- There is an effort among federal cybersecurity leaders to create a national cyber incident reporting law to streamline response and recovery, and real-time information sharing. A reporting law could inform cybersecurity investments and determine strategy, said Chris Inglis, national cyber director (NCD), during a Senate Committee on Homeland Security & Governmental Affairs hearing Thursday.
- If a federal cyber incident reporting law were to be enacted, the Cybersecurity and Infrastructure Security Agency (CISA) expects to use the information for response analysis and broad sharing, according to Jen Easterly, director of CISA, during the hearing. "We absolutely agree it's long past time to get cyber incident reporting legislation out there," she said.
- Cybersecurity leaders in the federal government and members of the Senate committee put a lot of emphasis on modernizing the Federal Information Security Management Act (FISMA) to encompass today's threats, formalize CISA's operational responsibility across sectors and create a reporting standard.
With greater emphasis on cyber, the federal government has issued executive orders and mandates this year to compensate for outdated cyber strategy. Yet it's been "nearly seven years since FISMA was last updated in 2014," Sen. Rob Portman, R-Ohio, said during the hearing. "Agencies still have the same vulnerabilities year after year."
All U.S. departments, with the exception of Homeland Security, scored a "C" or D" on their cybersecurity posture, according to a report by the Senate committee, published in August. Reforming FISMA would ideally harmonize the federal government's cybersecurity strategy, and treat agencies and departments more like an enterprise.
For federal cybersecurity or FISMA reform, Easterly wants to see:
- CISA codify its role in federal cybersecurity as the operational lead
- Transition from compliance-list-checking to operational risk management
- Introduce a national notification law to ensure CISA receives data to share quickly
It's "very important that we're not asking a company, a business that's under duress during a cyber incident to report to seven different entities," said Easterly. She doesn't want to complicate companies reporting to CISA for the incident and regulatory bodies for legalities.
While CISA acts as the coordinator between the public and private sectors, the information pipeline it uses to share is too shallow. CISA is timely, but its information-sharing abilities could improve with a more robust data pipeline.
CISA does not want to be inundated with "erroneous reporting," Easterly said. And likewise, "we don't want to burden a company under duress when they're trying to actually manage a live incident."
To do so, compliance and enforcement measures for submitting information is necessary, Easterly said.
"I know some of the language talks about a subpoena authority. My personal view is, that is not an agile enough mechanism to allow us to get the information that we need to share as rapidly as possible to prevent other potential victims from threat actors," she said. If requirement mechanisms are not followed, companies could expect fines.
Because each state has its own data breach reporting laws, Inglis suggested performing a survey to find best practices an incident reporting law could adopt. "We of course don't want to impose an unfair burden on the victims. But this information is essential for the welfare of the whole," he said. "There should be rewards for good behavior."