October 19, 2021

Excellent Pix

Unlimited Technology

Why the U.S. Cyber Agency Doesn’t Want to Be a Regulator – Tech News Briefing

This transcript was prepared by a transcription service. This version may not be in its final form and may be updated.

Zoe Thomas: This is your tech news briefing for Wednesday, October 13th. I’m Zoe Thomas for The Wall Street Journal. Cyber attacks are growing threat to business, and particularly to the nation’s critical infrastructure. But when it comes to reporting breaches, there are a few rules. Lawmakers would like to change that. But the head of the agency that would implement the new rules is pushing back. On today’s show, WSJ pro cybersecurity reporter David Uberti will be here to discuss why and where it leaves the efforts to beef up the nation’s cyber defenses. That’s after these headlines.
General Motors says LG electronics will cover nearly all of the $2 billion at cost to recall over a 100,000 electric vehicles whose batteries had manufacturing defects. GM recalled nearly all of its electric Chevy Bolt’s produced since 2016, due to flaws in the batteries that can cause fires. The automaker has said the defect involved a likely manufacturing problem in LG factories. Other automakers have had similar problems with electric cars, but the high-profile recall of the Bolt has been a particular hurdle for GM, as it prepares to roll out dozens of new electric models in the coming years. LG didn’t immediately respond to a request for comment.
Car sales in China are falling amid the global chip shortage. Last month, just over one and a half million passenger vehicles were sold. According to the China passenger car association. That’s a 17% drop from a year earlier. And it marked the worst decline for the world’s biggest auto market since March, 2020. Part of the blame lies in the semiconductor shortage, which has halted auto production in parts of the US and Japan in recent months.
And Door Dash is adding more ads to its app. The food delivery giant already runs ads offering free delivery or discounts as well as banner ads. Now they’re selling ad space above the search results. The move signals how companies in the money losing food delivery industry are diving deep into advertising as they battle for revenue.
Okay, coming up, if it looks like a regulator and it sounds like a regulator, well, we’ll discuss why the federal agency that’s responsible for addressing cyber attacks doesn’t want to actually be a regulator. That’s after the break.
The US government sees cyber attacks as a growing threat to national security. So three years ago, it created the Cybersecurity and Infrastructure Security Agency, or CySA for short to, help it defend against and respond to hacks and cyber strikes. The agency currently works with businesses that have been hacked, including companies that operate critical infrastructure, to get them to report mostly voluntarily when they fall victim to an attack.
But lawmakers want that to change. Some are pushing for rules, requiring companies to report hacks, and federal enforcement to make sure they do. CySA isn’t so sure. Leaders there say they want new rules, but they don’t want to become regulators. Joining us to discuss the tight rope CySA is walking and how things might change is our cybersecurity reporter David Uberti. Hey David.

David Uberti: Hey Zoe.

Zoe Thomas: So we’ve heard a lot about cyber attacks recently. Who regulates this space now?

David Uberti: It’s really a patchwork across the US government. You have different state regulators in, say, New York that may regulate financial services firms. You have the TSA, the organization that checks your bags at the airport, that has rolled out new regulations for railway operators, and previously, pipeline operators as well. But broadly speaking, there is no cybersecurity regulator for the US government. So we really have this patchwork situation. And the upshot is that for most companies, if they have a serious cyber attack, there’s no obligation for them to actually report that to authorities, which oftentimes leave law enforcement agencies in the dark.

Zoe Thomas: Yeah. So it sounds like the government wants CySA to become a regulator to take on some of the responsibilities that we might see with traditional financial or other regulators. What would lawmakers have to do to make this into a regulator?

David Uberti: So lawmakers are considering a few different bills on Capitol Hill. The gist is that it would require companies that are known as critical infrastructure firms. So these are companies that operate, say, dams or airports or electric utilities to report a major cyber attack to CySA within a certain amount of time. Now there’s some debate within the details that what cyber incidents would be covered, what period of time companies would have to actually report them and crucially whether they would be able to be penalized for not reporting cyber incidents.
And so this is where it gets somewhat contentious among folks in both the public and private sectors, because while CySA is asking lawmakers to impose some strict rules for companies, they want, in some cases, a quicker reporting timeline. They want companies to be potentially penalized if they don’t report. CySA also doesn’t want to be seen as a regulator in this respect.

Zoe Thomas: So let’s break that down a little bit. What is CySA saying about lawmakers wanting it to act like a regulator and it not wanting to be a regulator? How is it walking that tight rope?

David Uberti: So CySA does not want to be a regulator. That is their public position. At the same time, as I said, they want companies that don’t report cyber attacks to CySA to be fined. They see that as essential to enforcement. So we have a situation where it could be a distinction without a difference, if CySA does have the ability to write rules, to designate companies as critical infrastructure and potentially impose fines on them, would they be in fact, a regulator, even though they don’t like that term. And that’s what lawmakers are really grappling with. And they’re trying to thread this needle now to give CySA some of this power while also not alienating CySA from the private sector, which it relies on for a lot of public private partnerships to share some of this cybersecurity information, particularly these large internet service providers or cloud service providers, which have not been the target of regulations thus far.
Those companies have so much data about what happens over US computer networks. So CySA is at a point right now where it’s really relying on them for a lot of these voluntary partnerships and it’s shirking away from this regulatory or at least the appearance of regulatory role, because it wants to have a good relationship, maintain a good relationship with some of those firms.

Zoe Thomas: And what is the private sector saying about that? What’s their take?

David Uberti: I mean, unsurprising, they want more lax regulations to back up a second. I mean, this discussion has been happening on Capitol Hill for about 10 years. And until we saw this spate of ransomware attacks and other cyber attacks over the last year, businesses really oppose these sorts of reporting requirements. But increasingly, they’ve bought into the idea because they understand that there’s a lot of connectivity between different businesses in the economy and then also federal agencies.
So the working theory is that if the government can act as a clearing house for a lot of this data that we supply either voluntarily or through these required reporting regimes, maybe the government can in fact share this data with different companies and help us respond to some of these hacking campaigns.

Zoe Thomas: Yeah. I mean, it seems unsurprising, of course, that an industry wouldn’t want more regulations, but we keep seeing these ransomware attacks, these hacks, these cyber strikes. So the current system doesn’t seem to be working.

David Uberti: It certainly doesn’t. I think there’s a realization that US cyber security needs to be shored up, both by the public and the private sectors. And we do see this moment as something of an inflection point. We had the hack of a company called SolarWinds last year, which affected federal agencies. We had the hack of Colonial Pipeline in May, which disrupted a huge conduit for fuel. We had the hack of one of the largest meat processing companies in the world.
So we have this moment where the US is slowly moving from this truly voluntary approach to cybersecurity regulations to gradually incorporating more mandatory regulatory regime. So the Biden administration is rolling out new rules, different federal agencies are regulating specific sectors of the economy. And then crucially, at this centerpiece, we have what CySA could potentially do through mandatory reporting of cyber attacks and acting as that crucial clearing house.
And the reason why we’re following this debate so closely is because congressional staffers and lawmakers and people in the private sector who are taking part in this discussion, see this as sort of a first step. As CySA becomes more of a central part of US security, broadly speaking, what role will it actually play? Will it become more of a regulator in the traditional sense of the term? Or will it truly have that public private partnership at the center of its mission?
Right now, it’s trying to tiptoe that line, but how these details actually shake out over the coming months and years could determine which direction it ends up taking.

Zoe Thomas: And we’re used to things moving pretty slow when it comes to Washington. But obviously, you said this debate’s been going on for 10 years, there’s a lot of push at the moment to get something done. But how quickly do we expect things to change?

David Uberti: Well, right now, lawmakers and congressional staffers are trying to iron out differences between the three bills that I mentioned. And currently, one of those versions has been attached, as many pieces of legislation are, to next year’s defense spending bill, which is how various pieces of legislation end up getting made into law. So folks think that this could actually happen this time around, barring some sort of late push by either business friendly lawmakers or corporate lobbyists.
The question, as I said earlier, is just exactly what the details turn out to be, how long companies would have to report incidents and whether they would actually have to face some sort of penalty for not doing so.

Zoe Thomas: All right. That was our cyber security reporter David Uberti. Thanks for joining us, David.

David Uberti: Thanks Zoe.

Zoe Thomas: And that’s it for today’s tech news briefing. If you’re looking for more tech stories, check out our website wsj.com. And if you liked the show, please rate and review it. You can do that wherever you get your podcasts. I’m Zoe Thomas for The Wall Street Journal. Thanks for listening.

Source News