The chairwoman of a House cybersecurity panel is developing legislation that would require critical infrastructure owners to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) and also codify a voluntary pilot program that the agency uses with companies that provide critical capabilities to give it real-time visibility on their networks.
The two bills would be “complementary, giving CISA the ability to monitor threats today and also learn how and why they’re successful so we can prevent them from happening tomorrow,” Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security’s cybersecurity subcommittee, said during a hearing on Tuesday that examined the federal response to a ransomware attack on pipeline operator Colonial Pipeline in May.
The bill that would improve visibility into private sector networks calls out CISA’s CyberSentry pilot program, which provides commercial-off-the-shelf tools such as network detection software to identify malicious activity on industrial control systems and corporate networks.
The U.S. and CISA face a “lack of visibility into cybersecurity risks facing our nation’s critical infrastructure,” said Eric Goldstein, CISA’s executive assistant director for Cybersecurity, adding that by risks he means “the possibility of criminal groups or nation-states breaking into our critical infrastructure with the intent to do harm.”
This visibility gives CISA the ability to “understand systemic risk across our country and provide actionable information that can protect others so they can either detect and block these threats before break-ins occur or they can evict adversaries from their networks once the intrusion happens,” Goldstein told the joint hearing of the committee’s Cybersecurity and Transportation Security panels.
Goldstein also said that CISA lacks sufficient insight into “entities” that may need the agency’s help, which ranges from providing guidance and best practices to cybersecurity services such as vulnerability scans and threat hunting, as well as help with remediating compromised networks.
Lessons learned over years of cyber intrusions show that many invasions of operational technology networks begin on business networks, Goldstein said. CyberSentry helps detect threats that try to move from the corporate networks to the control systems, he added.
The CyberSentry tools are currently deployed with a “limited number of highly critical entities” and have shown “significant success” by giving CISA more visibility into networks and helping the critical infrastructure entities, Goldstein said. The information CISA gains about threats through the CyberSentry tools helps the agency “understand and rapidly identify those kinds of threats manifesting across the most critical networks,” he said.
Clarke’s pending legislation mandating that operators and owners of critical infrastructure report cyber incidents to CISA appears to be similar to other bills being planned in Congress requiring disclosure of cyber breaches.