Momentum grows behind legislation to protect infrastructure from ransomware and cyberattacks

The recent surge in cyberattacks has triggered a blame game between private industry and federal agencies over who is really responsible for ensuring such incidents do not cripple critical infrastructure for things like supplying fuel, electricity and water, and cause massive damage to the economy.

In particular, the Colonial Pipeline ransomware attack, which stopped the flow of gasoline in the Southeast for more than a week in May, highlighted a years-long debate over whether private companies should be required to notify the government if their computer systems have been breached by hackers.

Private industry has long lobbied against such requirements for a variety of reasons, from a desire to limit government intrusion into proprietary data to concerns about the reputational damage a business can suffer when hacking incidents attract media attention.

But such concerns are increasingly being relegated to the background amid growing public awareness of the threat of hacking, as well as a growing consensus among cyber experts that more aggressive cooperation between the private sector and federal agencies such as the FBI and the Department of Homeland Security is necessary to prevent a future apocalyptic cyber-incident.

Sources on Capitol Hill say bipartisan momentum is building behind calls for the establishment of a so-called “mandatory reporting” law, as well as for legislation to broaden government authority in hacking investigations and to raise the penalties federal courts can impose on people convicted of cybercrimes.

Industry insiders say the era in which private companies could keep quiet when attacked by hackers, regardless of whether a given company’s computer systems and employees were equipped to protect themselves from attack or woefully unprepared to deal with it, must come to an end.

“A government task force should be created that should require private companies at all levels working on critical infrastructure to call in and report if they have been hacked,” says Regine Bonneau, founder and CEO of RB Advisory, a Florida-based company that helps companies in a variety of industries develop cyber risk management solutions.

Without such a requirement, the current environment surrounding cyberattacks is one of “chaos,” Bonneau told The Washington Times.

“We are in chaos right now, because we are more reactive than proactive,” she said, adding that “at this time the government does not know the extent of the ransomware attacks that are occurring against private sector companies, or the extent to which these attacks are affecting those companies.”

Other experts say that the Colonial Pipeline attack and last year’s SolarWinds hack, both attributed to Russian-backed cybercriminals, have triggered a tipping point at which the once rigid wall between the cyber activities of private companies and US government agencies has started to break down.

“This is an idea that has suddenly taken Washington by storm, that if your company has a serious incident, you should report it to the government,” says Stewart Baker, former general counsel for the National Security Agency (NSA) and former Department of Homeland Security policy chief, who now practices technology law at the private law firm Steptoe & Johnson.

“But it hasn’t been adopted across the board at the moment,” Baker, who hosts the weekly Steptoe Cyberlaw podcast, told The Times, adding that while “the industry is very cautious about sharing anything with the government… that is collapsing in the face of the kind of crisis we’ve had recently, mainly related to ransomware.”

Sen. Susan Collins, R-Maine, has been circulating legislation for nearly a decade aimed at facilitating greater communication between private companies and federal agencies about cyberattacks. But the effort has not previously seen the bipartisan momentum it has now.

A major cybersecurity bill that Ms. Collins and former Connecticut Independent Senator Joe Lieberman introduced in 2012 was blocked by more conservative and business-friendly Republicans for fear the legislation would have opened the floodgates for new government regulations and higher costs for private companies by requiring them to comply with bureaucracy-laden cybersecurity standards.

The new urgency surrounding ransomware attacks appears to have lessened such concerns, and centrist lawmakers from both parties are now circulating legislation that goes far beyond what was proposed in 2012, both in terms of the standards industry would need to meet and in terms of requirements for companies to report hacking incidents and open their networks to federal investigators.

A bill introduced in mid-July by Senator Mark Warner, Democrat of Virginia, and co-sponsored by Ms. Collins and Senator Marco Rubio, Republican of Florida, would require all federal contractors, as well as private owners or operators of critical infrastructure and non-governmental entities that provide cybersecurity incident response services, to alert the government if they have experienced a cyberattack of any kind.

The legislation is broad in the sense that it refers to the Critical Infrastructure Protection Act of 2001, which defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

The bill would require companies to report hacking incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security, within 24 hours of the incident. The agency itself would be required to submit a report to Congress annually, “in classified form if necessary,” describing the landscape of attacks that affect critical infrastructure companies during a given year.

Such changes would amount to a revamp of CISA, which is considered by some to be the agency most responsible for communicating with the private sector. CISA has been without Senate-confirmed leadership since last year, when former President Trump fired its director, Christopher Krebs, after the agency issued a statement questioning Trump’s allegations of fraud in the 2020 presidential election.

President Biden nominated Jen Easterly, former director of the NSA’s counterterrorism center, to head CISA, but her nomination has yet to be confirmed by the Senate.

While it remains to be seen whether more conservative Republicans will back the requirement that companies report cyberattacks to the government, there are signs that many in the Republican Party are motivated to adopt some form of aggressive cyber legislation. In mid-June, Senators Lindsey Graham, Republican of South Carolina, and Thom Tillis, Republican of North Carolina, reintroduced a 2018 bill, with the support of Democratic Senators Richard Blumenthal of Connecticut and Sheldon Whitehouse of Rhode Island, that aims to expand government authority in hacking investigations.

Lawmakers said in a statement that their International Cybercrime Prevention Act would give federal investigators more power to seize property from suspected hackers and make it easier to counter and disrupt so-called “botnets,” networks of malware-infected computers used in cyberattacks. The bill would also “create a new criminal offense for people who have deliberately targeted critical infrastructure, including dams, power plants, hospitals and electoral infrastructure,” lawmakers said.

It is unclear what impact such legislation may have on the FBI’s ability to investigate internationally-based hacking groups such as Darkside, the Russia-based organization that, according to US officials, carried out the Colonial Pipeline attack.

In recent interviews with The Times, law enforcement and intelligence sources have emphasized the connection between such organizations and Russian intelligence, stating that the Biden administration should take more aggressive action, through US-sponsored sanctions or counterattacks against groups like Darkside, to pressure Moscow to end its support for such groups.

William F. Evanina, the recently retired director of the National Counterintelligence and Security Center and former head of the CIA’s counterintelligence group, told The Times this month that ransomware attacks such as the one against Colonial Pipeline fit within Russian President Vladimir Putin’s strategy to undermine American democracy and economic power.

“The Russian government could shut this down in a moment if it wanted to,” Evanina said of the hacking operations.

At the same time, Mr. Evanina emphasized the need for a dramatic expansion in intelligence sharing between private US companies and federal agencies. “We have to have the ultimate public-private partnership here,” he said.

Ms. Bonneau agreed, saying that private companies need to be more transparent to facilitate faster and more aggressive cyber forensic investigations by federal agencies.

“Government agencies only know about cyberattacks on private industry if a company presents information about being hacked or when someone else exposes the company,” she said. “If a company has been hacked, they should report it so that government agencies can have a clearer picture of the evolution of the threat.”

Baker, meanwhile, said that most of the intelligence and defense against cyber attacks at the moment is in the hands of private companies that “do not coordinate deeply with the government.”

Federal investigators, he said, have “surprisingly good control” over how hackers operate and what their capabilities are, based on real-time observation and examination of hackers on government networks, but “there is a real blind spot” when it comes to receiving alerts and seeing inside private networks.

“Therefore, the government does not have a deep vision of what is happening within many [private] networks and it is not clear how to achieve this without a change in the relationship between government and industry,” said Baker. “It is a difficult problem, but that is where the real stitching is in our national defense against cyberattacks.”
