(Bloomberg) -- The head of the U.S. cybersecurity enforcement agency is supporting bipartisan legislation to mandate that operators of critical infrastructure report data breaches to the government.
Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, said she backs draft legislation from the Senate Homeland Security and Governmental Affairs Committee to require certain private companies, federal agencies and government contractors to report cyberattacks to the agency.
“The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims,” Easterly said in written testimony for the committee’s Thursday hearing.
An increase in cyberattacks, particularly from ransomware, has hit the private sector particularly hard, which owns and operates 85% of critical infrastructure.
Cyber incident reporting should be timely, Easterly said, “ideally within 24 hours of detection.” A draft bill from the panel’s chairman, Michigan Democrat Gary Peters, and top Republican Rob Portman, from Ohio, proposed a 72-hour time frame for reporting.
Incident reporting should also be “broad-based and not limited to type or sector,” Easterly said, adding that CISA and the U.S. Department of Justice should have joint authority over reviewing the reports from critical infrastructure operators as well as from federal agencies and government contractors. The mandatory report should include digital supply chain and ransomware attacks, she said.
Chris Inglis, the country’s national cyber director, said at the hearing cyber incident reporting would be “profoundly useful” and would be helpful in preventing future cyberattacks.
Both Easterly and Inglis said they supported fines on companies as an enforcement mechanism for not reporting cyberattacks.