According to Congressmembers Yvette Clarke and John Katko — who spoke during a Jan. 13 discussion hosted by Silverado Policy Accelerator — key goals include passing the cyber incident reporting legislation that failed to clear last year and domesticating semiconductor chip production.
Mandated Reporting — Try, Try Again?
Katko and Clarke said they're on the lookout for the next opportunity to pass the measure, whether as a standalone piece of legislation or as part of a larger bill.
“Any bill we can find — be that the budget, be that whatever — we’re going to throw it into it,” Katko said.
When such legislation passes, the FBI wants to be included, too. The agency has nationally and globally dispersed cyber experts who can arrive quickly at victims’ doorsteps — but only if the FBI knows when and where to send them, said Bryan Vorndran, assistant director of the FBI’s Cyber Division.
“What the Department of Justice and FBI is looking for is legislation that includes language about the FBI having real-time and unfiltered access to incident information that is reported to CISA. It could likely be accomplished by a few words or a sentence in the proposed legislation,” Vorndran said.
CISA currently collaborates and communicates with the FBI, but it's still important to have the information sharing officially recognized in law, Vorndran said.
Requiring organizations to report incidents to the federal government has benefits that go beyond agencies being able to respond better to a particular event. More reporting also means government will have the data needed to analyze evolving cyber attack trends and assess the effectiveness of its cybersecurity policies and initiatives, Clarke said.
“Without adequate data, it is difficult to assess the scope of the ransomware epidemic and to measure if our efforts are making a difference,” Clarke said.
Threat Hunting and Metrics
The federal government shouldn’t always need to wait for victims to report incidents before taking action, however. Instead, it needs visibility into certain partners’ networks to allow it to proactively detect and respond to threats, said the Silverado Policy Accelerator in a six-point policy recommendation paper that was released in conjunction with the discussion. Silverado is a nonprofit think tank that develops policy proposals for cybersecurity and other areas.
Silverado’s 2022 cyber policy priorities include granting the Department of Defense (DoD) authority to hunt threats on “the networks of cleared defense contractors that hold sensitive national security information.” The idea was previously proposed by the Cyberspace Solarium Commission.
Silverado also urged federal government to better assess agencies’ incident response capabilities. That could mean taking concrete measurements of agencies’ performances, such as their speed in detecting incidents and vulnerabilities as well as their speed in responding to and mitigating threats.
“In cyberspace, the only way to reliably defeat an adversary is to be faster than they are,” Silverado stated.
Making CISA the CISO
Federal cyber incident responses will become uncoordinated and uneven if each agency relies on their own independent CISO, said Katko and Rob Silvers, undersecretary for strategy, policy and plans at the U.S. Department of Homeland Security (DHS). Katko advocated instead for CISA to become the central hub overseeing cybersecurity efforts across civilian federal agencies.
In a similar proposal, Silverado recommended that CISA first test-run taking over cybersecurity for one small executive agency, then get involved with more and more agencies and ultimately become a shared services provider for cybersecurity. But achieving this goal requires giving CISA more resources and authorities.
Crypto and Chips
Cybersecurity is an international scene, so the U.S. must respond to activity in other countries that may impact its cyber posture.
Silverado’s recommendations push for cracking down on foreign cryptocurrency exchanges that may be enabling malicious cyber actors to profit. Know your customer (KYC) and anti-money laundering (AML) regulations bind U.S.-based crypto operations and reduce the chances of cyber criminals abusing the services, but stronger action is needed to encourage similar stringency in non-U.S. exchanges, Silverado said. That could mean equipping the Treasury Department with the ability to sanction foreign exchanges that fail to abide by KYC and AML rules.
Katko said that protecting the national economy and critical infrastructure means loosening the U.S.’s dependency on overseas semiconductor chip manufacturing and chip supply chains outside of American control.
He urged passage of the CHIPS For America Act, which deals with chip supply chain security and would invest in U.S.-based chip research and development and manufacturing.
Katko called this a “an essentially and probably underappreciated national priority,” although it was far from the only item deemed a top priority during Thursday's discussion.
Clarke seemed to acknowledge the challenge of so many goals competing for top focus.
“At this stage, again, there are just so many top priorities. It's not lost on anyone,” she said. “It's how do we shift the playing field to make sure that we can get as much done, as quickly as possible, before the end of this session?”
