Congress needs to consider legislation that would require industry to share information about cyber-attacks on their networks so that the nation can better combat cyber threats, a Republican senator said on Wednesday.
Sen. Mike Rounds (R-S.D.), the ranking member on the Cyber Subcommittee of the Senate Armed Services Committee, quoted testimony to the panel earlier this year by Army Gen. Paul Nakasone, commander of U.S. Cyber Command and director of the National Security Agency, who discussed foreign actors conducting cyber-attacks against the U.S. According to Rounds, Nakasone said “‘It’s not the fact we can’t connect the dots, we can’t see all of the dots.’”
Rounds said, “I think it is time to explore a requirement for industry to make confidential disclosures of cyber-attacks above a certain threshold to the appropriate authorities to strengthen our ability to more quickly find and respond to these cyber-attacks.”
Rounds' comments echo a slew of others by Democrats and Republicans in Congress that the federal government needs to begin mandating some sort of cyber breach disclosures by the private sector, at least for companies that own or operate critical infrastructure. The growing interest in federal breach notification laws is due in large part to the increasing number of ransomware attacks against critical infrastructure targets that cause disruptions to the U.S. economy.
The most recent examples include ransomware attacks in May against East Coast fuel pipeline operator Colonial Pipeline and against meat processing facilities of Brazil-based JBS in the U.S., Australia and Canada. In both instances, the companies paid the network hostage-takers multi-million-dollar sums of money to be able to bring their networks back online.
The cyber panel met to consider the Defense Department’s roles and responsibilities in protecting the nation from cyber and ransomware attacks. Ransomware attacks are pursued by criminal organizations, typically outside the U.S. in countries that willingly or unwillingly provide them with safe harbor.
Rounds said that discussions about breach notification requirements “extend beyond the jurisdiction” of the subcommittee but said the issues must be addressed “holistically and I look forward to working with my colleagues on the other committees of jurisdiction and with industry to explore the policies necessary to better protect our nation.”
A joint written statement by a trio of DoD witnesses outlined three roles the department plays as part of a whole-of-government approach to combatting ransomware attacks. The first is taking advantage of the insights and information gathered “about hostile cyber actors through Hunt Forward Operations on allied and partner nation networks” that allow the DoD to improve its security posture and give federal and international partners the ability to take actions, they said.
Second, through entities like the DoD Cyber Crime Center and an information sharing effort it has with the defense industry, the department has a priority on “ransomware reporting and content briefings,” the officials said.
Finally, DoD cyber forces constantly protect the department’s information network from cyber threats, they said.
“We continue to leverage the insights gained by operating on foreign networks to improve our cyber defenses, and we continue to strengthen our partnerships with the Federal Bureau of Investigation and the Department of Homeland Security in order to improve the cyber defenses of federal, state, and local governments, as well as those of the private sector,” said the joint statement.
The DoD witnesses at the hearing were Mieke Eoyang, deputy assistant secretary of defense for Cyber Policy, Air Force Maj. Gen. Kevin Kennedy, director of operations for U.S. Cyber Command, and Rear Adm. Ronald Foy, deputy director for Global Operations on the Joint Staff.