US Not 'Whacking' Cyberattackers Hard Enough: Katko

of them." Diplomacy doesn't work because countries that enable attacks understand only strength and power, which the U.S. isn't projecting, he said. Until recently, cyberattacks had little visible public impact, but the Colonial Pipeline hack let people see the disruption that stopped them from buying gas, he said. Katko criticized President Joe Biden's budget request for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, saying it doesn't appear to match Biden's rhetoric on cybersecurity. Information-sharing in the cybercommunity is in its infancy, and the U.S. needs better reporting of cyber incidents, Katko said. One key issue is how to encourage the private sector to share information without worrying about lawsuits and immunity from liability, he said. Colonial Pipeline, SolarWinds and other incidents show malefactors are ratcheting up attacks and have figured out that going for critical infrastructure is "where the rubber meets the road." Asked about possible regulation, Katko said it's under discussion. One idea would be to require companies to certify in SEC 10-K filings they're adhering to cybersecurity best practices. Katko has floated legislation aimed at beefing up cybersecurity standards in the critical infrastructure industry, and said such other measures could be rolled out sector by sector. Lack of chips is also a serious threat the U.S. must address by bringing some manufacturing home, he said. Asked what responsibility industry bears to balance security with new technologies such as 5G and quantum computing, the lawmaker sought standards. U.S. companies paid $350 million in ransomware payments in 2020, up 171% from 2019, said AEI Resident Fellow Klon Kitchen.