Sen. Mark Warner (D-Virginia), chairman of the Senate Select Committee on Intelligence, said during a U.S. Chamber of Commerce-sponsored webinar Tuesday that he is “very optimistic” that national cybersecurity legislation can pass that will be “broadly bipartisan with broad industry support.” The bill would make breach notification mandatory and provide “limited immunity” and anonymized information to incent private companies to “respond in a more comprehensive way.”
With the recognition that 80% to 90% of critical infrastructure “is in private hands,” Warner said the focus needs to be on creating “a structure that would allow some limited mandatory reporting for government contractors and critical infrastructure that doesn’t get to full data breach negotiations” to ensure a level of privacy of information.
The bill is still being worked on and needs support from U.S. allies as well, Warner said.
“I still, perhaps naively, hope on a multilateral basis we can create cyber norms so that our adversaries [with] tier-one capabilities will know there are certain types of attacks,” such as against hospitals and national power grids, that will not be tolerated, he said.
If norms are in place, the U.S. can put adversaries on notice that if they violate them, “and we can find appropriate attribution, there will be consequences,” Warner said. “Right now, our failure to have norms and a more robust notification system…candidly, has allowed in many ways, Russia and China to launch cyberattacks with virtual impunity.”
Warner and other panelists referenced the SolarWinds cyber breach several times throughout the webinar. Warner said cyberattacks on western nations and the problem of protecting personal information and dealing with ransomware demands have risen dramatically. He reiterated that “there’s a growing understanding of this across industry and a growing recognition that as long as we can provide a level of limited immunity and some privacy, we can earn industry support.”
The proposed legislation will be separate from more longstanding debates about national cyber breach notifications, Warner added.
Warner said he’s frustrated that Congress hasn’t yet enacted cyber breach legislation and that states have had to rely on a variety of “patchwork” laws. Debate about the issue continues, and “born of some of the scars of those debates,” he doesn’t see any resolution in the short term, he said. Thanks to high-profile breaches like SolarWinds, though, more CEOs are focusing on cybersecurity.
“What I hear from CEOs is they realize that while they should not walk away from good cyber hygiene, that alone will not stop [tier-one] adversaries and the most sophisticated of cybercriminals from getting into their systems,” Warner said.
Years ago, CEOs were balking against additional regulatory reporting, he said. But now they’re saying if there are incentives to do so, it will protect their organizations—as well as others who may not even know they have been breached, he said.
“The concern I have with our international process is we don’t want this to be an us-vs.-China or us-vs.-Russia approach,” Warner said. Adversaries are attacking regimes all over the world, “and if we can get this set up and some sensible cyber norms, I think we can rally the world so that when adversaries do take these actions they will pay a price.”
Recommendations from the Cyberspace Solarium Commission
Representatives from the U.S. Cyberspace Solarium Commission discussed its priorities for advancing a new approach to defend against cyberattacks.
Panelist Frank Cilluffo, the commissioner of the U.S. Cyberspace Solarium Commission, called its legislative agenda for the 117th Congress “pretty robust” and said it includes 35 recommendations that zero in on legislative requirements for the private sector. “I want to make sure they’re not feel-good talk but actual implementation and partnerships,” Cilluffo said.
Among them are ways to get cloud providers in the government and private sectors to provide more visibility, he said. One recommendation Cilluffo said he’s personally passionate about is a national cyber victims recovery fund.
Retired Rear Adm. Mark Montgomery, executive director of the Solarium Commission, said it has recommended an increase of between 15% and 20% in appropriations for the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency. The Biden administration has recommended $2.1 billion, and the commission is proposing $2.4 billion, Montgomery said.
A few years from now, an effective budget to appropriate and fund national cybersecurity will be between $3 billion and $4 billion, he said, and “this is down payment to do that.” But Montgomery acknowledged that “There’s lots of mouths coming into this buffet, and we won’t get 100% of what we want.”
Matthew Eggers, vice president for cyber policy for the U.S. Chamber of Commerce, said the Chamber is looking for legislation that supports businesses and “government doers,” the people operating and protecting networks.
“We want legislation in service of entities trying to do the right things,” Eggers said. “We want to be getting more good, actionable data in the hopper so we can analyze it.”
When he looks at the Solarium Commission report, “defending forward is the way to go,” Eggers said. “We want to be making sure the legislative effort is making the business community an ally.”
Cilluffo said he has long been an advocate of not just transnational legislation but legislation that has the U.S. leading in international actions. The diplomatic element is critical, he said.
“The Cyber Diplomacy Act won’t take away from existing work but will bring in allies” from security organizations in Japan, India and Israel, he said. “The bottom line here is we’ve ceded the battlefield for quite some time to China,” which has taken advantage of international inaction, “and quite honestly, we’ll need our allies to push back,” he said.
The long-term benefit is “we’re never going to firewall our way out of this problem alone. We’ve been blaming the victim for so long we need to split the equation on cost and consequence on bad cyber behavior, and the way to do that is to ensure our own national interests but others as well.”
Montgomery said he thinks the Cyber Diplomacy Act will go forward, and he won’t be surprised if it moves into the cyber legislation bill.
At the end of 2021, success for the commission will mean making sure companies, national agencies and citizens are enhancing their overall cybersecurity efforts, Cilluffo said. “We need to follow up our ideas with resources. This is not going to be accomplished through Washington alone but will require your members,” he said, referring to the Chamber. “This is not a trite comment. The private sector needs a front-row seat here.”