- Final work is underway for the Cyber Incident Reporting for Critical Infrastructure Act, which Cybersecurity and Infrastructure Security Agency Director Jen Easterly expects to be done by the end of this year or early 2024 at the latest, she said Wednesday at the Billington Cybersecurity Summit. The act, signed in March 2022, requires critical infrastructure providers to report major cyber incidents and ransomware payments to the agency.
- “But until we have that in place, we need to make sure we are communicating around threats, realizing that a threat to one is a threat to many,” Easterly said.
- Easterly said the agency has made significant progress in building a collaborative model for sharing intelligence and gaining visibility into threats facing the nation, but said more work still needs to be done.
Easterly discussed the evolution CISA has made in expanding partnerships, sharing threat information and gaining real-time intelligence in order to help disrupt threats.
The agency has forged significant relationships with various organizations to gain a foothold against malicious cyber activity over the past two years.
In July, CISA partnered with Microsoft to gain enhanced visibility into security logs, after suspected China-based hackers gained access to sensitive emails in the U.S. State Department and Department of Commerce. Federal officials, including Sen. Ron Wyden, D-Oregon, heaped withering criticism against the company for its security policies.
CISA has been behind a concerted effort to make sure cloud providers and other technology companies infuse security into their platforms without requiring customers to pay an extra premium.
Earlier this year, CISA launched a pilot program to warn critical infrastructure providers about looming ransomware attacks. The Joint Ransomware Task Force is running the program, which involves warning organizations about internet-accessible vulnerabilities that have been linked to specific ransomware groups.
Easterly called on corporate boards and C-suite executives to take ownership over cybersecurity, warning that responsibility for cyber risk cannot be just handed off to CISOs and ignored by senior leadership.
Governance and risk concerns have taken on heightened importance in recent weeks after the Securities and Exchange Commission voted to require disclosure of material incidents within four business days and annual reporting on corporate risk mitigation strategies.