting.
  • Incident reporting should also be “broad-based and not limited to type or sector,” Easterly said, adding that CISA and the US
  • The Department of Justice should have joint authority over reviewing the reports from critical infrastructure operators as well as from federal agencies and government contractors.

Chris Inglis, the former NSA chief and newly installed US National Cyber Director, said at the hearing that cyber incident reporting would be “profoundly useful” and would be helpful in preventing future cyberattacks.

Both Easterly and Inglis said they supported fines on companies as an enforcement mechanism for not reporting cyber attacks.

Easterly, though, expressed scepticism towards the idea of using subpoenas for enforcements as proposed in the Republican bill. “My personal view is that it is not an agile enough mechanism to allow us to get the information that you need to share it as rapidly as possible to prevent other potential victims,” she said.

The Record:   Bloomberg;     Bloomberg:     Insurance Journal:      Image: CISA

You Might Also Read:

Australia Implements Mandatory Data Breach Reporting:

 

« Incident Response In The AWS Cloud
Webinar: How to build a secure access service edge (SASE) model in the AWS Cloud »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Quttera

Quttera

Quttera provides Website Security Solutions for Small & Medium Businesses, Enterprises and Organizations.

Cyber Security Centre - University of Hertfordshire

Cyber Security Centre - University of Hertfordshire

The Cyber Security Centre provides training, teaching and research in the fast paced topics of cyber security and digital forensics.

Black Duck Software

Black Duck Software

Black Duck Hub allows organizations to manage open source code security as well as license compliance risks.

JPCERT/CC

JPCERT/CC

JPCERT/CC is the first Computer Security Incident Response Team (CSIRT) established in Japan.

Science Applications International Corporation (SAIC)

Science Applications International Corporation (SAIC)

SAIC is a premier technology integrator in the technical, engineering, intelligence, and enterprise information technology markets. Services and solutions include Cybersecurity.

Government Communications Security Bureau (GCSB)

Government Communications Security Bureau (GCSB)

GCSB contributes to New Zealand’s national security by providing information assurance and cyber security to the New Zealand Government and critical infrastructure organisations.

CRI4DATA

CRI4DATA

CRI4DATA's mission is to help organizations build their resilience to cyber risk.

Ledger

Ledger

Ledger is a leader in security and infrastructure solutions for cryptocurrencies and blockchain applications using its proprietary technology.

Microland

Microland

Microland’s delivery of digital is all about making technology do more and intrude less for global enterprises. Our services include Cloud & Data Center, Networks, Cybersecurity and more.

Debevoise & Plimpton

Debevoise & Plimpton

Debevoise & Plimpton LLP is a premier law firm with market-leading practices in areas including Data Strategy & Security.

BlueSteel Cybersecurity

BlueSteel Cybersecurity

BlueSteel is a compliance consulting firm that leverages deep system, data and application expertise to build sustainable cybersecurity solutions.

ShellBoxes

ShellBoxes

ShellBoxes are a leading Web3 company focused on providing top-notch blockchain security and development services.

Calamu

Calamu

Calamu is a software-defined storage security and resiliency platform that keeps your data secure and accessible wherever you choose to store it.

Piiano

Piiano

Piiano offers developer-friendly privacy and security products. Reduce risk and protect your data by using our specialized security and privacy SaaS tools.

Assetnote

Assetnote

The Assetnote platform enables organizations to effectively map and continuously monitor their external attack surface.

Start-Up Chile (SUP)

Start-Up Chile (SUP)

Start-Up Chile is a business accelerator program created by the Chilean Government for high-potential tech entrepreneurs.