WASHINGTON — Congress is considering a bill that would require critical infrastructure operators and federal agencies to report any cyber breaches and attacks to the top federal cyber agency, but the FBI wants to be in the reporting loop as well.
After a series of high-profile ransomware hacks and other cyberattacks that left the Cybersecurity and Infrastructure Security Agency scrambling to figure out how network breaches unfolded, the Biden administration has urged lawmakers to mandate reporting of cyber incidents to the federal government.
While CISA is responsible for helping secure critical infrastructure networks against cyberattacks, the FBI, as a law enforcement agency, goes after the criminal perpetrators.
The FBI’s unique role as an intelligence and law enforcement agency helps not only victims but also CISA, the National Security Agency and U.S. Cyber Command understand where “adversaries may strike next,” Bryan Vorndran, the FBI’s cyber division assistant director, told lawmakers last week.
“I can’t stress enough the importance of the FBI receiving full and immediate access to cyber incidents so we can act on them as soon as possible and in unison with our federal partners at CISA,” Vorndran told the House Oversight and Reform Committee.
Chris Inglis, the national cyber director, who also testified before the panel, said the White House supports the FBI and CISA both getting incident reports.
Requiring victim organizations to report incidents simultaneously to CISA and the FBI would be ideal, said Frank Cilluffo, director of Auburn University’s Charles D. McCrary Institute for Cyber and Critical Infrastructure Security and a member of the congressional Cyberspace Solarium Commission.
“In addition to providing support to the victims, the bureau has additional authorities and capabilities to investigate and take actions against the perpetrator or adversary, whether criminal or from a counterintelligence perspective,” Cilluffo told CQ Roll Call.
The bureau also has demonstrated it can hurt criminal networks by taking back ransom payments they obtain from victims of ransomware attacks, Cilluffo said. “That’s also illustrative of why the FBI ought to be included” in the reporting process, he said.
The House version of the annual defense policy bill would establish a cyber incident review office at CISA that would set guidelines for how quickly victim organizations would have to report attacks. The office would publish quarterly reports after redacting identifiable information.