CISA to formally solicit industry feedback on cybersecurity incident reporting rules
Federal cyber officials will formally ask industry leaders “in the next couple of days” to help shape the regulatory structure for cybersecurity incident reporting, Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said Wednesday.
The incident reporting framework follows the new law that President Biden signed in March requiring critical infrastructure owners and operators to report major cyberattacks to CISA within 72 hours and ransomware payments within 24 hours.
CISA has said that it will use the reports to rapidly deploy resources to victims under attack and share information with network defenders. Easterly, who spent four years working on cyber defense at Morgan Stanley prior to coming to CISA, emphasized that she wants to work with industry to create a smart regulatory apparatus that doesn’t create problems for the private sector.
“This will finally allow us a much better understanding what’s going on across the ecosystem,” Easterly said at the Billington Cybersecurity Summit in Washington. “We don’t want to burden industry and we don’t want to burden the federal government with noise either.”
Easterly said that after CISA issues a request for information from the private sector, she intends to also host several listening sessions with industry to ensure the rule-making process is “consultative.”
Throughout the interview at Billington, Easterly emphasized that while offensive cybersecurity is “sexy,” she wants cyber defenders to understand that “defense is the new offense.”
“There’s amazing, amazing talent out there in the defense community, and we need to harness that to make sure that we are building and defending a secure and resilient ecosystem to make adversaries’ jobs much harder,” Easterly said. “This is the thing — attackers have budgets, too. We have to work together to make sure that we are increasing the marginal cost of their investment.”
U.S. cybersecurity practitioners can compete with anyone on the basis of skills alone, Easterly said. But she cautioned that America may sometimes come in behind adversaries because of ethics.
“They go after schools, they go after hospitals, they go after emergency services, they go after water,” Easterly said, lamenting what she called an “asymmetry in morality” between U.S. cyber operators and enemies.
Easterly was followed to the stage at Billington by National Cyber Director Chris Inglis, who told the audience that the “sense of urgency continues to go up on a daily basis.”
“Defense needs to be the new offense: We need to establish the initiative. That’s job one, priority one,” he said. “We need to make it such that if you’re a transgressor in this space, the new deal is you got to beat all of us to beat one of us.”