Warner Predicts Cybercrimes Reporting Bill in Weeks
Mark Warner, D-Va., is confident the Senate Intelligence Committee he chairs will produce “strong” bipartisan legislation “within the next couple of weeks” on mandatory reporting of cyberattacks, he told an Axios webinar Thursday. He hopes the Biden administration endorses the legislation “since it will be strongly supported,” and that “we can move on this quickly,” he said.
When debate on the issue surfaced six or seven years ago, “the business community did not want any additional mandatory reporting,” said Warner. “I think they now realize that they themselves are put in jeopardy if we don’t have mandatory reporting.” Warner expects the legislation will give companies “some limited immunity” for reporting cybercrimes and will protect their trade secrets from disclosure to anyone but law enforcement, he said.
Legislation on mandatory “incidents reporting” won’t solve “the whole problem” of U.S. vulnerabilities to cyberattacks, said Warner. “It will be an important first step to at least make sure that we can bring our capabilities to bear when these activities happen.” The U.S. long has “underestimated” its cybersecurity weaknesses, said Warner. When the Colonial Pipeline ransomware attack shut down a third of U.S. gas stations for several days, it was a turning point where the “reality” of cyberthreats “is now being felt by everyday Americans,” he said.
Companies “have been paying ransomware almost as a cost of business” for years, said Warner. “That’s not sustainable,” plus “as a practice, you don’t want businesses promoting criminal activity,” he said. “We would love to get to a place where there are no ransomware payments.” In the “interim,” he said, “let’s at least make the payments much more transparent.”
The current state of cybersecurity is “chaotic,” and in a way “that shouldn’t be surprising” amid the pace of digitalization in “corporate and consumer activity,” Google Vice President-Security Royal Hansen told the webinar. “The pandemic has only accelerated that.” Each of those “new experiences online” brings with it an “increase in the attack surface for a much bolder and more aggressive set of attackers,” he said. “It’s an incredible and frightening time, but an opportunity for us also to get this right.”
Ransomware isn’t a new means of attack, “but it preys on the aging infrastructure,” said Hansen. In the physical world, “it takes decades for bridges and roads to decay,” he said. In the digital world, “those cycles are much faster,” he said. Anyone tasked with maintaining the digital infrastructure “inevitably falls behind” if not on the “cusp” of more “modern” digitalization platforms, he said.
Making technology “secure by default” is the only way “we can get into a mode we can sustain,” said Hansen. Google reconfigured Gmail to automatically remove phishing emails from a subscriber’s inbox, “and they never show up” again, he said. “We started in Chrome to have passwords filled, so you never have to write them on that yellow sticky. We have links that never show up because we know already that they’ve been clicked and proven bad.”