Published on September 7th, 2022
CISA to formally solicit industry feedback on cybersecurity incident reporting rules
Federal cyber officials will formally ask industry leaders “in the next couple of days” to help shape the regulatory structure for cybersecurity incident reporting, Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said Wednesday.
The incident reporting framework follows the new law that President Biden signed in March requiring critical infrastructure owners and operators to report major cyberattacks to CISA within 72 hours and ransomware attacks within 24 hours.
CISA has said that it will use the reports to rapidly deploy resources to victims under attack and share information with network defenders. Easterly, who spent four years working on cyber defense at Morgan Stanley prior to coming to CISA, emphasized that she wants to work with industry to create a smart regulatory apparatus that doesn’t create problems for the private sector.
“This will finally allow us a much better understanding what’s going on across the ecosystem,” Easterly said at the Billington Cybersecurity Summit in Washington. “We don’t want to burden industry and we don’t want to burden the federal government with noise either.”
Easterly said that after CISA issues a request for information from the private sector, she intends to also host several listening sessions with industry to ensure the rule-making process is “consultative.”
Throughout the interview at Billington, Easterly emphasized that while offensive cybersecurity is “sexy,” she wants cyber defenders to understand that “defense is the new offense.”
“There’s amazing, amazing talent out there in the defense community, and we need to harness that to make sure that we are building and defending a secure and resilient ecosystem to make adversaries’ jobs much harder,” Easterly said. “This is the thing — attackers have budgets, too. We have to work together to make sure that we are increasing the marginal cost of their investment.”
U.S. cybersecurity practitioners can compete with anyone on the basis of skills alone, Easterly said. But she cautioned that America may sometimes come in behind adversaries because of ethics.
“They go after schools, they go after hospitals, they go after emergency services, they go after water,” Easterly said, lamenting what she called an “asymmetry in morality” between U.S. cyber operators and enemies.
Easterly was followed to the stage at Billington by National Cyber Director Chris Inglis, who told the audience that the “sense of urgency continues to go up on a daily basis.”
“Defense needs to be the new offense: We need to establish the initiative. That’s job one, priority one,” he said. “We need to make it such that if you’re a transgressor in this space, the new deal is you got to beat all of us to beat one of us.”