Cyber experts warn against government overreach in defending against Russian threats

Cyber executives testifying before the House Homeland Security Committee on Tuesday warned against the government taking an oversize role in defending the private sector against threats coming from Russia.

Amit Yoran, chairman and CEO of cybersecurity firm Tenable, said the federal government should be less of a regulator and more of a partner for critical infrastructure as public and private entities respond to warnings of Russian cyberattacks amid its war on Ukraine.

“I don’t think the U.S. government should be in the cyber defense role where they’re defending critical networks and critical infrastructure where they might not understand the changes that they might make, and how those might impact critical infrastructure,” Yoran said.

Yoran was responding to a question raised by committee Vice Chair Ritchie Torres (D-N.Y.), who asked whether the U.S. government should take a greater role in defending critical sectors beyond the public guidance it has issued.

Yoran added that “it’s incumbent upon those operators [working in those critical sectors], who understand how the systems operate, to defend those networks with help from intelligence and information from their government partners.”

Yoran was one of four cyber experts invited to testify before House committee members on ways to secure critical infrastructure against Russian cyber threats. 

The experts were largely supportive of recent government efforts to coordinate cybersecurity, and said the focus should remain on guidance and information sharing, rather than regulation.

U.S. critical infrastructure have been on high alert following the “Shields Up” guidance issued by the Cybersecurity & Infrastructure Security Agency (CISA), urging businesses to remain vigilant amid the war in Ukraine and harsh Western sanctions on Russia.

The White House and the FBI have also issued similar warnings in the past few weeks, asking the private sector to shore up their cyber defenses following new intelligence suggesting that Russia is exploring “options for potential cyberattacks” against critical infrastructure.

Following up on his original question, Torres asked Yoran whether the federal government should mandate best cyber practices, like multifactor authentication, across all sectors of critical infrastructure.

Yoran said that although it’s important for the government to mandate best cyber practices, it’s also crucial for it to know that there is not a uniform best practice that would fit across all critical sectors.

“The regulatory agencies and sector-specific agencies should work with CISA and their private sector counterparts to develop and maintain those best practices,” he said. 

House members also praised a recent law that would require companies in critical sectors to report substantial cyberattacks within 72 hours and ransomware payments within 24 hours to CISA.

“This is one of the most important pieces of cybersecurity legislation in the past decade,” said ranking member Rep. John Katko (R-N.Y.).

“A significant cyber incident and ransomware attacks on critical infrastructure will mean greater visibility for the federal government,” he added.

During the hearing, Katko also asked one of the cyber experts how the government should help CISA strengthen its partnerships with the private sector.

Adam Meyers, senior vice president of intelligence at CrowdStrike, said CISA had done a “phenomenal job” of setting up information sharing systems, adding that fostering a collaborative environment between the government and the private sector is “absolutely critical.”

“I also think from a defensive perspective that the vulnerabilities that CISA has highlighted as being critical to fix, the Shields Up program as well as some of the other initiatives they’ve rolled out, have been very effective, and I’d like to see that continue,” he said.