Legislators pushing for mandatory cyber incident reporting by critical infrastructure operations have received a boost from newly installed Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly and Chris Inglis, the inaugural White House national cyber director.
Any legislation involving cyber incident disclosures could influence how MSSPs, MSPs and MDR (managed detection and response) service providers work and communicate with their customers and the government.
At their nomination hearings both Easterly and Inglis made it clear that they support imposing minimum reporting standards on critical infrastructure outfits and private companies to notify the federal government of cyber incidents. A mandate of that sort would include MSSPs and their customers. There is no such reporting requirement right now on any type of entity.
“It seems to me that voluntary standards are not getting the job done and there probably is some sort of role for making some of these standards mandatory to include notification,” Easterly said. “I do think it’s important that when there’s a significant cyber incident that critical infrastructure companies have to notify the federal government, in particular CISA. We have to be able to warn other potential victims,” she said.
Inglis said that the nation must have confidence that “our critical services, our critical functions…will be delivered.” Considering that voluntary reporting and market forces are not propelling companies to report cyber incidents, “some imposition of standards or regulation on top of that, we begin to take steps in that direction,” he said. It’s not clear, however, how to “achieve the full flowering of innovation that we still need in the private sector while imposing an expectation of the standards that go with that to ensure that those critical services can and will be delivered even under duress,” Inglis said.
On information sharing between the public and private sector, Inglis said we need to create “common cause,” or a sense of “mutual advantage.” By sharing threat information at the “lowest possible level, not after we have a well-formed idea but to put people shoulder to shoulder…where they can co-discover and co-mitigate threats on the fly…” public/private relationships will prosper and become self-sustaining, he said.
Easterly and Inglis were recently sworn into their new positions, weeks after they were initially nominated. While the nominees were stuck in bureaucratic and political scuffling, Kaseya’s VSA cloud service was hit by a massive cyber attack, prompting some lawmakers to suggest that the slow-walking of both Senate confirmations is further evidence that the fight against the growing number and sophistication of cyber threats lacks the urgency it requires.
Among the attacks that U.S. lawmakers have been watching closely: the Kaseya VSA cyberattack on July 2, 2021. The REvil ransomware attack spread to roughly 50 MSPs and 1,500 downstream customers, and also left thousands of MSPs without remote monitoring and management (RMM) capabilities for more than a week.
Meanwhile, Senator Mark Warner (D-VA) has called on Congress to enact new legislation that would require private companies to report cyber attacks to the federal government. Warner, who chairs the Senate Intelligence Committee and serves as vice chair of the Senate Democratic Caucus, said the nation has regarded cybersecurity as an “after-thought” for too long.
“We have no actual system in place to make, whether it’s Colonial Pipeline or SolarWinds, or any other company, actually mandatorily report that information to the government in real time so that we can have a full-fledged response,” the former Virginia governor said. Warner adds another powerful voice to U.S. intelligence leaders who last month pressed Congressional lawmakers to require private industry to report security breaches and other threat information to the federal government. He has previously said his Committee is working on legislation that would mandate reporting of cyber threats.
“We need to put in place an entity that would include the government, the FBI, CISA [and] some of the web services–Amazon, Microsoft, the security firms out there. We need a real time reaction team, and unfortunately, we don’t have that right now,” he said.
Many enterprises back away from disclosing security lapses for competitive reasons, electing not to admit cyber vulnerabilities for fear of additional attacks and also to quell unease among shareholders and customers about a cyber breach.