Cyber Notification Bill Critical, But Won’t Stop Bad Actors Entirely, Says Senator
Congress recently passed legislation including a requirement for critical infrastructure entities to notify the government of cyber attacks.
Megan Boswell
WASHINGTON, March 15, 2022 – Mandatory cyber attack reporting is critical to keeping up cyber defenses against potential Russian attacks, a U.S. senator said, following the passing by Congress of legislation that would require certain companies to report such attacks within 72 hours.
But Senator Mark Warner, D-Virginia, and a former State Department cyber expert, said the bill will not stop bad actors entirely.
“We probably cannot be 100 percent effective on keeping the bad guys out,” Warner said Monday during a Center for Strategic and International Studies event discussing the Russian invasion of Ukraine. “We shouldn’t aim for 100 percent perfection on defense, but what we should aim for is this information sharing, so that we could then share with the private sector.”
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, part of a larger budget bill, requires certain critical infrastructure owners and operators, including those in the communications, energy and healthcare sectors, to notify the Cybersecurity and Infrastructure Security Agency of cybersecurity attack incidents in certain circumstances. It was passed by both chambers and President Joe Biden is expected to sign the bill into law soon.
The bill’s passing comes after a year of high-profile cyber attacks that targeted software companies, a meat producer and an oil transport firm. Following those attacks, lawmakers and cyber officials urged Congress to push the bill forward. Late last year, Secretary of State Antony Blinken announced the department intends to create a new cyber bureau to help tackle the growing challenge of cyber warfare.
It also comes as Russia continues its war in Ukraine, which some have suspected will ramp up global cyber attacks.
‘Shields up’
Chris Painter, president of the Global Forum on Cyber Expertise Foundation and former coordinator for cyber issues at the State Department, agreed with Warner on Monday, saying that he thinks “that we will see that [cybersecurity attack capability] is being held in reserve, so I think shields up is really the right approach for the U.S.”
“With a dedicated adversary like Russia,” Painter said, “you could be very good at defense, [but] they’re still going to get in.”
Warner, who said the notification requirement is a “giant step forward,” said the bill doesn’t “want to hold the company accountable, [but] we do want to go after malware actors.” He added this is about being resilient in the face of incoming attacks.
But in a January congressional hearing about cybersecurity, Ross Nodurft of the Alliance for Digital Innovation warned Congress against an “overly prescriptive definition of a [cybersecurity] incident” to avoid running the risk of “receiving so many notifications that the incidents which are truly severe are missed or effectively drowned out due to the frequency of reporting.”