Inside Cybersecurity

April 20, 2024

Daily News

Deputy cyber director Walden says ‘backend’ incident reporting issues are being worked out among agencies

By Charlie Mitchell / September 22, 2022

Kemba Walden, a top official in the Office of the National Cyber Director, is urging companies to report incidents to either the FBI or CISA and says officials are ironing out the process on the back end to ensure intelligence is shared appropriately between federal agencies.

“You should be able to share with one [of the agencies] and let the government figure out how to handle it on the back end,” Walden said Wednesday.

“I’m a creature of CISA but the FBI is fantastic” at nurturing relationships with industry partners and is often “pulled in quickly” when cyber attacks occur, according to Walden, the principal deputy national cyber director and a former CISA official. “My hope is that the victim company contacts the FBI, or CISA,” and then the interagency coordination is sorted out on the back end.

Kemba Walden, Principal Deputy National Cyber Director

The cyber incident reporting law enacted earlier this year is structured around critical infrastructure operators reporting breaches to the Cybersecurity and Infrastructure Security Agency, and lawmakers resisted a late push by the FBI to be designated alongside CISA as the portal for the reports.

Since the bill’s enactment, officials from both agencies have stressed their extensive collaboration and have downplayed concerns over which agency first receives incident reports. CISA, which is writing the regulations to implement the law, held its first stakeholder listening session on Wednesday.

Walden discussed a variety of cyber policy topics Wednesday in a fireside chat with CrowdStrike’s Shawn Henry at the security firm’s Fal.Con 2022 conference in Las Vegas. The agenda included a keynote by Reshma Saujani, the founder of Girls Who Code and Marshall Plan for Moms, who also discussed cyber workforce challenges with Amol Kulkarni, chief product and engineering officer of CrowdStrike.

On incident reporting, Walden said government and industry alike need actionable information at scale, and that the process improved in real time amid the Ukraine crisis. “We’ve made progress, [but we] need exponential change,” she said.

“I have seen improvements, and I know the information these [private sector] organizations have could help improve resilience,” CrowdStrike’s Henry observed. He said it’s also important for officials to be clear on what the federal government can and will do to assist in an incident, and to spell out the value proposition for companies participating in info-sharing.

On issues related to supply chain security, Walden said “the voluntary approach has worked to an extent [but] we need to look at some other approaches,” including what she characterized as “light regulation.”

Regulation needs to be “rationalized,” including in the area of software, she said, noting that the economy currently features over-regulation in some areas and under-regulation in others. Walden mentioned “assembler liability” in particular as an area to be examined. – Charlie Mitchell (cmitchell@iwpnews.com)