The recent surge of cyberattacks has triggered a blame game between private industry and federal agencies over who bears responsibility for ensuring such incidents don’t cripple critical infrastructure for fuel, electricity and water supplies and cause massive damage to the economy.
Most notably, the Colonial Pipeline ransomware attack, which halted the flow of gasoline across the Southeast for more than a week last month, put a fresh spotlight on a years-old debate about whether private companies should be required to alert the government if hackers have breached their computer systems.
Private industry has long lobbied against such requirements for several reasons, including desires to limit government intrusiveness into proprietary data and concerns about damage to reputations when hacking incidents draw major attention.
Such concerns are increasingly being downgraded because of rising public awareness of the hacking threat and growing consensus among cybersecurity experts that the private sector and federal agencies such as the FBI and the Homeland Security Department may need to cooperate more aggressively to prevent a doomsday cyberattack.
Sources on Capitol Hill say bipartisan momentum is growing to enact a “mandatory reporting” law, to expand the government’s authorities in hacking investigations and to elevate federal penalties for cybercrimes.
Industry insiders say the era of private companies keeping quiet about hacking must come to an end, regardless of whether computer systems and employees were equipped to ward off the attack or woefully unprepared to deal with it.
“There should be the creation of a government task force that private companies of all levels who are working on critical infrastructure should be required to call and notify if they’ve been hacked,” said Regine Bonneau, the founder and CEO of RB Advisory, a Florida-based firm that helps companies across a range of industries develop risk management solutions.
“We’re in chaos right now because we’re more reactive than proactive,” Ms. Bonneau told The Washington Times. “At the present moment, the government doesn’t know the extent of ransomware attacks that are happening against companies in the private sector or the extent that those attacks are affecting those companies.”
Other experts say the Colonial Pipeline attack and last year’s SolarWinds hack, both blamed on Russia-backed cybercriminals, triggered an inflection point to start breaking down rigid walls between private-sector cyberactivities and federal agencies.
“This is an idea that has suddenly taken Washington by storm, that if your company has a serious incident, you need to tell the government about it,” said Stewart Baker, a former National Security Agency general counsel and Homeland Security Department policy chief now practicing technology law at the private firm Steptoe & Johnson.
“But it hasn’t been adopted across the board at this point,” Mr. Baker, who hosts the weekly “Cyberlaw Podcast,” told The Times.
Although “industry is just very cautious about sharing anything with the government … that’s breaking down in the face of the kind of crises we’ve had recently, mainly involving ransomware,” he said.
Sen. Susan M. Collins, Maine Republican, has been circulating legislation for nearly a decade to increase communication between private companies and federal agencies on cyberattacks. The proposal now has gained bipartisan momentum.
Ms. Collins and Sen. Joe Lieberman, Connecticut independent, introduced a major cybersecurity bill in 2012. Conservative, pro-business Republicans blocked the legislation out of fear that it would have opened the floodgates for more government regulations and increased costs for private companies by requiring them to meet bureaucracy-laden cybersecurity standards.
Recent ransomware attacks appear to have diminished such concerns. Centrist lawmakers from both parties are circulating legislation that goes much further than the 2012 proposal in terms of required industry standards and mandates to report hacking incidents and open private-sector networks to federal investigators.
A bill introduced by Sen. Mark R. Warner, Virginia Democrat, and co-sponsored by Ms. Collins and Sen. Marco Rubio, Florida Republican, would require all federal contractors and any private “owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services” to alert the government if they experience a cyberattack of any kind.
The broad legislation refers to the Critical Infrastructures Protection Act of 2001, which defined critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
The bill would require companies to report hacking incidents to the Cybersecurity and Infrastructure Security Agency, part of the Department of Homeland Security, within 24 hours. The agency would be required to deliver a report to Congress annually, “in classified form if necessary,” outlining the landscape of attacks on critical infrastructure companies.
Such changes would amount to a revamping of the Cybersecurity and Infrastructure Security Agency, which some consider to be the most responsible entity for communicating with the private sector. The agency has gone without Senate-confirmed leadership since last year. President Trump fired its director, Christopher Krebs, after the agency issued a statement disputing Mr. Trump’s claims of fraud in the 2020 presidential election.
President Biden has nominated Jen Easterly, a former head of the NSA’s counterterrorism center, to lead the Cybersecurity and Infrastructure Security Agency, but the Senate has yet to confirm her nomination.
It remains to be seen whether more conservatives will get behind a requirement for companies to report cyberattacks to the government, but many Republicans are showing motivation to embrace some form of aggressive cybersecurity legislation. Sen. Lindsey Graham, South Carolina Republican, and Sen. Thom Tillis, North Carolina Republican, have reintroduced a 2018 bill — with support from Democratic Sens. Richard Blumenthal of Connecticut and Sheldon Whitehouse of Rhode Island — that aims to expand the federal government’s authorities in hacking investigations.
The lawmakers said in a statement that their International Cybercrime Prevention Act would give federal investigators more power to seize property from suspected hackers, making it “easier to counter and disrupt” so-called botnets — networks of computers infected with malware used in cyberattacks. The bill would also “create a new criminal violation for individuals who have knowingly targeted critical infrastructure, including dams, power plants, hospitals, and election infrastructure,” the lawmakers said.
It’s unclear what impact such legislation may have on the FBI’s ability to investigate internationally based hacking groups, such as DarkSide, the Russia-based organization that U.S. officials accuse of carrying out the Colonial Pipeline attack.
In recent interviews with The Times, law enforcement and intelligence sources emphasized the connection between such organizations and Russian intelligence. They said the Biden administration should take more aggressive steps, through sanctions or U.S.-sponsored counterattacks, to pressure Moscow to end its support of groups such as DarkSide.
William F. Evanina, the recently retired director of the National Counterintelligence and Security Center and former chief of the CIA’s counterespionage group, told The Times this month that ransomware attacks like the one against Colonial Pipeline fit within Russian President Vladimir Putin’s strategy to undermine American democracy and economic power.
“The Russian government could shut this down in one moment if they wanted to,” Mr. Evanina said of the hacking operations.
At the same time, Mr. Evanina emphasized the need for a dramatic expansion in intelligence-sharing between private companies and federal agencies. “We have to have the ultimate public-private partnership here,” he said.
Ms. Bonneau agreed. She said private companies need to be more transparent to facilitate quicker and more aggressive forensic investigations by federal agencies.
“Government agencies only know of cyberattacks on private industry if a company comes forward with information about being hacked, or when someone else exposes the company,” she said. “If a company has been hacked, they should have to report it so government agencies can get a clearer picture of the evolving threat.”
Mr. Baker said most of the intelligence and defense against cyberattacks are in the hands of private companies that “don’t coordinate deeply with the government.”
Federal investigators, he said, have a “surprisingly good handle” on how hackers operate and what their capabilities are, based on real-time observation and examination of hacks on government networks, but “there’s a real blind spot” when it comes to being alerted and seeing inside private networks.
“So the government doesn’t have deep insights into what’s happening inside a lot of [private] networks and it’s not clear how you would get that without a change in the relationship between government and industry,” Mr. Baker said. “It is a hard problem, but that’s where the real seam is in our national defense against cyberattacks.”