A top FBI official told lawmakers Tuesday that the FBI could be left out of new cybersecurity legislation. That, according to America’s most powerful law enforcement organization, would be a significant issue. Bryan Vorndran, the assistant director of the Cyber Division, testified before Congress that the Biden administration is “concerned” about legislation proposed by the Senate and House Homeland Security committees. The legislation would require a wide range of companies to report intrusions to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), but not to the FBI simultaneously.
Current incident reporting law fails to recognize the necessary expertise and role of the Department of Justice (DOJ), especially the FBI, in cyber event reporting. The Biden administration’s stance throws a spanner in the works of a years-long attempt to force major corporations to reveal cyberattacks. The House’s annual must-pass defense bill includes a provision requiring critical infrastructure operators and federal contractors to notify CISA if they are hacked. The Senate’s version of the measure is likely to have similar language.
One of the most severe issues that government cyber defenders face is a lack of understanding of many digital attacks against private businesses. Unlike other countries, the United States does not actively monitor or defend most key private-sector networks. That means government agencies rely on companies voluntarily revealing attacks in order to have a full view of the threat landscape and make appropriate security recommendations.
However, while CISA controls the government’s “asset response” objective, which involves resolving specific vulnerabilities and assisting victims in upgrading their networks, the FBI oversees the “threat response” mission, identifying and deterring hackers. As a result, authorities from the Justice Department and the FBI want quick access to any incident reports.