At a glance.

  • US DHS gets to work on cyber incident reporting standards.
  • Intelligence Authorization Act nears a US House vote.
  • CISA’s new procurement authority.

US DHS gets to work on cyber incident reporting standards.

The Cyber Incident Reporting Council met for the first time this Monday, officially starting the 180-day countdown to Department of Homeland Security (DHS) Secretary Alejandro Mayorkas’ deadline for providing Congress with guidelines for cyber incident reporting across the federal government. Nextgov.com explains that the Council is composed of representatives from various federal agencies and departments including the Securities and Exchange Commission, the Federal Bureau of Investigation, the Office of the National Cyber Director, and the Treasury Department. DHS’s readout on the meeting states, “The [Cyber Incident Reporting Council] will meaningfully improve cybersecurity, reduce burden on industry by advancing common standards for incident reporting and inform a report [to Congress] from the Secretary.” The Cybersecurity and Infrastructure Security Agency has three and a half years from enactment of the recently passed incident reporting law to finalize rules for its implementation, which will vary across federal agencies. 

Intelligence Authorization Act is put to vote.

In the wake of the revelations of the Pegasus Project, the US House of Representatives is set to vote on the Intelligence Authorization Act, 9to5Mac reports. Passed by the House Intelligence Committee last week, the Act would allow the President to impose sanctions on companies that target the intelligence community with spyware, allocate more funding for investigations into the use of foreign commercial spyware, and authorize the Office of the Director of National Intelligence to ban contracts with foreign firms producing surveillance software. The Commerce Department has already named Pegasus-maker NSO Group a threat to national security and banned the import and the spyware. “Many companies like [Israeli spyware maker NSO Group] see entering the US market as the ultimate prize and what we’ve seen so far is that the US government does have the ability to chill investment interest in bad actors, and that’s really important,” said University of Toronto’s Citizen Lab’s John Scott-Railton, who is scheduled to speak at the hearing today. As CyberScoop notes, some experts worry the measures might not be enough, especially since private companies have surpassed nation-states as the main manufacturers of such surveillance software. Justin Sherman, a fellow at the Atlantic Council’s Cyber Statecraft Initiative, said going after these companies’ profits is a good start, but feels the law should do more to protect not just the intelligence community, but American citizens at large.

Looking ahead to CISA’s new procurement authority. 

The Cybersecurity and Infrastructure Security Agency (CISA) is being granted its own procurement authority (instead of relying on the Department of Homeland Security), and the Federal News Network spoke with Alan Thomas, former commissioner of the General Services Administration’s Federal Acquisition Service, to discuss what this means for CISA. The agency has said it plans to hire fifty more staffers, and Thomas says they’ll likely start there, finding employees with the necessary knowledge of emerging technologies. Thomas explains, “It’s a startup procurement organization. And in some sense, it’s really a startup within a startup. I mean, CISA is the newest component within DHS. So you’re doing a startup within a startup in an area that’s changing pretty rapidly, right?” Thomas notes that DHS plans to take it slow, with a ramp-up of two years or more, which should help the new authority avoid the stumbles often experienced by organizations that rush to hit milestones. He predicts the staff will be a mix of seasoned, Washington, DC-based government employees with experience in procurement as well as newer, remote workers: “Maybe people who are a little more fluent in technology, who need to be trained up to some extent.” He adds that lawyers will be necessary to make sure necessary rules and regulations are followed without curtailing innovation: “But I think, for the most part, you’ll find good lawyers in government service who say, ‘Hey, I’m happy to dig in early,’ and as I said, be solution oriented—help you figure out how to get to yes, but stay within some guardrails, which are there for generally pretty good reasons.”