The FBI's out in the Cold

There was an old '60s movie called The Spy Who Came in from the Cold.  Well, the FBI could be sidelined in new cybersecurity legislation and left out in the cybersecurity cold.  In the view of America's most powerful law enforcement agency, that could be a big problem.

In testimony to the US Congress, the current assistant director of the FBI's Cyber Division said that the Biden administration is "troubled" by legislation proposed by the US Senate and House Homeland Security committees requiring a wide range of companies to report intrusions to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) but not simultaneously to the FBI.  "Current incident reporting legislation being considered fails to recognize the critical expertise and role that DOJ, including the FBI, play when it comes to cyber incident reporting," the FBI said in a statement for the record provided to the House Committee on Oversight and Reform.  "Cyber is the team sport, and the Department of Justice and the FBI are a key player.  It is time for legislation to reflect this reality," they stressed.  The Biden administration's stance now throws a last-minute wrench into a years-long effort to require key companies to disclose cyberattacks.

The House’s annual must-pass defense bill includes language requiring critical infrastructure operators and federal contractors to alert CISA if they are hacked.  Similar language is likely to make it into the Senate’s version of the bill.  The provision — the result of weeks of negotiations between the leaders of the Senate homeland security and intelligence panels — would represent the most sweeping cyber regulation ever imposed on the private sector.

One of the biggest problems facing government cyber defenders is their lack of insight into many of the digital attacks on private companies.  Unlike in some other countries, the US does not directly monitor or defend most critical private sector networks.  That means government agencies rely on companies to voluntarily disclose hacks so they can assemble a complete picture of the threat environment and develop security recommendations accordingly.

In the wake of high-profile ransomware attacks on Colonial Pipeline, the meat processing giant JBS and the IT software vendor Kaseya, Biden administration officials have been adamant that Congress should mandate cyber incident reporting for the nation’s most important companies.  “The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” the CISA Director told the Senate Homeland Security Committee last September.

While CISA leads what officials call the government’s “asset response” work by addressing specific vulnerabilities and helping victims upgrade their networks, the FBI oversees the “threat response” mission by identifying and deterring the hackers.  For that reason, the US Justice Department and FBI officials want rapid access to any incident reports.  “We urge Congress to create a national standard for reporting significant cyber incidents and to require that the reported information be shared immediately with the Justice Department,” the Attorney General said during a November 8th news conference announcing actions against ransomware gangs.

The administration’s call for simultaneous reporting to CISA and the FBI could derail efforts to slip the incident reporting language into the defense policy bill unless lawmakers quickly embrace the idea.

A NY congressperson (D-N.Y.), who chairs the House Homeland Security cyber subcommittee and was a lead sponsor of her chamber's reporting mandate, said she didn't favor changing the program.  "We took seriously the disparate, yet complementary, roles played by agencies across the federal government," she said. "But, ultimately, we believe that CISA ... should lead the federal government's cyber incident reporting program."

Spokespeople for the reporting legislation's other chief sponsors did not provide comments on the administration’s call for legislative changes.  It is also unclear whether the bureau’s position reflects any strain between the FBI and CISA, which have tried to form a close working relationship in the three years since CISA’s creation.  Also unclear is whether a mandatory reporting requirement to the FBI would trigger heated opposition from the private sector.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/3702558539639477516
