Acting Cybersecurity and Infrastructure Security Agency (CISA) Director Brandon Wales said today the government is concerned that the nation is witnessing the prelude to broader-based cyber attacks, and he called on Congress to take action on legislation that would require reporting of cyber incidents to the Federal government.
Wales said President Biden’s Cyber Executive Order (EO), signed May 12, is a critical step for broad-based cybersecurity advancements, but emphasized that the agency needs Congress to require more collaboration between CISA and cyberattack victims. The administration’s cybersecurity EO already orders some steps in that direction, but the CISA chief said legislators need to do more to help the effort.
“For CISA to do its job, and for the Federal government to broadly execute the mission that the American people want us to do which is protect critical infrastructure broadly, we need information from victims of cyber incidents, so that we can share that information and raise the baseline of cybersecurity. But to do that we need Congress to take certain actions to require cyber incident notification,” Wales said at a George Washington University Cyber Media Forum.
Status of Congressional Action
Congress already has numerous cybersecurity-related bills on its plate at the moment.
One bill sponsored by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, would also create a $20 million Cyber Incident Response Fund. Wales said the proposed fund would go through a year of mechanism testing before potentially needing a larger pot of money at its disposal.
More recently, Sens. Peters and Portman have discussed changing the Federal Information Security Act (FISMA) to make sure Congress gets timely reports of cyberattacks.
Members of Congress have already praised Biden’s EO as a “significant step” towards strengthening the nation’s cybersecurity and expressed a willingness to work with the White House on these issues.
“Last year, we learned that numerous federal government agencies were victims of a serious and widespread cyberattack … [and] unfortunately, we have recently learned of several additional serious attacks,” Reps. Carolyn Maloney, D-N.Y., Gerry Connolly, D-Va., and Stephen Lynch, D-Mass., said in a joint statement today.
“We look forward to working together with the Biden-Harris Administration … and our colleagues on both sides of the aisle to strengthen our nation’s cyber defenses and seek permanent legislative solutions,” the chairs of the House Committee on Oversight and Reform, and Subcommittees on Oversight and Reform and Government Operations pledged.
Adversaries Getting ‘More Aggressive’
Wales said that while the past six months have seen more and more cyberattacks exposed, a number of these incidents began much earlier.
“I think it shows a couple of things,” Wales said. “First, it shows that our adversaries are growing far more aggressive and far more sophisticated. They are looking for and finding, or in some cases stealing, information on critical vulnerabilities in essential software.”
“When you think about what they did … our adversaries have identified critical pieces of technology that oftentimes are areas of concentrated risk within networks and have targeted their efforts to find vulnerabilities or … to create a vulnerability … within those critical devices,” he added.
Wales said CISA and the United States need to be prepared to respond to such attacks and to more quickly identify devices with exposed vulnerabilities and develop ways to ensure more protection and additional controls for monitoring the devices.
He noted that some elements of increased preparedness are included in the Cyber EO, such as asking the Federal government to identify areas of “concentrated risk,” identifying critical products and software that can be in those areas of concentrated risk, and then working with agencies like the National Institute of Standards and Technology to ensure proper controls exist around those areas.
“I think this executive order is absolutely critical to our ability to continue to make advancements in cybersecurity at the Federal level,” Wales said. “We needed the entire government to be moving in the same direction. We needed clear direction from the White House to the Federal agencies that cybersecurity of Federal systems was a priority, and to outline some of the essential steps needed to take.”
“This executive order checks that box in a really big way,” Wales said.