Sen. Gary Peters, D-Mich., who convened the hearing, said he and Sen. Rob Portman, R-Ohio, are preparing legislation requiring organizations to inform CISA about any payments to ransomware extortionists and obligating critical infrastructure firms to alert the agency when they are impacted by incidents.
CISA Director Jen Easterly said prompt reporting is essential to enabling her agency to support victims as well as to identify and warn others who could be impacted.
This reporting cannot be voluntary, and there must be mechanisms to ensure compliance, Easterly said. But she rejected the idea of using subpoenas as an enforcement lever, deeming that approach too slow to allow CISA to gather information and act in a timely manner.
Easterly instead suggested exploring fines — an approach seconded by National Cyber Director Chris Inglis, who said the federal government could look to states’ various approaches to enforcing reporting regulations for examples of best practices.
“Most of the 50 states have reporting requirements of a similar sort, and the vast majority of them have enforcement mechanisms, and many use fines,” Inglis said.
Lawmakers will need to tailor policies so that organizations that have just been hit with cyberattacks are not overwhelmed trying to manage reporting obligations, Easterly said. She also advised fine-tuning the requirements around when to report, so as to prevent CISA from becoming inundated with false alarms.
“We don’t want to be flooded with reports saying, ‘We detected something; we’re not sure whether there’s actual impact or not.’ We need to make sure there’s determined impact,” Easterly said. “What we don’t want is to have CISA overburdened with erroneous reporting, and we don’t want to burden a company under duress when they’re trying to manage a live incident.”
Establishing a federal policy could also streamline reporting for national organizations, by sparing them from juggling a variety of different state laws, Inglis said.
ELEVATING FEDERAL SECURITY
Sens. Portman and Peters released a report earlier this year that found many federal agencies failing to meet certain cybersecurity standards mandated under the Federal Information Security Modernization Act (FISMA). Seven agencies were noncompliant despite having been called out for the same issues only two years prior, and the report found them making basic security mistakes, such as running technology so old that vendors no longer provide security updates for it.
The senators are now pushing for various reforms to federal cybersecurity practices, and cybersecurity leaders testifying during the hearing proposed several improvements.
Easterly said that checkbox compliance isn’t effective, and Chris DeRusha, federal CISO for the Office of Management and Budget (OMB), said agencies should no longer simply self-assert that they have good security methods but must instead have their defenses regularly tested.
Easterly also stressed that putting up a better defense doesn’t have to involve sophisticated strategies. Adopting basic cyber hygiene measures like multifactor authentication could block a significant number of attacks, she said.
Of course, cyber improvements also require people power to implement and maintain.
The federal government, like state and local governments, suffers from workforce challenges, and Easterly and Inglis both spoke in support of apprenticeship programs that can expand the pathways to employment. Rotational programs, internships and other nontraditional entry routes are all promising, Easterly said, while Inglis advocated improving recruitment by raising awareness of available opportunities and removing unnecessary qualifications from job descriptions.
Still, DeRusha said it will take a while to fill the skills gap, and automation will likely be needed in the meantime to stretch the existing workforce's efforts further.
FEDERAL CYBER ROLES
The nation has had a national cyber director for four months, and senators expressed continued uncertainty over how the various agencies involved with aspects of cybersecurity are meant to work together. Portman questioned whether there is too much overlap between agencies and sought clarification on each unit’s particular slice of responsibility.
Easterly said CISA holds firmly to two key functions: serving as the operational lead for federal cybersecurity and coordinating critical infrastructure security. That work in turn sees it connect with a wide variety of public and private partners.
Inglis also sought to defuse concerns, saying the current divisions of responsibility are “reasonably effective” and that cybersecurity work is often bolstered by having so many different entities contribute to the effort. What is essential is to ensure they are coordinated well, he said, noting that cybersecurity leaders plan to officially clarify their various roles and responsibilities in writing.
“All of those strengths represent diversity, which properly applied can be a huge strength for us,” Inglis said. “[The setup] is perhaps less complicated than the U.S. Department of Defense or an American football team, which if it has the right strategy, if it has the right roles, if the life forces that course across it create coherence, purpose [and] unity of effort — it can in fact be quite useful.”