CISA chief floats fines to compel threat info sharing
Cybersecurity and Infrastructure Security Agency Director Jen Easterly told lawmakers that fines may help enable disclosure compliance and enforcement.
To ensure cyberattack victims in critical infrastructure sectors share timely information on threats, the Biden administration is increasingly looking for ways to compel disclosure. While the executive branch can authorize such requirements for federal contractors and certain regulated industries, a wide ranging breach disclosure mandate would need legislation.
So far efforts to craft a federal standard to replace the more than 50 state-based and territorial disclosure laws have failed to gain traction, but that could change in the wake of well-publicized breaches like the Colonial Pipeline ransomware attack.
At a Sept. 23 hearing of the Senate Homeland Security and Government Affairs Committee, Cybersecurity and Infrastructure Security Agency Director Jen Easterly stressed the importance of threat information sharing.
"It's long past time to get cyber incident reporting legislation out there," CISA Director Jen Easterly told lawmakers on the committee. "It's very important for us to both be able to render assistance to any entity that suffers an attack, but to be able to analyze that information and to share it more widely, because we know that in today's world, everything is connected, everything is interdependent, and thus everything is vulnerable."
Easterly said in her testimony that any legislation will need some way to get private companies to cooperate with disclosure requirements in the heat of an ongoing attack.
"I do think a compliance and enforcement mechanism is very important here. I know some of the language talks about subpoena authority. My personal view is that is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors. So I think that we should look at fines…. I just came from four and a half years in the financial services sector where fines are a mechanism that enable compliance and enforcement."
Easterly also spoke to the importance of establishing CISA as the "operational lead" in federal cybersecurity as part of any update of the Federal Information Systems Modernization Act, while also "holding departments and agencies specifically accountable for the investments that they make in their cybersecurity teams," adding that, "we need to move from this compliance and box checking to true operational risk management."
This article was first posted to FCW, a sibling site to Defense Systems.