Senators Debate Cyber Rules for US Critical Infrastructure
CISA's Jen Easterly and National Cyber Director Chris Inglis Support Updates
As the U.S. Senate Homeland Security and Government Affairs Committee considers new cyber rules and guidelines for the nation's critical infrastructure, lawmakers heard expert testimony Thursday in favor of expanding and strengthening some regulations, including updating the 2014 Federal Information Security Modernization Act.
As part of the debate over these new rules, the Homeland Security Committee heard testimony from Cybersecurity and Infrastructure Security Agency Director Jen Easterly, National Cyber Director John "Chris" Inglis and Federal CISO Christopher DeRusha.
The Senate committee is currently considering several new bills that are now being drafted by Sen. Gary Peters, D-Mich., the committee chairman, and Sen. Rob Portman, R-Ohio, the ranking member. The legislation includes a bill that would require the owners and operators of critical infrastructure to report cyber incidents to the federal government as well as updates to the Federal Information Security Modernization Act, which is also known as FISMA.
None of these bills have been formally introduced.
During his opening comments, Peters noted that a rash of recent nation-state and ransomware attacks against critical infrastructure, including the incidents involving SolarWinds and Colonial Pipeline Co., shows the need for a nationwide reporting standard for the operators of these facilities so that CISA can better understand and respond to cyberthreats.
"The legislation that we plan to introduce would require critical infrastructure companies that experience cyber incidents and other entities that make ransomware payments to report this information to CISA," Peters said. "This requirement will ensure CISA and other federal officials have better situational awareness of ongoing cybersecurity threats, who those targets are, how the adversary is operating and how best to protect the nation."
Peters also noted that FISMA has not been updated since Congress passed the law in 2014 and that technologies and cyberthreats have evolved rapidly since then. Additions to the law should include codifying the role CISA plays in responding to attacks as well as how incidents that affect federal networks are reported.
Portman noted that a Senate report released in August found that at least seven executive branch agencies and departments were not meeting the cybersecurity requirements outlined in FISMA and that improvements are needed as attacks become more destructive and sophisticated (see: Report: 7 Federal Agencies Still Lack Basic Cybersecurity).
"In the nearly seven years since FISMA was last updated in 2014, agencies still have the same vulnerabilities year after year. Accountability is a critical aspect of any strategy," Portman said.
During Thursday's hearing, both Inglis and Easterly endorsed the notion of creating new legislation that would require the owners and operators of critical infrastructure to report serious and significant incidents to the federal government, especially to CISA.
"What we could do with this information is not only render assistance to the victim and help them remediate and recover from the attack, but we can use that information in order to analyze it and share it broadly," Easterly testified.
Inglis, who has given several recent talks about the importance of developing resilient systems that can withstand and recover from these types of attacks, echoed Easterly's point (see: National Cyber Director Chris Inglis Focusing on Resiliency).
"I do believe that information would be profoundly useful for the determination of an appropriate strategy," Inglis said. "That information is useful to help us be more efficient and to prioritize the response, to inform investments that we should make to get left of the event and to prevent these from happening in the future."
Both Inglis and Easterly noted that on the specifics of the legislation, they would rather Congress include language that would levy fines against those critical infrastructure operators that do not comply rather than give additional subpoena power to CISA.
"I think a compliance and enforcement mechanism is very important here. I know some of the language talks about subpoena authority," Easterly said. "My personal view is: That is not an agile enough mechanism to allow us to get the information that we need and to share it as rapidly as possible to prevent other potential victims from threat actors. So I think that we should look at fines."
In terms of updating FISMA, Easterly told senators that her three priorities for a revamp of the law would be to codify CISA's role as the main civilian agency when it comes to responding to cyber incidents, hold federal agencies and departments responsible for their cyber response, and create a cyber compliance model.
Easterly also wants to give companies and federal agencies enough time to assess what is happening and whether their networks are under a potentially damaging attack before they must report. This would also keep CISA from being inundated with reports that turn out not to be relevant.
"What we don't want is to have CISA overburdened with erroneous reporting, and we don't want to burden a company that is under duress when they're trying to actually manage a live incident. That's why I think the rulemaking process should be consultative with industry and it will really be important to getting this right," Easterly said.
Besides the proposals that Peters and Portman are working on, several other lawmakers have put forth their breach notification bills in response to recent cyber incidents. Members of the Senate Intelligence Committee have released their own bill that would require targeted companies to report incidents within 24 hours (see: Senators Introduce Federal Breach Notification Bill).
A similar bill in the House, which has backing from private industry groups, would require victims to report incidents to CISA within 72 hours (see: House Debates Breach Notification Measure).
Many other national breach notification bills, which would have applied to a broader range of organizations, have failed to advance in Congress over the last several years.
In addition to testimony from Easterly and Inglis about pending legislation, senators heard from DeRusha about the federal government's efforts to implement "zero trust" architectures across networks, which could help reduce the types of attacks that have spurred these types of breach notification bills.
The adoption of zero trust throughout the federal government is one of the main cybersecurity developments outlined in President Joe Biden's executive order (see: White House Pushing Federal Agencies Toward 'Zero Trust').
"Our strategy requires agencies to adopt known, trusted technologies and practices that make it harder for even sophisticated actors to compromise an organization," DeRusha testified. "We also recognize that some areas of zero trust are too complex to address through prescriptive technical requirements. In these areas, the federal government will continue to find flexible and innovative solutions to overcome practical and technical hurdles."