Debate over cybersecurity reporting divides CISA and FBI


A Cyber Incident Reporting Act that has been passed unanimously by the U.S. Senate appears to be fostering a debate between the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) over how best to require organizations to report cybersecurity incidents.

The act requires major companies that, for example, operate oil pipelines, banks, electric grids, and transportation systems to report cyberattacks within 72 hours and any ransom payments they may have made within 24 hours.

This latest piece of cybersecurity legislation has yet to be taken up by the U.S. House of Representatives, but FBI Director Christopher Wray said in a statement the act “in its current form it would make the public less safe from cyber threats – slowing aid to victims, hampering identification of other companies the same attackers are targeting, and undercutting disruption operations against cyber threats.”

The FBI wants to require cybersecurity reports to be made in real-time as attacks occur to enable it to more easily track and eventually prosecute perpetrators. It also wants to provide organizations with liability protections to encourage them to report cybersecurity incidents.

CISA director Jen Easterly, however, appears to be more content with the three-day window currently specified. “Put plainly, this legislation is a game-changer,” she said in a statement. “CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”

The act, which the White House has already signaled the president intends to sign, is now being attached to an omnibus cybersecurity spending bill. The ongoing conflict between Russia and Ukraine is cited as the justification for that move.

Not every business, of course, is going to welcome the Cyber Incident Reporting Act. Customers, partners, suppliers, and investors are likely to be unnerved by these reports to the point where valuations of organizations will be impacted.

The act is also most likely a harbinger of additional cybersecurity-related legislation that will require organizations to share a lot more information about an attack that many of them have been historically reticent to share. The concern, of course, is that whatever is shared in those reports will simply alert other cybercriminals of the existence of a weakness before an internal cybersecurity team is able to remediate it.

The debate over the appropriate level of reporting is far from over. However, given the Democratic majority in the House, more organizations, like it or not, will need to resign themselves to the fact that they will be required to file a report every time there is a security breach. In fact, there are many who believe that when it comes to curing what really ails cybersecurity, the best disinfectant of all is and always will be as much sunlight as possible. The only issue that remains to be resolved is how quickly that sunshine will be required.
