CISA chief floats fines to compel threat info sharing

To ensure cyberattack victims in critical infrastructure sectors share timely information on threats, the Biden administration is increasingly looking for ways to compel disclosure. While the executive branch can authorize such requirements for federal contractors and certain regulated industries, a wide-ranging breach disclosure mandate would need legislation.

So far, efforts to craft a federal standard to replace the more than 50 state-based and territorial disclosure laws have failed to gain traction, but that could change in the wake of well-publicized breaches like the Colonial Pipeline ransomware attack.

At a Sept. 23 hearing of the Senate Homeland Security and Government Affairs Committee, Cybersecurity and Infrastructure Security Agency Director Jen Easterly stressed the importance of threat information sharing.  

"It's long past time to get cyber incident reporting legislation out there," CISA Director Jen Easterly told lawmakers on the committee. "It's very important for us to both be able to render assistance to any entity that suffers an attack, but to be able to analyze that information and to share it more widely, because we know that in today's world, everything is connected, everything is interdependent, and thus everything is vulnerable."

Easterly said in her testimony that any legislation will need some way to get private companies to cooperate with disclosure requirements in the heat of an ongoing attack.

"I do think a compliance and enforcement mechanism is very important here. I know some of the language talks about subpoena authority. My personal view is that is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors. So I think that we should look at fines…. I just came from four and a half years in the financial services sector where fines are a mechanism that enable compliance and enforcement."

Easterly also spoke to the importance of establishing CISA as the "operational lead" in federal cybersecurity as part of any update of the Federal Information Systems Modernization Act, while also "holding departments and agencies specifically accountable for the investments that they make in their cybersecurity teams," adding that, "we need to move from this compliance and box checking to true operational risk management."

This article was first posted to FCW, a sibling site to GCN.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Connect with him on Twitter at @thisismaz.

