The United States may soon look to regulate private companies, mandating higher standards for cybersecurity following a series of damaging hacks and ransomware attacks against key firms and critical infrastructure.
U.S. President Joe Biden's nominees to fill two top cyber roles in his administration warned Thursday that malign actors are currently operating with impunity and that too many private sector organizations have, so far, failed to take the necessary precautions.
"Enlightened self-interest, that's apparently not working," Chris Inglis, tapped to be the country's first national cyber director, told members of the Senate Homeland Security and Governmental Affairs Committee. "Market forces, that's apparently not working."
"When they're conducting critical activities upon which the nation's interests depend, it may well be we need to step in and we need to regulate or mandate in the same way we've done that for the aviation industry or the automobile industry," he added.
Jen Easterly, nominated to head up the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, agreed.
"As a nation, we remain at great risk of a catastrophic cyberattack," she said. "It seems to me that voluntary standards are probably not getting the job done and that there is probably some sort of role for making some of these standards mandatory, to include notification."
The question of how best to take on a range of cyberthreats, from state-sponsored hackers to ransomware networks, has been thrust into the spotlight following a series of high-profile attacks in recent months, starting with the discovery of the hack of SolarWinds, a Texas-based IT management software company, last December.
That breach, described by U.S. intelligence agencies as a Russian espionage operation, exposed as many as 18,000 SolarWinds customers, allowing the Russian hackers to access information at major U.S. agencies, including DHS.
More recently, a ransomware attack forced JBS, the world's largest meat supplier, to shut down operations in Australia and North America.
And, earlier this week, the chief executive of Colonial Pipeline, the largest fuel pipeline operator in the U.S., told lawmakers in Washington he felt he had no choice but to pay close to $5 million to the DarkSide ransomware group following a ransomware attack in May that caused fuel delivery disruptions up and down the country's East Coast.
"We really are at a moment that requires an 'all hands-on deck' approach," said Easterly, who until recently led cyber-resilience efforts at U.S.-based financial giant Morgan Stanley, following a stint at the National Security Agency (NSA).
The call for more regulation is not new; a bipartisan group of lawmakers has been pushing for mandatory reporting requirements for companies hit by major hacks, ransomware attacks and other types of breaches.
"Congress needs to act," Mark Warner, the Democrat who chairs the Senate Intelligence Committee, told Axios Thursday at a virtual event, when asked about the recent attacks.
"The Biden administration has moved aggressively, but they can only do a certain amount of things," Warner said. "We need to put this mandatory reporting bill in place."
Last month, Biden signed an executive order that requires IT service providers that contract with the federal government to share certain information about breaches affecting their networks, mandates higher security standards for software sold to the government, and creates a standard playbook for how federal agencies should respond to a cyber incident.
On Thursday, Inglis told lawmakers that the recent series of high-profile hacks and ransomware attacks "signal the urgent need to secure our national critical infrastructure" and that if confirmed as national cyber director, he would work to strengthen not just the technology but the people using the technology, as well.
"What we need to do is make these systems defensible — they'll never be secure," Inglis said. "We need to then defend them … such that we can change the decision calculus of adversaries.
"Every one of us needs to learn how to cross the cyber street in the same way we learned to cross a physical street when we were young," he added.