Information sharing is important when dealing with ransomware, but reporting requirements should not to overburden agencies or industry, CISA’s chief says.
To ensure mandatory cyber incident reporting is effective, lawmakers should be conscious of potentially overburdening companies – and agencies – with “reporting noise,” advised Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency
Speaking at the Sept. 29 Aspen Cyber Summit, Easterly said that CISA, as a voluntary and partnership agency, aims to “build trusted partnerships so that companies that are impacted by cyberattacks report information.” But as the threat environment grows more complex, information sharing becomes crucial to preventing damage in future attacks.
"Whether it's voluntary, or whether it's mandatory, we need to get that information as rapidly as possible so that we can share it to prevent others from suffering an attack," Easterly said.
The CISA director's comments come after Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio) introduced a bill that would require critical infrastructure companies and operators to report cyberattacks to CISA and for most entities to report ransomware payments.
Easterly said such information sharing is important when dealing with ransomware, but reporting requirements should take care not to overburden CISA or industry.
"That's why it's really important to have this rulemaking period, where we can figure out the scope of the reporting entity ... when they would need to report rapidly ... and then how you make sure that you can do enforcement," Easterly said. "Because at the end of the day, it really is to the benefit of the whole ecosystem if we can get information out rapidly to protect others."
Incident reporting is only part of the threat landscape. Rob Joyce, the director for the National Security Agency's cybersecurity directorate, said during his panel discussion that one of his biggest concerns is technical debt and being able to retroactively secure aging technologies still in use.
"There's a lot of things we know need to be modernized, upgraded, changed, but it's getting the resources and the will to put the investment in there," he said.
This article was first posted to FCW.