After a surprising failure to get mandatory cyber incident reporting included in the fiscal year (FY) 2022 National Defense Authorization Act (NDAA), Rep. Yvette Clarke, D-N.Y., and John Katko, R-N.Y., called the issue a top cybersecurity legislative priority for 2022.
The goal was shared by the FBI’s Cyber Division Assistant Director Bryan Vorndran and Department of Homeland Security’s Under Secretary for Policy Rob Silvers, who each expressed their support for the effort at a Silverado Policy Accelerator webinar on Jan. 13.
“The past year has taught or reinforced three lessons that I think should inform our work as policymakers,” Clarke said. “First, we will never be able to prevent all cyber attacks, but we can limit their impact. We must rapidly report and share information about cyber incidents that stop malicious cyber campaigns in their tracks and then focus on building resiliency. Second, we cannot take the security of our network devices or software for granted. We must adopt zero trust policies to secure our networks and rigorously and continuously vet the security of our devices and software.
“And then finally, government alone can address cybersecurity challenges we face. It is critical that we look at making sure that all we have accomplished in terms of making sure that there’s an appropriate role for everyone from the Federal government and big businesses to small companies and individuals.”
“My priorities for the remainder of the 117 Congress are to get Cyber Incident Reporting legislation across the finish line and continue oversight of the implementation of executive order 14028 to ensure that Federal security efforts are resulting in security gains.”
Clarke, who chairs the House Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, and Katko, ranking member on the House Homeland Security Committee, co-sponsored the Cyber Incident Reporting for Critical Infrastructure Act of 2021, an effort that would require critical infrastructure owners and operators to report any cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency’s Cyber Incident Review Office within 72 hours.
Katko sees incident reporting as a major way to help continue increasing collaboration amongst the Federal government.
“We’re already working very, very well together amongst the Federal agencies, in my opinion, so this incident reporting is really kind of the last piece to really turbocharge that effort,” Katko said. “And that’s why this piece of legislation is so important.”
Vorndran expressed his and the FBI’s support for the legislation and sought to clarify a misunderstanding about the agency’s position.
“It’s a tough town and to get things done, and we at the FBI applaud the work done by those on current Cyber Incident Reporting legislation,” Vorndran said. “There seems to be a misunderstanding that the FBI specifically is looking for a dual-seal program with the legislation, meaning that companies would have to report to both CISA and the FBI, and that isn’t true. What the Department of Justice and FBI are looking for is legislation that includes language about the FBI having real-time and unfiltered access to instant information that is reported to CISA and can likely be accomplished by a few words or a sentence in [the] proposed legislation.”
Vorndran said the request is due to the decentralized nature of the FBI’s cyber workforce and that real-time access would allow the agency to put a cyber-trained agent on an organization’s doorstep within an hour to help respond to a cyber incident.
The legislation also has significant support within the DHS, as Silvers called incident reporting their top cyber legislative priority for the year, calling the legislation a potential game-changer for the Federal cyber landscape.
“Cyber Incident Reporting legislation is our top legislative priority in cybersecurity for 2022,” Silvers said. “We were disappointed it didn’t make it into the NDAA, but we are very optimistic about the really strong bipartisan support behind that kind of legislation. And so, we’re… working together with Congress, and hopefully, we’ll get that through very soon through a different vehicle.”
“It’s hard to overestimate what a game-changer it will be in terms of giving the government visibility into the threat landscape,” Silvers added. “I mean, you cannot defend what you cannot see. And in terms of responding to particular incidents, we need it.”
Katko stressed the bipartisan support for the bill and called for continued public pressure to keep legislators’ feet to the fire on the effort.
“I could give a darn whether [Clarke’s] a Republican or Democrat, I think she feels the same about me. Nobody here cares about which agency they’re working for. We are all on the same page, and we just know what we need to do to make things better collectively,” Katko added. “And incident reporting is a huge part of that and going forward. I’m fairly confident we’ll get across the finish line this year, but all of you out there. I strongly encourage you to continue to make a lot of noise regarding this because the more noise you make, the more likely action will occur.”
