Senior cyber officials back new, mandatory reporting of breaches

Two of the U.S. government’s top cybersecurity officials on Thursday endorsed the idea of new legislation that would mandate certain private sector companies report when they have been hacked.

“We absolutely agree it's long past time to get cyber incident reporting legislation out there,” Cybersecurity and Infrastructure Security Agency chief Jen Easterly said during a Senate Homeland Security Committee hearing.

She noted her agency’s “superpower” is to share information, enabling it to protect other potential victims, and that the delivery of additional, timely data would prove “critical to help us raise the baseline and protect the cyber ecosystem.”

National Cyber Director Chris Inglis “wholeheartedly” backed Easterly’s comments, adding such information would be “profoundly useful” to crafting digital strategies, improving responses to intrusions and determining how best to spend federal dollars to prevent future attacks.

Their remarks add to the growing chorus of officials who have voiced support for the first new requirements for industry in several years following the high-profile breaches of software vendors SolarWinds and Kaseya and ransomware attacks on the Colonial Pipeline and meat processing giant JBS.

However, figuring out what the new mandates would look like has become something of a jump ball, with multiple proposals circulating on Capitol Hill

In July, members of the Senate Intelligence Committee and others unveiled legislation that would, among other things, institute a 24-hour turnaround for companies to submit an incident report to the government. 

Since then, the House Homeland Security Committee put forward a draft bipartisan bill that is perceived to be more friendly to industry. It would give CISA 270 days to publish interim rules describing what companies must report incidents and what kinds of incidents should be flagged, as well as what information should be shared. It would also provide a 72-hour window to report a breach.

Meanwhile, Senate Homeland leaders Gary Peters (D-Mich.) and Rob Portman (R-Ohio) are working on legislation that mirrors the House bill and would require critical infrastructure companies that experience incidents, and other entities that make ransomware payments, to report.

Both Easterely and Inglis supported fines for non-compliance rather than subpoena power to make sure companies follow the law. Easterly said subpoena power isn't “agile enough” to share information rapidly or prevent harm to other victims.

She urged lawmakers to give CISA flexibility in any legislation to define what the new incident reporting mandates look like.

“What we don't want is to have CISA overburdened with erroneous reporting,” she said. “And we don't want to burden a company under duress when they're trying to actually manage a live incident … Erroneous noise is not what we need. We need signal.”

Portman said he “couldn’t agree more” with Easterly’s assessment.

“It's a balance, and we'll try to achieve that balance but also provide some discretion so that we get it right,” he said.