Legislation still being assembled in Congress to require certain private sector entities to report cybersecurity incidents to the federal government must ensure that the FBI receives real-time notification of any such report, an FBI official said on Thursday.
Legislation considered by the House and Senate last year, which would direct covered private sector entities to report cyber-attacks against their networks, made the Cybersecurity and Infrastructure Security Agency (CISA) the recipient of that information. The FBI is fine with that model but wants any law to then require that CISA, in turn, immediately pass the incident information to the bureau, Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division, said during a virtual cybersecurity discussion hosted by the Washington Post.
“Our view is that the legislation ideally would say that that information would be shared by CISA simultaneously and unfiltered with the FBI and here’s why,” Ugoretz said. “There are a number of agencies within the U.S. government with various cybersecurity responsibilities but there are only two agencies that are identified as responsible for responding to cyber incidents and that’s CISA and the FBI, and as I just mentioned speed is of the essence when we’re talking about response to these cyber incidents. So, while we have an incredibly good relationship with our counterparts at CISA and we trust that they will share incident reporting information with us, it’s the speed in which that is shared. We are stronger when we can respond together on the basis of the same information.”
CISA, which is an operating component of the Department of Homeland Security, has authority to require that federal civilian agencies take steps to strengthen their cyber defenses, and works on a voluntary basis with the private sector to help strengthen its cyber risk posture.
The FBI investigates cyber crimes and other malicious cyber activity. Last year, the FBI helped recover millions of dollars in payments made to criminal groups that carried out ransomware attacks against U.S. companies and other entities.
“So, ransom recovery is just one example of the benefit that comes from reporting suspicious cyber activity and incidents quickly to an agency like the FBI that has the authorities and the nationwide presence to act quickly,” Ugoretz said. “So, in the instances of the cryptocurrency seizures, those really were enabled by a unique set of circumstances in each case where the victim companies not only notified us quickly but worked with us and while quick notification is incredibly important because if we don’t know that something has happened, we can’t act.”
Ugoretz also highlighted that the FBI’s Internet Crime Complaint Center can help individuals and small- and medium-size companies that have been victims of ransomware attacks. In 2020, the FBI helped recover $400 million in ransomware-related payments, she said.
“But that only happens when we learn about the incident and we learn about details of it in a very quick time window,” she said.