FBI Director Christopher Wray continued to argue that his bureau should receive mandatory reports about hacks and other significant cyber incidents from critical infrastructure “in real time” and called for strong liability protections for businesses.
In testimony to the House Intelligence Committee Tuesday, Wray was asked to assess the impact of the Cyber Incident Reporting Act, which passed the Senate last week in a package of cyber-related legislation. Wray strongly endorsed the concept of the bill, but said the bureau had a number of issues with the way the reporting was structured.
“No one believes more in the importance of private sector reporting of cyber threat information than I do. I’ve been testifying and calling for it for quite some time. It’s important however that information flow real time,” said Wray.
The comments follow reporting from POLITICO that the bureau and Department of Justice are urging lawmakers to tweak legislation that passed the Senate last week requiring critical infrastructure companies to report to the Cybersecurity and Infrastructure Security Agency (CISA) when they suffer a breach or “significant” cyber incident. Under the Senate bill, the FBI would stand to receive such reports within 24 hours of submission to CISA, but FBI and DoJ officials have said that is not sufficient and want reporting to the two agencies to happen simultaneously.
Wray said that the FBI undertakes numerous activities around ransomware and other cyberattacks where earlier notification could result in better outcomes, from investigating hacking crimes and assisting with incident response to recovering ransom payments paid in cryptocurrency, warning potential future or downstream victims and disrupting adversary command and control infrastructure.
He also said it was important that the law shield companies from potential legal liabilities and create a direct reporting path to the FBI, arguing that relying on CISA to share such reports would only delay their work.
“We have agents out in the field who are responding — often within an hour or so — to a business that’s been hit and that’s happening thousands of times a year, so we need to make sure that information flow is protected,” Wray said. “Namely, that the businesses that come forward…have protection from liability for doing so and not just reporting, through some longer-term means, to some bureaucracy in D.C., so that part has to be taken care of. Time matters…our agents are using the information they get from businesses every day to go after the hackers, to seize their cryptocurrency, to take down their infrastructure.
CISA officials, for their part, have said they are willing to share reporting with the FBI in a timely fashion.
“We have a terrific operational partnership [with] our FBI teammates and will continue to do so, to include always ensuring that cyber incident reporting received by CISA is immediately shared with them,” CISA Director Jen Easterly tweeted last week.
Those comments were echoed this week by executive director Brandon Wales, CISA's third highest-ranking official.
"[Businesses] should immediately report cybersecurity incidents and anomalous activity to CISA or the FBI," Wales said Tuesday during an event hosted by the Aspen Institute. "By sharing that information with us, we can help make sure that the entire ecosystem is better protected."
Despite the push from FBI and DoJ officials, lawmakers continue to broadly support placing CISA — which does not investigate or prosecute cyber crimes — at the forefront of the federal government’s new cyber incident reporting regime. Some have questioned how the FBI prioritizes and balances its work assisting companies in the wake of a hack with its broader law enforcement mission.
The bureau was taken to task by members of Congress last year after it came to light that following the Kaseya ransomware attack that infected hundreds of companies, the FBI obtained the encryption key for the criminal group’s malware for nearly three weeks before handing it over to Kaseya, in part because they were planning to use it in a later operation to disrupt the group that never panned out. That spurred anger among some lawmakers who expressed concerns that the FBI may have left hundreds of businesses out to dry for weeks while they struggled to restore their systems.
At the same hearing, Director of National Intelligence Avril Haines acknowledged the FBI’s frustrations, but strongly endorsed the Senate legislation and CISA’s role.
“We are extremely supportive of the cyber reporting bill — essentially to CISA…I think we also agree there is additional reporting that might be done more generally, but I just want you to understand that our support is for the legislation,” said Haines.