HSGAC Leaders File Cyber Package, Look to Senate Vehicle
Senators will try to attach mandatory cyber incident reporting language to must-pass legislation or other vehicles in the near future, Senate Homeland Security Committee Chairman Gary Peters, D-Mich., told us Tuesday.
Peters and ranking member Rob Portman, R-Ohio, failed to attach language to the National Defense Authorization Act in 2021 due to last-minute squabbling over provisions (see 2112130062). On Tuesday, they introduced a cyber package that includes mandatory cyber incident reporting and ransomware payment reporting requirements. It combines the Cyber Incident Reporting Act, the Federal Information Security Modernization Act and the Federal Secure Cloud Improvement and Jobs Act. Critical infrastructure entities would have to report to the Cybersecurity and Infrastructure Security Agency within “72 hours if they are experiencing a substantial cyberattack, and within 24 hours if they make a ransomware payment.”
“We believe it’s important that [the bills] get passed as quickly as possible, particularly given what’s happening in Ukraine” and the potential for Russian retaliatory action against U.S. aid, Peters told us. “Whatever we can provide, we should be helping” Ukraine. Cyber is Russia’s “first line of attack,” he said.
Hopefully Congress can “speak with one voice” in pushing for sanctions and military assistance in helping Ukraine against cyberattacks and disinformation, Portman told us. The committee explored vulnerabilities of the Apache Log4j software library at Tuesday’s hearing. Peters called the vulnerability “one of the most serious and widespread cybersecurity risks,” after a briefing from CISA Director Jen Easterly and National Cyber Director Chris Inglis.
Peters and Portman acknowledged the benefits of open-source software but said there should be comprehensive procedures in place for something that underpins much of modern software. Log4j is particularly troublesome because it’s contained in “so many places,” and it’s easy to exploit, said Portman. Reporting legislation will help enable visibility into attacks like Log4j, he said.
Companies reap “massive benefits” from open source software without contributing to development or maintenance of software products, said Sen. Alex Padilla, D-Calif. He questioned whether industry as a whole is doing enough to maintain an open source ecosystem. Witnesses agreed open-source software has more benefits than harms, despite some companies freeloading. Open-source coding spurs competition from those accessing the information, said Cisco Systems Senior Vice President Brad Arkin. The mission is accomplished when open-source software is used broadly, which spurs other industry entities to contribute, said Apache Software Foundation President David Nalley. Palo Alto Networks Deputy Director-Threat Intelligence Jen Miller-Osborn urged a shift to zero-trust architecture, where system compromise is assumed at a “base level.” Government entities and critical infrastructure are under attack right now in Ukraine, she said.
Portman said there should be concern about Russian retaliatory action. Despite reports Russia is using Log4j against Ukraine and against U.S. support, there’s no way to know for sure because there's no comprehensive reporting, said Peters. There’s a “real policy benefit” from incident reporting legislation, said Miller-Osborn. The legislation would add to CISA’s ability to identify long-term trends, said Atlantic Council Cyber Statecraft Initiative Director Trey Herr.