Cybersecurity leaders back law for critical infrastructure

There is bipartisan support in the U.S. Senate for a law requiring critical infrastructure firms to report a cybersecurity incident.

Three top U.S. security officials are suggesting fines for non-compliance. Critical infrastructure firms cover a broad swath of the economy, including telecommunications, chemical, energy, financial services, healthcare and other industries.

Sen. Gary Peters, D-Mich., and Sen. Rob Portman, R-Ohio, are working on legislation requiring critical infrastructure companies hit by a significant cyberattack to report it to the Cybersecurity and Infrastructure Security Agency (CISA). No federal cyber incident reporting requirement exists, though most states have their own incident reporting requirements.

Peters said recent cybersecurity incidents such as SolarWinds and Colonial Pipeline, as well as the growing number of attacks against critical infrastructure facilities such as hospitals, water treatment plants and food processing facilities, are prompting the need for a national cyber incident reporting law. Peters announced the legislative proposal at the U.S. Senate Committee on Homeland Security and Governmental Affairs hearing this week.


The federal government needs to know when cyber incidents occur to determine if there are attack patterns as well as future targets, and to help seal vulnerabilities, Peters said.

“This information is especially vital when it comes to our nation’s critical infrastructure, 85% of which is privately owned and operated,” Peters said during the hearing. “Despite this vulnerability, there is no national requirement for all critical infrastructure owners and operators to report to the federal government when they have been hit with a significant attack, and that needs to change.”

Cybersecurity leaders weigh in

CISA Director Jen Easterly, a witness at the hearing, spoke in support of the reporting requirement.

Easterly said that without timely notification to CISA of a cybersecurity incident, critical analysis and information sharing are “severely delayed,” leaving critical infrastructure vulnerable. She said incident reporting should not be limited by incident type or sector affected.

The requirement should also provide enforcement mechanisms to drive compliance, such as fines — an idea supported by National Cyber Director Chris Inglis and Christopher DeRusha, federal chief information security officer at the Office of Management and Budget.

“Legislation should provide CISA with the flexibility to define the scope of requirements in consultation with our partners, including — importantly — DOJ and FBI, balancing the benefit of reporting against the burdens to industry and government,” Easterly said during the hearing.

Inglis, who also served as a witness at the hearing, said the information reported to CISA under a national cyber incident reporting law would help inform development of a national strategy for addressing and preventing cyberattacks.

“That information is useful to help us be more efficient and to prioritize our response in the moment,” Inglis said.

Along with a national cyber incident reporting law, Peters said senators are working to reform the Federal Information Security Modernization Act (FISMA), legislation passed in 2014 to update federal security practices.

“We need to pass updated legislation clarifying CISA’s role and responsibilities, improve how incidents on federal networks are being reported to Congress and ensure our own cybersecurity resources are aligned with emerging threats,” Peters said.

Also this week

  • In a memo to Federal Trade Commission commissioners and staff, Chair Lina Khan outlined a strategic approach for the agency, defined policy priorities and laid out operational objectives. Khan said a key project for the agency will be revising merger guidelines in conjunction with the Department of Justice. “We need to find ways to deter unlawful transactions,” Khan said in the memo. “The rate at which firms propose facially illegal deals heavily strains agency resources and compromises our ability to investigate significant mergers … identifying ways to reduce the agency resources and burden associated with investigating and filing lawsuits against unlawful mergers will be important as we look for ways to turn the page.”
  • Apple won’t let Epic Games’ popular Fortnite back into the App Store until the court appeals process is complete. Epic Games CEO Tim Sweeney posted a series of tweets regarding Apple’s decision not to reinstate Fortnite, including an email from an Apple legal representative. “Apple spent a year telling the world, the court and the press they’d ‘welcome Epic’s return to the App Store if they agree to play by the same rules as everyone else.’ Epic agreed, and now Apple has reneged in another abuse of its monopoly power over a billion users,” Sweeney tweeted.

Makenzie Holland is a news writer covering big tech and federal regulation. Prior to joining TechTarget, she was a general reporter for the Wilmington StarNews and a crime and education reporter at the Wabash Plain Dealer.