Cyber executives who testified before the House Homeland Security Committee on Tuesday warned against the government taking too large a role in defending the private sector against threats from Russia.
Amit Yoran, president and CEO of cybersecurity firm Tenable, said the federal government should be less of a regulator and more of a partner for critical infrastructure as public and private entities respond to warnings of Russian cyberattacks amid its war against Ukraine.
“I don’t think the US government should play a cyber defense role where they defend critical networks and critical infrastructure where they may not understand what changes they might make and how they might affect critical infrastructure,” Yoran said.
Yoran was responding to a question posed by the committee’s vice chair, Ritchie Torres (D-N.Y.), who asked if the US government should take a larger role in defending critical sectors beyond the public guidance that it has issued.
Yoran added that “it is up to those operators [working in those critical sectors] who understand how the systems work, to defend those networks with the help of intelligence and information from their government partners.”
Yoran was one of four cyber experts invited to testify before House committee members on ways to protect critical infrastructure against Russian cyber threats.
Experts largely supported recent government efforts to coordinate cybersecurity, saying the focus should remain on guidance and information sharing, rather than regulation.
Critical infrastructure in the US has been on high alert following “Shields Up” guidance issued by the Cybersecurity and Infrastructure Security Agency (CISA), urging businesses to remain vigilant amid the war in Ukraine and the harsh Western sanctions against Russia.
The White House and the FBI have also issued similar warnings in recent weeks, calling on the private sector to beef up its cyber defenses after new intelligence suggested Russia is exploring “options for potential cyberattacks” against critical infrastructure.
Continuing his original question, Torres asked Yoran if the federal government should mandate cyber best practices, such as multi-factor authentication, across critical infrastructure sectors.
Yoran said that while it’s important for the government to mandate cyber best practices, it’s also crucial that it recognize there is no uniform best practice that fits all critical sectors.
“Regulatory agencies and sector-specific agencies must work with CISA and their private sector counterparts to develop and maintain those best practices,” he said.
House members also praised a recent law that would require companies in critical sectors to report substantial cyberattacks within 72 hours and ransomware payments within 24 hours to CISA.
“This is one of the most important cybersecurity bills of the last decade,” said Ranking Member Rep. John Katko (R-N.Y.).
“A significant cyber incident and ransomware attacks on critical infrastructure will mean increased visibility for the federal government,” he added.
During the hearing, Katko also asked one of the cyber experts how the government should help CISA strengthen its partnerships with the private sector.
Adam Meyers, senior vice president of intelligence for CrowdStrike, said that CISA had done a “phenomenal job” of setting up information-sharing systems, adding that fostering a collaborative environment between government and the private sector is “absolutely critical.”
“I also think that from a defensive perspective, the vulnerabilities that CISA has highlighted as critical to fix, the Shields Up program, as well as some of the other initiatives that they have put in place, have been very effective and I would like to see that continue,” he said.