Communications Litigation Today was a Warren News publication.
Thompson Pushes Legislation

Easterly Wants Cyber Reporting; Industry Skeptical

The private sector should report major cyber incidents to the federal government, despite many company owners considering it a waste of time, Cybersecurity and Infrastructure Security Agency Director Jen Easterly told the House Homeland Security Committee Wednesday.

The waste claim is a “prevalent attitude” in the business sector, said Rep. Jake LaTurner (R). He met with a constituent in Kansas this week who was the victim of a recent ransomware attack. Lawyers and technical experts told the company it would be a “waste of time” to report to the government, said LaTurner. Hackers demanded $900,000, and the company paid $600,000, said LaTurner. It was losing $2 million daily.

Easterly said she’s aware many in industry don’t see the utility in reporting, but CISA can provide the information needed to protect others from similar attacks. The agency is making progress toward ensuring there are fewer attacks like the one against Colonial Pipeline (see 2110060077), she said. National Cyber Director Chris Inglis agreed, saying it’s the federal government’s job to prevent such future events: If officials know about the attacks, they can act to mitigate them.

Chairman Bennie Thompson, D-Miss., said he’s optimistic the House will pass bipartisan mandatory cyber reporting legislation (see 2110010045). Like the Senate, he’s open to attaching the bill to the National Defense Authorization Act. “We’ll attach it to anything that’s moving,” he told us. “If we get traction [with the NDAA], that’s good. I think we’ll get there. Whether it will be freestanding or attached to anything remains to be seen.”

Ranking member John Katko, R-N.Y., said during the hearing he’s pleased to partner with Thompson and other sponsors. Reporting will be an important tool for CISA, not a “silver bullet,” he said. He noted many in business say information is given to CISA and little value comes back.

CISA ordered almost all federal agencies to patch some 300 cybersecurity vulnerabilities within six months. The binding operational directive is an effort to “remediate vulnerabilities that are being actively exploited by known adversaries.” CISA established a catalog of relevant vulnerabilities that will be updated “regularly.” The agency is trying to lead by example so the private sector practices basic cyber hygiene, said Easterly. Wednesday’s mandate is “groundbreaking,” giving timelines to agencies to remediate “specific vulnerabilities,” she said.

Rep. Ritchie Torres, D-N.Y., asked why the Biden administration isn’t universally mandating basic cyber hygiene standards like multifactor authentication, software updates and third-party assessments. Easterly noted the administration has begun mandating such measures within the federal government, per President Joe Biden’s cyber executive order. She hopes this, too, is a signal for the private sector. Signaling is different from mandating, and the government needs to govern, not react, said Torres.

Thompson asked Easterly and Inglis if they have the authority and resources to carry out their missions. Inglis said his office has sufficient authority and resources to “make the difference that’s expected” and will continue to reassess. Easterly said her agency could use a more streamlined process for filling vacancies. It takes too long to hire government employees, she told the committee, noting her five years at Morgan Stanley.

Easterly welcomed new CISA authority included in last year’s NDAA. The agency can now subpoena ISPs to obtain contact information to identify critical infrastructure operators, noted Rep. Mariannette Miller-Meeks, R-Iowa. Easterly called it a “really important authority.” She told Miller-Meeks the agency has issued some 35 subpoenas, resulting in closing known vulnerabilities.