CISA to Seek Input for Cyber Incident Reporting Council

The Cybersecurity and Infrastructure Security Agency will soon seek input from public and private stakeholders for the rulemaking process around cyber incident reporting, CISA Director Jen Easterly said Wednesday at the Billington Cybersecurity Summit. Expect an RFI “in a couple days,” she added.

The news follows the federal cyber incident reporting mandate rolled into the 2022 federal spending bill, passed into law earlier this year, and the voracious uptick in cyber attacks against the nation’s critical infrastructure. Easterly also signaled her intent to establish a cyber incident reporting council to process cyber incident reports.

“My goal is to ensure maximum transparency and that will happen with the incident reporting council,” she said during Billington’s opening fireside chat. “To make sure we’re not overburdening the private sector, particularly private companies under duress. We’re all about helping. We’re here to render assistance and get information we can share with our partners while protecting privacy and the victims. We don’t want to burden the federal government with noise, either.”

Easterly and other leading cyber SMEs stressed the importance of information-sharing and public-private collaboration at the summit.

‘Go Fish’

National Cyber Director Chris Inglis called for greater “professional intimacy” between relevant parties to bulwark cyber defenses.

“The aggressor has to beat all of us to beat one of us, that is the new way forward,” Inglis said. “I think that idea is now more firmly entrenched than it was a year or two ago.”

Inglis warned federal agencies and private companies against playing “Go Fish” with one another by withholding information or asking questions about pertinent cyber information without offering proper context. Gatekeeping efforts such as these, he said, only benefit cyber adversaries.

“Collaboration has to be built on common cause,” he said during a fireside chat at the summit Wednesday. “There has to be a degree of professional intimacy so that you’re not playing ‘Go Fish.’ We don’t want two scoreboards, we want one. We will suggest things to one another no one could’ve done alone. We will solve things no one could’ve solved alone. Too few, none I would say, have a god’s eye view of this space. That’s the importance of information-sharing. Share information at the lowest possible level, not the highest possible level, it beats so many of the problems we’ve had.”

Easterly said trust is “the most important currency” in cyberspace and “underpins” all relationships between public and private entities and will be key to successful information-sharing.

Make cyber defense ‘sexy’

The Biden administration made cybersecurity a key priority. Easterly wants to capitalize on that and make cyber defense “sexy” to ensure higher resiliency in cyberspace.

“I spent a lot of time on the offensive side, and offense is seen as sexy, right? I think defense is sexy,” she said. “I want to harness the power of defenders here in the United States and across the planet and make defense the new offense.”

Easterly hopes this new cyber defense messaging can encourage greater collaboration between government and industry.

“It’s really about working together to defend the ecosystem,” she said. “Everything we’ve learned over the past year as we have been building our partnerships through JCDC, Log4Shell, the Shields Up campaign, it really capitalizes on our superpower. We all need to work together, all of our defender partners. It’s industry, it’s state and local, it’s nonprofit partners, research community, and the privacy community. Attackers have budgets too. We have to work together to make sure we’re increasing the marginal cost so attackers have to burn a zero day if they want to go after critical infrastructure.”