U.S. Cyber Agency Hopes to Avoid the ‘Regulator’ Label

The U.S. cyber agency wants to avoid the R-word.

“We’re not a regulator,” Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said last week at a conference hosted by cybersecurity company Mandiant Inc. “We don’t want to be a regulator.”

Legislation in Congress could push CISA into such a role by giving the agency power to write rules forcing companies to report hacks, subpoena them for information and potentially fine noncompliant firms, businesses say.

Lobbyists warn a strict law risks tainting CISA’s relationships with businesses that operate most critical infrastructure and could slow the agency’s push for cloud providers, telecom companies and other firms to voluntarily share more data about cyber threats.

“You change the process more akin to a parent-child relationship, where you have the regulator and regulated entity,” said Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, a trade association of broadband providers. Companies fearing legal or financial blowback would be more cautious about divulging information by choice, he said.

Still, a CISA official said mandatory reporting could complement the agency’s voluntary programs by giving it more data about vulnerabilities and hacking campaigns seen across public- and private-sector computer networks.

If companies are forced to report hacks, “We will have so much more analytic, technical information that we are able to anonymize and disseminate to help organizations protect themselves,” said Eric Goldstein, CISA’s executive assistant director for cybersecurity.

The debate over what exactly CISA should and shouldn’t be doing previews longer-term questions for the agency as the Biden administration and some lawmakers push to expand cyber requirements across the U.S. economy, according to security experts, congressional aides and industry groups.

The decadelong push for hack-reporting rules gained steam in Congress this year after a string of disruptive hacks, including the breach of companies and federal agencies through a compromised software update from SolarWinds Corp.

U.S. officials learned of the Russian spying campaign, which the Kremlin denies, because it was voluntarily reported by Mandiant, previously called FireEye.

The uptick in cyberattacks has led some businesses to support requirements to report hacks, saying that digitized businesses and interconnected supply chains make such transparency crucial.

From left, Kevin Mandia of Mandiant, Sudhakar Ramakrishna of SolarWinds and Brad Smith of Microsoft told a Senate committee hearing in February that they supported confidential cyberattack reporting requirements. (Photo: Demetrius Freeman/Press Pool)

Accepting that rules are likely coming, companies have urged officials to narrow hack-reporting proposals, giving CISA leeway to define which firms would be covered by rules and what types of information they would have to share under confidentiality and liability protections.

Two bills advancing on Capitol Hill call for a 72-hour time frame for companies to report hacks, allowing CISA to subpoena noncompliant firms but giving it no power to impose penalties. A third proposal, co-sponsored by Sen. Mark Warner (D., Va.), would impose a 24-hour deadline and the threat of fines by CISA.

Ms. Easterly told Senate lawmakers last month that potential penalties would be key for enforcement. A CISA spokeswoman didn’t respond to a request for comment on how that squares with the agency’s distaste for a regulatory role.

Mr. Warner, meanwhile, has grown wary of harming CISA’s rapport with industry, a spokeswoman said. The senator’s office is examining proposed reporting timelines and other potential enforcement mechanisms, she added.

“We don’t want to turn CISA into some kind of regulatory or enforcement entity,” Mr. Warner said last month at an event hosted by Amazon.com Inc.’s cloud division, Amazon Web Services.

CISA already requires high-risk chemical facilities to report significant cybersecurity incidents. The agency played an advisory role during the preparation this summer of the Transportation Security Administration’s cyber regulations for the pipeline sector, according to the Department of Homeland Security, the parent organization of both CISA and TSA.

CISA advised TSA on cybersecurity mandates for the pipeline sector after a ransomware attack on Colonial Pipeline in May led to gas shortages. (Photo: Kevin Lamarque/Reuters)

Mr. Goldstein declined to comment on whether CISA contributed to new cyber rules for the rail and airline sectors announced by DHS last week, adding that the agency provides expertise across the public and private sectors.

Some companies fear stringent reporting standards could complicate their ability to respond to hacks. Phil Venables, chief information security officer for the cloud division at Alphabet Inc.’s Google, said threats that appear to be major at first glance often turn out to be nothing.

“At one level, you want to encourage [disclosures],” he said. “But at another level, you don’t want to create a regime that harms companies’ ability to respond to incidents.”

To help fight cyber threats, CISA in August launched the Joint Cyber Defense Collaborative, an information-sharing partnership with companies including Microsoft Corp., Amazon and Google.

The goal of the program is to exchange data about vulnerabilities and hacking campaigns at “an operational tempo,” Mr. Venables said. Some previous attempts to share information have been ineffective, companies say, because they haven’t kept up with fast-moving cyber threats.

The new partnership launched focusing on ransomware and hacks of cloud-service providers, but CISA hopes to expand the program to two other focus areas by the end of the year, Mr. Goldstein said. He declined to name the next two “sprints” but said they would include additional companies.

CISA plans to open a dedicated facility for the partnership and is building out technological tools for quicker communication, Mr. Goldstein said.

Write to David Uberti at david.uberti@wsj.com

Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.
