Report or pay up

The nation’s top cybersecurity officials on Thursday urged Congress to consider passing legislation that would fine organizations if they failed to report cybersecurity incidents to the federal government, part of an effort to do more to confront a recent spree of attacks.

Senior leaders weigh in: Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), testified in favor of taking the more hardline stance to encourage incident reporting during a hearing held by the Senate Homeland Security and Governmental Affairs Committee, which is considering bipartisan mandatory cyber reporting legislation.

“I know some of the language talks about subpoena authority,” Easterly said, referring to the committee’s draft legislation. “My personal view is, that is not an agile enough mechanism to allow us to get the information that we need to share as rapidly as possible to prevent other potential victims from threat actors, so I think we should look at fines.”

Both Federal Chief Information Security Officer Christopher DeRusha and National Cyber Director Chris Inglis testified alongside Easterly on Thursday, with both agreeing that further enforcement mechanisms were needed to encourage cyber incident reporting to the federal government.

Bill incoming: Their comments came in response to efforts by Committee Chairman Gary Peters (D-Mich.) around cyber incident reporting legislation he is working on alongside committee ranking member Rob Portman (R-Ohio).

“Ranking member Portman and I are currently working on legislation that we plan to introduce soon to require critical infrastructure companies that experience cyber incidents, and other entities that make ransomware payments, to report this information to CISA,” Peters said at the start of the hearing Thursday.