Cyber Agency Wants Law to Improve Private Sector Data Sharing

  • Law could create incentives to share vulnerabilities
  • Acting agency head sees bipartisan support in Congress

The government needs legislation to encourage the private sector to share its information about cyber vulnerabilities, the acting head of the Cybersecurity and Infrastructure Security Agency said Thursday.

“Without legislation, you’re not going to have consistent information sharing,” Brandon Wales, the acting director, said Thursday during the Billington CyberSecurity Defense Summit.

CISA wants to work with lawmakers to craft legislation that gives the government access to information that could help defend networks across industries, while still protecting sensitive private sector data, Wales said, adding that there is already bipartisan support in Congress to develop new authorities.

Security software company FireEye Inc. was the first to alert authorities about a hack to its systems that resulted from the SolarWinds Corp. cyberattack—an attack that also affected multiple federal departments and agencies and more than 100 U.S. companies. FireEye’s stock prices dropped with the initial news and later recovered; the company has been credited by CISA and lawmakers for its forthright response to the wide-ranging attack. But such responses tend to be the exception, rather than the rule, for companies worried about their reputation.

Companies Must Report Hacks to U.S. Under Proposed Order

Wales is the acting CISA head, but the Biden administration on Thursday formally sent Jen Easterly’s nomination to the Senate to serve as CISA director. Easterly is head of resilience at Morgan Stanley and a former National Security Agency official.

Attacks From China

The threat to the private sector is only increasing, especially from countries like China, which is using cyberattacks on private companies as a new form of national power, retired Gen. Keith Alexander, founder and co-CEO of IronNet, said during the same summit.

“When China and other countries steal that intellectual property that hurts and hurts our nation. That’s our future economic wealth,” he said at a separate panel discussion.

As long as private sector victims don’t share information that could then impact their value or trust in their products, other industries and companies will suffer similar fates, Wales said.

CISA needs a better value proposition, something new legislation could address, he said.

To contact the reporter on this story: Shaun Courtney in Washington at scourtney@bgov.com

To contact the editor responsible for this story: Anna Yukhananov at ayukhananov@bloombergindustry.com

Top