The need for legislation requiring companies to report cybersecurity incidents to the government is obvious, but it should be tweaked to explicitly include the FBI, according to officials from the law enforcement agency.
Last year the House passed incident reporting legislation that would require reports to the Cybersecurity and Infrastructure Security Agency 72 hours after an incident, but corresponding legislation failed to make it into the annual “must-pass” National Defense Authorization Act. The FBI expressed concern with some of the language in the bill but lawmakers said it was mostly just a matter of running out of time on the clock to clear the provisions with all the relevant committees of jurisdiction.
“There seems to be a misunderstanding that the FBI specifically is looking for a dual seal program with the legislation meaning that companies would have to report to both CISA and the FBI and that isn’t true,” said Bryan Vorndran, assistant director of the FBI’s cyber division. “What the Department of Justice and FBI [are] looking for is legislation that includes language about the FBI having real-time and unfiltered access to incident information that is reported to CISA. It can likely be accomplished by a few words or a sentence in proposed legislation.”
Vorndran spoke Thursday along with Robert Silvers, under secretary for policy at the Department of Homeland Security and key members of Congress during an event hosted by the Silverado Policy Accelerator, a think tank co-founded by Dmitri Alperovitch, former chief technology officer for the cybersecurity firm Crowdstrike.
The bipartisan legislation is being pursued by leading cybersecurity officials across the government for the insights it would provide into cyber threats and its utility for reducing the impact of attacks on critical infrastructure.
“It’s hard to overestimate what a game changer it will be in terms of giving the government visibility into the threat landscape,” Silvers said. “In terms of responding to particular incidents, we need it and in terms of developing trend analysis and understanding what we’re looking at big-picture, we need it too in fields like ransomware and other emerging threats. So it’s just critical and it’s a huge priority.”
He said CISA would share reports with the FBI and other relevant agencies regardless of what Congress ends up passing.
“There is just no question … we are going to share the reports immediately with the FBI and with other federal agencies that have a need to know,” he said. “We stand shoulder to shoulder with the FBI. The FBI is just indispensable when it comes to investigating the threats, so that information is going to be shared immediately in the implementation regardless of how an ultimate bill is cut.”
Reps. Yvette Clarke, D-N.Y., chair of the Homeland Security Committee’s panel on cybersecurity, and John Katko, R-N.Y., ranking member of the Homeland Security Committee, were both optimistic about being able to find a legislative path for passing the bill this year.
“This legislation is a top priority for Congress, the administration and even many in industry,” Clarke said. “With so much momentum on our side, I’m confident that we’ll find a vehicle to move this legislation and get it to the president’s desk this year.”
Speaking at a separate event Thursday hosted by the Washington Post, Tonya Ugoretz, deputy assistant director for the FBI’s cyber readiness, outreach and intelligence branch, said the private sector, specifically, wants the FBI to be included in the incident reporting legislation.
Justice has been able to make a strong case for reporting to the FBI bolstered by the bureau’s retrieval of millions of dollars worth of Bitcoin Colonial Pipeline paid to hackers last year during an attack that caused multiple states to declare emergencies due to a panic at the pump that led to fuel shortages along the East coast.
“We, already because of the draft legislation …, had partner companies coming up to us saying, ‘Well, what does this mean? We’re going to report to this new reporting entity, but if it doesn’t say that FBI is also going to receive the information, we want you to receive the information, so do we still have to report to you separately? How are we going to know that you’re receiving this information if it doesn’t say that in the legislation?’” she said. “One of the goals of all of this is to reduce confusion by the private sector. So we think, literally, just a few words, in addition to the draft legislation will make that difference.”