Congress is considering a bill that would require critical infrastructure operators and federal agencies to report any cyber breaches and attacks to the top federal cyber agency, but the FBI wants to be in the reporting loop as well.
After a series of high-profile ransomware hacks and other cyberattacks that left the Cybersecurity and Infrastructure Security Agency scrambling to figure out how network breaches unfolded, the Biden administration has urged lawmakers to mandate reporting of cyber incidents to the federal government.
While CISA is responsible for securing critical infrastructure networks from cyberattacks, the FBI, as the law enforcement agency, goes after the criminal perpetrators.
The FBI’s unique role as an intelligence and law enforcement agency helps not only victims but also CISA, the National Security Agency and U.S. Cyber Command understand where “adversaries may strike next,” Bryan Vorndran, the FBI’s cyber division assistant director, told lawmakers last week.
“I can’t stress enough the importance of the FBI receiving full and immediate access to cyber incidents so we can act on them as soon as possible and in unison with our federal partners at CISA,” Vorndran told the House Oversight and Reform Committee.
Chris Inglis, the national cyber director, who also testified before the panel, said the White House supports the FBI and CISA both getting incident reports.
Requiring victim organizations to report incidents simultaneously to CISA and the FBI would be ideal, said Frank Cilluffo, who is the director of Auburn University’s Charles D. McCrary Institute for Cyber and Critical Infrastructure Security and a member of the congressional Cyber Solarium Commission.
“In addition to providing support to the victims, the bureau has additional authorities and capabilities to investigate and take actions against the perpetrator or adversary, whether criminal or from a counterintelligence perspective,” Cilluffo told CQ Roll Call.
The bureau also has demonstrated it can hurt criminal networks by taking back ransom payments they obtain from victims of ransomware attacks, Cilluffo said. “That’s also illustrative of why the FBI ought to be included” in the reporting process, he said.
The House version of the annual defense policy bill would establish a cyber incident review office at CISA that would set guidelines for how quickly victim organizations would have to report attacks. The office would publish quarterly reports after redacting identifiable information.
The Senate version also would establish an incident review office under CISA and would require businesses and both state and local governments to report ransomware-related payments to that office within 24 hours of making them.
The Senate bill also would require the same entities to inform CISA within 72 hours of a cyberattack.
In the absence of a uniform cyber incident reporting requirement, victims and government agencies struggle to figure out who’s in charge, according to a memo prepared by the Oversight and Reform Committee.
The committee obtained records from CNA Financial Corp., JBS Foods and Colonial Pipeline, all of which suffered severe ransomware attacks this year that affected millions of Americans.
CNA is said to have paid a ransom of $40 million in bitcoins after it suffered a ransomware attack in March by a cybercriminal group called Phoenix. In May, Colonial Pipeline was attacked by DarkSide and paid $4.4 million, also in cryptocurrency. In June, JBS Foods was attacked by REvil and paid a ransom of about $11 million.
“Each company provided notice to a variety of different federal agencies, including federal law enforcement,” the committee memo said.
Colonial, for example, was in contact with at least seven federal agencies or offices, the memo said.
“CNA was initially referred to one FBI field office before a different field office was designated as the primary point of contact,” the memo said.
In the case of JBS Foods, the company’s general counsel “first emailed an FBI field office, the agent they emailed was not the correct point of contact, so their inquiry was passed on to different case agents at the same field office, leading to a several-hour delay between the JBS official’s initial email and the FBI’s first substantive email response,” the memo said.
In another case, a company considering paying a ransom was “referred to the Treasury Department for questions regarding sanctions, while another company was provided a substantive answer on this topic by the FBI,” the committee found.
Getting companies and federal agencies to report attacks in a timely and organized fashion to the federal government would boost the country’s cybersecurity posture, Cilluffo said.
“The endgame is to get the public and private sectors to move beyond transactional cooperation of information sharing and toward true collaboration,” Cilluffo said.