The future of the Cybersecurity and Infrastructure Security Agency, requests for a speedier implementation of new cyber incident reporting regulations, and a potential congressional authorization for the newly established Cyber Safety Review Board were all floated by members of the House Homeland Security Committee as they pressed Biden administration officials Tuesday on their cybersecurity plans for the coming year.
During the latest House hearing on worldwide threats facing the U.S., Secretary of Homeland Security Alejandro Mayorkas told lawmakers that CISA continues to implement legislation passed earlier this year putting new cyber incident reporting rules in place that compel critical infrastructure entities to notify the government when they are hit with a cyberattack or pay a ransomware actor.
The law specifies a two-year window for finalizing those regulations, but Rep. Yvette Clarke, D-N.Y., one of the House authors of the bill, expressed a desire to expedite that work “so we don’t have to wait years to see results.”
“My hope is that swift implementation will yield important security benefits, eliminate duplicative reporting frameworks and encourage harmonization across the interagency,” said Clarke.
Mayorkas said DHS and CISA must follow statutory rules in the law requiring engagement with the public and private sector prior to finalizing the regulations (something the agency is already doing) over the next 18 months, but that “we have what I would respectfully submit is the preeminent regulatory regime to ensure the swift promulgation” of the rules when they are ready.
“It is vitally important…the public-private partnership is the bedrock, the foundation of the cybersecurity ecosystem, so we have already begun to engage with the private sector in anticipation,” Mayorkas said.
While lawmakers are keen to move forward as quickly as possible so agencies like CISA and the FBI can begin parsing reporting and gain better visibility over the threat landscape, CISA hosted a public listening session on the proposed regulation last month in Washington D.C. that underscored a number of unsettled concerns that industry and policy groups continue to have around how the rules will be shaped.
At the session, agency officials received numerous questions from attendees around how they intend to define "significant" cyber incidents and which entities and products will ultimately be covered by the regulation. Of particular concern is how CISA’s reporting rules may complicate an already messy reporting environment for businesses as other agencies like the Securities and Exchange Commission, the Department of Energy, state governments and other entities have or pursue their own reporting requirements.
“The cybersecurity information-sharing and reporting landscape is confusing and noisy as new cyber incident reporting rulemakings are proposed,” wrote Ayan Islam, associate policy director for cyber and emerging threats at policy think tank R-Street, in comments submitted to CISA this week. “There has to be a balance in which [critical infrastructure] entities and businesses can provide accurate and timely threat information without burdening their operations.”
Clarke also pressed Mayorkas on whether the administration planned to pursue formal congressional authorization for the Cyber Safety Review Board, an entity loosely modeled on the National Transportation Safety Board and designed to investigate the aftermath of damaging hacks against American entities.
The board’s first report focused on the Log4j vulnerability, and Mayorkas said the department is “now preparing to issue [another] report and one of the things we are considering is the authorization of the CSRB and what further support we can receive from Congress.”
SC Media has reached out to DHS for more information on the timing and focus of the second report.
But beyond the mandatory incident reporting rules, Mayorkas indicated that CISA would continue to lean on a strategy of pursuing voluntary cooperation with the private sector and critical infrastructure entities who own and operate much of the nation’s information and operational technology.
“What we need to do is strengthen the public-private partnership that really defines the cybersecurity ecosystem,” Mayorkas said.
Old threats with a faster tempo and new twists
Those efforts will play out against the backdrop of a familiar cast of malicious cyber actors who are getting increasingly aggressive in their targeting and hacking of U.S. organizations for intelligence and financial gain.
Many of the primary threats in cyberspace remain the same but continue to evolve, with U.S. national security officials highlighting China, Russia, Iran and North Korea, as well as a still-burgeoning ransomware and cybercriminal ecosystem, as the most urgent digital threats facing American businesses and governments.
FBI Director Christopher Wray told the committee the bureau currently has open investigations related to Chinese influence, espionage and hacking threats across all of its 56 U.S. field offices around the country. He called China the greatest long-term threat to U.S. economic and national security, noting that Beijing continues to boast the world’s largest hacking program and “have stolen more of America’s personal and business data than any other nation combined.”
The FBI is also seeing an increased tempo of cyberattacks levied against U.S. critical infrastructure, both from financially motivated ransomware actors as well as foreign countries looking to spy on or disrupt high-value targets, with Wray saying: “It’s becoming more and more difficult to discern where the cybercriminal activity ends and the nation-state activity begins as the line between those two continues to blur.”
In particular, he echoed concerns expressed earlier this year by multiple U.S. officials that heightened tensions between the U.S. and Russia stemming from the war in Ukraine could lead to more aggressive or disruptive attacks on essential American services.
“I would say it’s become an increasingly crowded field of threat actors targeting critical infrastructure, whether it’s ransomware or some other kind of malicious cyber activity and one of the things we’re particularly concerned about during the Russia-Ukraine conflict, is the possibility that, for example, the Russian intelligence services which have long targeted our critical infrastructure for espionage purposes could choose to use the same access for more disruptive purposes,” said Wray.
Wray’s comments come as private researchers at the Stanford Internet Observatory and cybersecurity firm Dragos have independently tracked indications of a shift in the Russian ransomware ecosystem towards more politically motivated campaigns that may align with the larger geopolitical goals of their benefactor country.
While the evidence is not conclusive, Stanford researchers presented data at the CYBERWARCON conference last week suggesting that Russia-based ransomware attacks against six of the most-attacked countries (U.S., UK, Canada, France, Germany and Italy) increased significantly in the months leading up to their national elections.
There is also evidence that the ransomware ecosystem is becoming more decentralized as smaller affiliates increasingly eschew partnerships with larger Ransomware-as-a-Service operations.
Allan Liska, a ransomware analyst at Recorded Future, told SC Media last month that while the overall number of ransomware incidents captured through leak sites has remained stable over the past year, the number of sites from “new” groups has more than doubled, suggesting that many affiliates may be taking advantage of leaked source code from groups like Conti, REvil and LockBit to roll their own ransomware operations and avoid intense scrutiny from law enforcement and governments.
“You saw REvil and LockBit taken down by law enforcement, you saw Conti taken down by a Ukrainian researcher, and even LockBit had their builder released by a developer they refused to pay,” said Liska. “So whether it’s from law enforcement, internal infighting or other security researchers, when you become too big, you become a target.
"What we think is happening is that a lot of affiliates are looking at that RaaS model and saying, 'I don’t want to be a part of that because if I’m part of this, then I may be caught up whenever they are taken down,'” Liska continued.