The increased velocity of major cyber attacks on U.S. government and private sector targets is giving increased urgency to the adoption of cyber incident reporting rules that will improve the government’s ability to identify and defeat them, said Tonya Ugoretz, Deputy Assistant Director for the Cyber Readiness, Outreach, and Intelligence Branch at the Federal Bureau of Investigation.
Just a few years ago, Ugoretz said during a Jan. 14 Washington Post Live event, the U.S. might experience one major cyber incident per year that would capture the government’s attention and, at times, that of the public. But last year changed all of that.
“2021 will go down as a landmark year in cybersecurity,” she said, giving renewed importance to more robust incident reporting rules that have yet to make it through Congress.
Lawmakers in the Senate advanced language in the Fiscal Year 2021 National Defense Authorization Act that would set timeframes for when critical infrastructure owners and operators must report major incidents, and that would make mandatory for some companies reporting of ransomware payments, but those provisions didn’t survive final negotiations on the bill. Senate lawmakers – along with House members including Reps. John Katko, R-N.Y., and Yvette D. Clarke, D-N.Y. – want to try to get a similar measure passed this year.
“There are a number of agencies in the U.S. government with various cybersecurity responsibilities. But there are only two agencies that are identified as responsible for responding to cyber incidents, and that’s CISA and the FBI,” Ugoretz explained.
Speed is of the essence in responding to cyber incidents. So while CISA and the FBI already collaborate on cyber-related issues, what matters most is how quickly cyber incident reports are shared between them.
“We are stronger when we can respond together on the basis of the same information. That’s how we try to operate in all cases now. And the speed of our being able to get that information makes a difference,” Ugoretz said.
The FBI still wants some tweaks to the legislative language, including language to specify “that information would be shared by CISA simultaneously and unfiltered with the FBI,” Ugoretz said.
One of the goals of that language, she said, is to reduce confusion for the private sector, and to provide clarity so private sector organizations know exactly what’s going to happen with their information when they share it.
In addition to legislative measures, for 2022 the FBI is focusing more on ransomware payment seizures, as it did during the Colonial Pipeline cyber attack last year. The bureau is specifically moving away from an indictment-and-arrest-first model toward imposing costs on adversaries, Ugoretz explained.
“The types of ransomware seizures that you saw us undertake with the Department of Justice last year are certainly things we want to replicate … and try to scale,” she said.
The bureau’s decentralized workforce is also an advantage in securing cyberspace, especially given the FBI’s statutory authority over incident response, counterintelligence, domestic intelligence, and computer intrusions, she said.