U.S. Sen. Gary Peters (D-MI), chair of the Homeland Security and Governmental Affairs Committee, convened a hearing Thursday to examine the Biden Administration’s actions to beef up the nation’s cybersecurity defenses.
Peters and witnesses discussed what the federal government needs in order to deter cyber-attacks, including how Congress can establish incident reporting requirements.
“Whether it’s widespread spyware, or a ransomware attack, the federal government needs to know when cyber incidents have occurred, so they can determine if there are patterns, alert future potential targets, and help seal up any vulnerabilities. This information is especially vital when it comes to our nation’s critical infrastructure, 85 percent of which is privately owned and operated,” Peters said during his opening statement. “Despite this vulnerability there is currently no national requirement for all critical infrastructure owners and operators to report to the federal government when they have been hit with a significant attack. That needs to change.”
Witnesses at the hearing included National Cyber Director Chris Inglis, Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, and Office of Management and Budget Federal Chief Information Security Officer Chris DeRusha.
Peters said the Federal Information Security Modernization Act, last updated more than six years ago, was no longer sufficient to protect federal networks.
Sen. Rob Portman (R-OH), ranking member of the committee, said the federal government needed to be accountable for cybersecurity to ensure a more effective national defense against cyberattacks.
In 2019, Portman, then chairman of the Permanent Subcommittee on Investigations (PSI), released a report on federal agency cybersecurity failures. Last month, Peters and Portman released a bipartisan report that showed seven federal agencies — the Department of State; the Department of Transportation; the Department of Housing and Urban Development; the Department of Agriculture; the Department of Health and Human Services; the Department of Education; and the Social Security Administration — continue to fail at protecting the data of American citizens.
“In recent years, hostile cyber adversaries, both foreign and domestic, have executed some of our most damaging cyberattacks ever and we all know about these,” Portman said. “We’ve had hearings about them — Colonial Pipeline most recently. Both the federal government and the private sector companies have been targeted. We held hearings on SolarWinds, Colonial Pipeline, and others. These events are stark reminders of the wide-ranging and real-world impacts of sophisticated cyberattacks and impacts on people. These attacks have become more and more common, and so it’s important that we work to protect ourselves and our networks. One of the best strategies for preventing these attacks, of course, is to improve baseline cybersecurity practices, basic cyber hygiene.”
Peters said legislation was needed to protect systems and agencies against cyberthreats.
“We also need to ensure the federal government is sharing this same information in a timely manner,” Peters said. “We need to pass updated legislation that clarifies CISA’s roles and responsibilities in federal information security, improves how incidents on federal networks are reported to Congress, and ensures that our cybersecurity resources are effectively aligned with emerging threats.”