The recent surge of cyberattacks has triggered a blame game between private industry and federal agencies over who truly bears responsibility for ensuring such incidents don’t cripple critical infrastructure for things like fuel, electricity and water supplies and cause massive damage to the economy.
Most notably, the Colonial Pipeline ransomware attack, which halted the flow of gasoline across the Southeast for more than a week during May, put a fresh spotlight on a years-old debate over whether private companies should be required to alert the government if their computer systems have been breached by hackers.
Private industry has long lobbied against such requirements for a range of reasons, from desires to limit government intrusiveness into proprietary data realms to concerns about reputational damage that can be wrought on a company when hacking incidents draw major media attention.
But such concerns are increasingly being pushed to the back burner amid rising public awareness of the hacking threat — as well as growing consensus among cyber experts that more aggressive cooperation between the private sector and federal agencies like the FBI and the Department of Homeland Security may be necessary to prevent a future doomsday cyber incident.
Sources on Capitol Hill say bipartisan momentum is growing behind calls for the establishment of a so-called “mandatory reporting” law, as well as for legislation to expand the government’s authorities in hacking investigations and elevate penalties federal courts can exact against individuals convicted of cybercrimes.
Industry insiders say the era of private companies being able to keep it quiet when they’ve been hit by hackers — regardless of whether a given company’s computer systems and employees were equipped to ward off the attack or woefully unprepared to deal with it — must come to an end.
“There should be the creation of a government task force that private companies of all levels who are working on critical infrastructure should be required to call and notify if they’ve been hacked,” says Regine Bonneau, the founder and CEO of RB Advisory, a Florida-based firm that helps companies develop cyber-risk management solutions across a range of industries.
Without such a requirement in place, the current environment surrounding cyberattacks is one of “chaos,” Ms. Bonneau told The Washington Times.
“We’re in chaos right now, because we’re more reactive than proactive,” she said, adding that “at the present moment the government doesn’t know the extent of ransomware attacks that are happening against companies in the private sector, or the extent that those attacks are affecting those companies.”
Other experts say the Colonial Pipeline attack and last year’s SolarWinds hack — both of which U.S. officials have attributed to Russia-based actors — have triggered an inflection point in which the once rigid wall between the cyber activities of private companies and U.S. government agencies has begun to break down.
“This is an idea that has suddenly taken Washington by storm, that if your company has a serious incident you need to tell the government about it,” says Stewart Baker, a former National Security Agency (NSA) general counsel and Department of Homeland Security policy chief now practicing technology law at the private firm Steptoe & Johnson.
“But it hasn’t been adopted across the board at this point,” Mr. Baker, who hosts the weekly Steptoe Cyberlaw podcast, told The Times, although he added that while “industry is just very cautious about sharing anything with the government … that’s breaking down in the face of the kind of crises we’ve had recently, mainly involving ransomware.”
Sen. Susan Collins, Maine Republican, has been circulating legislation for nearly a decade aimed at facilitating increased communication between private companies and federal agencies on cyberattacks. But the effort has not previously seen the bipartisan momentum it has now.
A major cybersecurity bill Mrs. Collins and former Sen. Joe Lieberman, Connecticut independent, introduced back in 2012 was blocked by more conservative, pro-business Republicans out of fear the legislation would have opened the floodgates for new government regulations and increased costs for private companies by requiring them to meet bureaucracy-laden cybersecurity standards.
New urgency around ransomware attacks appears to have diminished such concerns, with centrist lawmakers from both parties now circulating legislation that goes much further than what was proposed back in 2012 — both in terms of proposals for standards industry will be required to meet, and in terms of requirements that companies report hacking incidents and open their networks to federal investigators.
A bill introduced in mid-July by Sen. Mark Warner, Virginia Democrat, and co-sponsored by Mrs. Collins and Sen. Marco Rubio, Florida Republican, would require all federal contractors, as well as any private “owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services,” to alert the government if they’ve experienced a cyberattack of any kind.
The legislation is broad in that it refers to the Critical Infrastructure Protection Act of 2001, which defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The bill would require companies to report hacking incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security, within 24 hours of the incident’s occurrence. The agency itself would be required to deliver a report to Congress annually, “in classified form if necessary,” outlining the landscape of attacks hitting critical infrastructure companies during a given year.
Such changes would amount to a revamping of CISA, which some consider to be the agency most responsible for communicating with the private sector. CISA has gone without Senate-confirmed leadership since last year, when former President Trump fired its director, Christopher Krebs, after the agency put out a statement disputing Mr. Trump’s claims of fraud in the 2020 presidential election.
President Biden has nominated Jen Easterly, the former head of the NSA’s counterterrorism center, to lead CISA, but her nomination has yet to be confirmed by the Senate.
While it remains to be seen whether more conservative Republicans will get behind the requirement that companies report cyberattacks to the government, there are signs that many in the GOP are motivated to embrace some form of aggressive cyber legislation. Mid-June saw Sens. Lindsey Graham, South Carolina Republican, and Thom Tillis, North Carolina Republican, reintroduce a 2018 bill — with support from Democratic Sens. Richard Blumenthal of Connecticut and Sheldon Whitehouse of Rhode Island — that aims to expand the government’s authorities in hacking investigations.
The lawmakers said in a statement that their International Cybercrime Prevention Act would give federal investigators more power to seize property from suspected hackers, making it “easier to counter and disrupt” so-called “botnets” — networks of computers infected with malware used in cyberattacks. The bill would also “create a new criminal violation for individuals who have knowingly targeted critical infrastructure, including dams, power plants, hospitals, and election infrastructure,” the lawmakers said.
It’s unclear what impact such legislation may have on the FBI’s ability to investigate internationally based hacking groups, such as Darkside, the Russia-based organization that U.S. officials say carried out the Colonial Pipeline attack.
In recent interviews with The Times, law enforcement and intelligence sources have emphasized the connection between such organizations and Russian intelligence, asserting that the Biden administration should be taking more aggressive steps, through sanctions or U.S.-sponsored counter-attacks against groups like Darkside, to pressure Moscow to end its support for such groups.
William F. Evanina, the recently retired director of the National Counterintelligence and Security Center and former chief of the CIA’s counterespionage group, told The Times this month that ransomware attacks like the one against Colonial Pipeline fit within Russian President Vladimir Putin’s strategy to undermine American democracy and economic power.
“The Russian government could shut this down in one moment if they wanted to,” Mr. Evanina said of the hacking operations.
At the same time, Mr. Evanina emphasized the need for a dramatic expansion in intelligence sharing between private U.S. companies and federal agencies. “We have to have the ultimate public-private partnership here,” he said.
Ms. Bonneau agreed, saying private companies need to be more transparent to facilitate quicker and more aggressive cyber forensic investigations by federal agencies.
“Government agencies only know of cyber attacks on private industry if a company comes forward with information about being hacked, or when someone else exposes the company,” she said. “If a company has been hacked, they should have to report it so government agencies can get a clearer picture of the evolving threat.”
Mr. Baker, meanwhile, said most of the intelligence and defense against cyberattacks at the present moment is in the hands of private companies that “don’t coordinate deeply with the government.”
Federal investigators, he said, have a “surprisingly good handle” on how hackers operate and what their capabilities are based on real-time observation and examination of hacks on government networks, but “there’s a real blind spot” when it comes to being alerted and seeing inside private networks.
“So the government doesn’t have deep insights into what’s happening inside a lot of [private] networks and it’s not clear how you would get that without a change in the relationship between government and industry,” Mr. Baker said. “It is a hard problem, but that’s where the real seam is in our national defense against cyberattacks.”