The U.S. government is proposing fines for companies that don’t report hacks and data breaches to the authorities, according to a proposal released by the Department of Homeland Security on Friday.
Top US cyber authorities urged Congress on Thursday to give any legislation requiring businesses that run vital infrastructure to disclose intrusions more teeth, asking for a short reporting window following a breach and penalties for those that don’t comply.
According to security experts, such requirements may aid government agencies and key economic sectors in responding to crises. However, many companies and legislators are concerned about the stricter regulation and possible fines advocated by the Biden administration.
On Thursday, Jen Easterly, the head of the Cybersecurity and Infrastructure Security Agency, said that faster disclosures by hacking victims will enable US authorities to examine the data and identify additional possible targets.
Ms. Easterly said in her testimony before the Senate Homeland Security and Governmental Affairs Committee that “cyber event reporting must be prompt, preferably within 24 hours of detection.”
At the same hearing, Ms. Easterly, Federal Chief Information Security Officer Chris DeRusha and National Cyber Director Chris Inglis all backed penalties for businesses that violate such reporting rules.
Photo caption: National Cyber Director Chris Inglis (Kevin Dietsch/Getty Images)
“Of course, we don’t want to put an undue burden on the victims,” Mr. Inglis said. “However, this knowledge is critical for the general welfare.”
The comments indicate that the Biden administration views tough enforcement as critical to a prospective incident-reporting system, something Congress has failed to establish over the last decade in the face of private-sector opposition. State laws already require businesses to report data breaches that expose personal information, and regulated sectors such as financial services have their own sector-specific rules, but there is no general federal requirement to report hacks of organizations deemed critical to the US economy.
A recent series of cyberattacks on government agencies and key infrastructure operators has given the concept new life, persuading some businesses and business-friendly politicians that some rules are needed. Lobbyists are urging legislators to adopt less stringent requirements, such as a 72-hour reporting window, arguing that a shorter deadline would make it harder for businesses to respond to an incident and would flood the government with unvetted data.
Congressional proposals, however, have differed on the scope of any reporting requirement and on how to enforce it.
A Senate measure introduced in July would give selected companies a 24-hour reporting window and allow CISA to fine them up to 0.5 percent of their previous-year revenue for each day they were out of compliance. A draft bill in the House would give CISA the authority to issue subpoenas, but not fines, to businesses that fail to provide information within 72 hours. House members considered fines, according to an aide, but concluded they would increase friction with businesses rather than improve CISA’s access to timely information.
While Ms. Easterly said on Thursday that disclosures within 24 hours of a breach would help CISA track threats, she cautioned that a reporting window that is too short could produce inaccurate data.
“We don’t need erroneous noise,” she added. “We need a signal.”
The hearing took place one day after the government released new guidance on how businesses in key infrastructure sectors such as energy and transportation should strengthen their cybersecurity. Its high-level recommendations include producing cyber risk assessments, performing continuous threat monitoring, and maintaining an inventory of all software and hardware on their networks.
Further attacks on critical infrastructure, US officials say, may require mandatory rules, such as the Transportation Security Administration directive issued in May after hackers shut down the East Coast’s largest fuel pipeline for six days. Officials said those rules require pipeline owners to report hacks within 12 hours or face possible fines of $7,000 per day.
Businesses fear large penalties for critical-infrastructure operators.
Imposing penalties could push companies to build their compliance programs around avoiding fines rather than around cybersecurity best practices, according to John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, a Washington-based trade association of technology companies.
Mr. Miller said punitive measures would damage the existing working relationship between industry and the government.
David Uberti can be reached at david.uberti@wsj.com.
Copyright 2021 Dow Jones & Company, Inc. All Rights Reserved.