More federal cyber leaders, including the FBI, Immigration and Customs Enforcement (ICE) and the U.S. Secret Service, called for new cyber-related authority and increased investment in IT and cyber infrastructure to safeguard critical infrastructure from the onslaught of ransomware attacks in a series of recent congressional hearings and virtual events.
The Cybersecurity and Infrastructure Security Agency (CISA) continues to call for mandatory cyber incident reporting, which has garnered Congressional support. The House Homeland Security Committee introduced an amendment to the Homeland Security Act of 2002 that installs a Cyber Incident Review Office within CISA.
But now the FBI wants in on the access to cyber incident data.
In a Nov. 16 hearing before the House Oversight Committee, FBI Cyber Division Director Bryan Vorndran called for federal agencies and private companies to report cyber incidents to the Department of Justice as well as to CISA.
“I know there are several cyber-reporting bills currently being considered, and I can't stress enough the importance of the FBI receiving full and immediate access to cyber incidents so we can act on them as soon as possible and in unison with our federal partners at CISA,” Vorndran said during the hearing. “The faster we get this information, the faster we can deploy a local cyber threat expert to a victim's door, track, freeze and seize funds taken, and ultimately hold cyber criminals accountable.”
CISA Executive Director Brandon Wales said legislation for cyber incident reporting should be a “top priority” for Congress.
“We need the information to engage with the victim, offer our assistance, understand what's happening on their networks and protect other victims,” Wales said during the Nov. 16 hearing. “Even today there is a lot we're doing across the U.S. government to improve our public-private partnership and enable more cyber defensive activities to protecting the homeland. JCDC (the Joint Cyber Defense Collaborative) brought together the critical government agencies and those companies in the private sector that have the best visibility into the cyber ecosystem. These are companies that can take action on a massive scale.”
Wales and other representatives from the Department of Homeland Security (DHS) also asked Congress in a Nov. 17 House Homeland Security Committee hearing to expand law enforcement authority for ICE and the Secret Service to help hunt down ransomware perpetrators.
ICE's Homeland Security Investigations (HSI) unit leads many DHS efforts to combat cyber crime, such as vaccine fraud, and receives support from the Criminal Investigation and Network Analysis Center (CINA), a DHS Science & Technology Directorate Center of Excellence, to scour the dark web for cyber criminals and ransomware gangs.
Expanding ICE's authority in this area to investigate money laundering associated with ransomware could help law enforcement catch cyber criminals faster, DHS argued in its prepared testimony to the House Homeland Security Committee.
The importance of catching criminals or isolating incidents quickly is a common refrain from federal cyber leaders. In a Nov. 3 hearing before the House Homeland Security Committee, CISA Director Jen Easterly said she supports setting up a bureau of cyber statistics within CISA to better analyze and catalogue cyber incidents as they occur, which could help stop cyberattacks faster or at least isolate them.
National Cyber Director Chris Inglis said collaboration, cyber hygiene and quick response times are essential to strong cyber defense, but also said federal agencies need more IT investment in order to keep up with the rapidly shifting cyber landscape.
For many federal agencies, he added, poor cybersecurity is a result of a lack of resources.
“The technical debt, the lack of investment for so many years, is long in the making and won't be turned around in a fortnight,” he said at the Nov. 3 hearing. “Cyber is essentially a set of open borders. In cyberspace, geography means very little. We have to better identify those threats and secure the infrastructure to bring our resources to bear.”
As federal agencies work to deploy zero trust architectures in accordance with the White House Memorandum on Improving the Nation’s Cybersecurity, leadership buy-in and cyber hygiene are critical.
“A lot of organizations still struggle with basic cyber hygiene,” said Deidra Bass, deputy CISO at the Defense Intelligence Agency (DIA) at the Nov. 18 ATARC Zero Trust Summit. “Encryption is definitely going to be key. Getting really good at the basics is going to position us to be in a better place going forward.”
Jeffrey Lush, CIO of the Air Force's Air University, advised cyber and IT managers at federal agencies to deploy zero trust incrementally and constantly market their success to leadership to get more funding.
“Without leadership behind you, these kinds of initiatives can sputter out,” he said at the ATARC event. “Where agencies for the most part struggle is the ability to draft out what success looks like. What are those functional requirements that you're trying to do? Effectively communicate those to get the appropriate funding and support to implement that change. Without those two core elements, there's a lot of spinning the wheels. This is not a destination, it's a journey.”
Department of Health and Human Services inspector general CIO Gerald Caron said the future of zero trust is continuous, unending verification due to the continuous, unending nature of cyberattacks. Knowing your assets and prioritizing “discovery” of assets will be key.
Zero trust isn’t just a new way to defend networks, it’s a “paradigm shift” that will take time to implement, Bass added.
“All of [zero trust] deals with identity and access,” she said. “If those accesses are compromised, that nefarious character could have the keys to the kingdom. Identity is priority. At the end of the day, it's about protecting the data and the people and getting the right people to the right data at the right time so they can accomplish their mission.”