You know that hazy window that’s been obscuring the cyber threat landscape, leaving the feds squinting to try to see what’s really going on?
The government has recently pulled out some squeegees.
Case in point: the government spending deal that President Biden signed into law on Friday. The bill mandates that critical infrastructure operators report a significant cyber incident within 72 hours and a ransomware payment in 24 hours.
It’s About Time
As Politico reported, senior government officials and cyber policy watchers said the legislation is long overdue. As it is, they’ve long warned that federal cyber defenders don’t have nearly enough information about the digital threat landscape.
“This is the main thing that we’ve struggled with forever,” said Jonathan Reiber, senior director for cybersecurity strategy & policy at the cybersecurity company AttackIQ and former chief strategy officer for cyber policy for the Obama administration. “Anne Neuberger, the White House deputy national security advisor for cyber security, after the SolarWinds intrusion, she said, ‘Look, we lack visibility into how the adversaries are behaving within private sector networks,’” he noted.
Feds: The Only Ones Who Can Retaliate Against Nation States
The timing is suggestive: the new mandates coincide with proposals recently issued by the Securities and Exchange Commission (SEC) that would require some financial firms and listed companies to report cyberattacks to the regulator, create detailed plans for responding to hacks, and explain how they manage cybersecurity at all levels.
Padraic O’Reilly, co-founder of cyber risk management firm CyberSaint and a cyber risk advisor to financial firms and public companies, is working directly with the financial services industry and public companies to understand and comply with the proposed reporting and board requirements. If enacted as written, he told Threatpost on Wednesday, the SEC’s proposed rules would substantially complicate how thousands of companies track, handle and report cyberattacks.
In these times of intense cyber aggression from nation states, the government has to step up, Reiber said. After all, it’s the only one that can.
“The government is the only one who can impose costs externally on a country that’s doing something to the United States,” he said in this week’s Threatpost podcast.
“Constitutionally, it’s the duty of the executive branch [and U.S. Cyber Command] to provide for the nation’s defense. You don’t want companies having to go up against a nation state on their own,” Reiber said.
The new mandates will help, he said. They’ll help the government to assume the burden of risk when it comes to mounting a counter-offensive operation – if one is required.
Regarding the difference between the SEC proposals and the spending bill, O’Reilly told Threatpost via email that “The SEC is out in front of the wider issue of transparency vs. the Cyber Reporting Bill … focuses more on the nuts and bolts of reporting these attacks” to the Department of Homeland Security.
The SEC is going to address “several incidents that weren’t reported correctly,” he said, and its proposals show “tailwinds around where future cybersecurity legislation will be heading in terms of public disclosure of cyber posture.”
In this week’s podcast, Reiber took a look at a number of questions on the spending bill’s reporting mandates, including what should and shouldn’t be considered a “significant” cyber incident, why strategic public and private sector partnerships will be vital, and more – including a big “huzzah!” regarding a nice shot in the arm for the Cybersecurity and Infrastructure Security Agency (CISA): namely, a $568 million increase above last year’s funding level that surpasses the amount requested by the president.