[BreachExchange] FBI left out of the loop in cyberattack reporting bill

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Tue Nov 16 15:23:29 EST 2021


https://www.yahoo.com/news/fbi-left-loop-cyberattack-reporting-165526416.html

The FBI could be sidelined in new cybersecurity legislation, a top Bureau
official told lawmakers Tuesday. And, in the view of America’s most
powerful law enforcement agency, that would be a big problem.

In testimony to Congress, Bryan Vorndran, the assistant director of the
FBI’s Cyber Division, said that the Biden administration is “troubled” by
legislation proposed by the Senate and House Homeland Security committees
requiring a wide range of companies to report intrusions to the Department
of Homeland Security’s Cybersecurity and Infrastructure Security Agency but
not simultaneously to the FBI.

“Current incident reporting legislation being considered fails to recognize
the critical expertise and role that DOJ, including the FBI, play when it
comes to cyber incident reporting,” Vorndran said in a statement for the
record provided to the House Committee on Oversight and Reform.

“Cyber is the team sport, and the Department of Justice and the FBI are a
key player,” Vorndran continued. “It is time for legislation to reflect
this reality.”

The Biden administration’s stance throws a last-minute wrench into a
yearslong effort to require key companies to disclose cyberattacks.

The House’s annual must-pass defense bill includes language requiring
critical infrastructure operators and federal contractors to alert CISA if
they are hacked. Similar language is likely to make it into the Senate’s
version of the bill. The provision — the result of weeks of negotiations
between the leaders of the Senate homeland security and intelligence panels
— would represent the most sweeping cyber regulation ever imposed on the
private sector.

One of the biggest problems facing government cyber defenders is their lack
of insight into many of the digital attacks on private companies. Unlike in
some other countries, the U.S. does not directly monitor or defend most
critical private sector networks. That means government agencies rely on
companies to voluntarily disclose hacks so they can assemble a complete
picture of the threat environment and develop security recommendations
accordingly.

In the wake of high-profile ransomware attacks on Colonial Pipeline, the
meat processing giant JBS and the IT software vendor Kaseya, Biden
administration officials have been adamant that Congress should mandate
cyber incident reporting for the nation’s most important companies.

“The earlier that CISA, the federal lead for asset response, receives
information about a cyber incident, the faster we can conduct urgent
analysis and share information to protect other potential victims,” CISA
Director Jen Easterly told the Senate Homeland Security Committee in
September.

But while CISA leads what officials call the government’s “asset response
work” by addressing specific vulnerabilities and helping victims upgrade
their networks, the FBI oversees the “threat response” mission by
identifying and deterring the hackers. For that reason, Justice Department
and FBI officials want rapid access to any incident reports.

“We urge Congress to create a national standard for reporting significant
cyber incidents and to require that the reported information be shared
immediately with the Justice Department,” Attorney General Merrick Garland
said during a Nov. 8 news conference announcing actions against ransomware
gangs.

Lisa Monaco, the deputy attorney general, also called for mandatory
reporting in an Oct. 6 CNBC op-ed.

The administration’s call for simultaneous reporting to CISA and the FBI
could derail efforts to slip the incident reporting language into the
defense policy bill unless lawmakers quickly embrace the idea. Spokespeople
for the Homeland Security committees’ leaders did not immediately provide
comments on the administration’s call for legislative changes.

It is also unclear whether the bureau’s position reflects any strain
between the FBI and CISA, which have tried to form a close working
relationship in the three years since CISA’s creation.

Also unclear: whether a mandatory reporting requirement to the FBI would
trigger heated opposition from the private sector.