A draft bill that would establish a mandatory cyber incident reporting framework at the Cybersecurity and Infrastructure Security Agency (CISA) received praise from stakeholders and industry leaders during a hearing on Sept. 1 from the House Committee on Homeland Security’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
Subcommittee Chairwoman Yvette Clarke, D-N.Y., and Committee Ranking Member John Katko, R-N.Y., plan to introduce the bipartisan draft bill, known as the Cyber Incident Reporting for Critical Infrastructure Act of 2021, soon; they held the hearing first to gather input from witnesses and continue refining the bill’s text.
“The draft legislation we are discussing today is the product of months of dialogue with government officials and private sector stakeholders,” Rep. Clarke said in her opening statement. “We have worked hard to draft the legislation in a manner that will result in the greatest security impact for both the Federal government and the private sector.”
Specifically, the bill would direct certain critical infrastructure owners and operators to report cyber incidents to a newly established Cyber Incident Review Office within CISA.
Notably, the bill would give industry partners a 72-hour reporting window, which tech trade groups have recently pushed for and contrasts with the 24-hour cyber incident reporting window contained in Senate legislation introduced in July.
“The bill appropriately tailors the scope of incidents that should be reported to those that could cause actual harm. This will ensure our system receives accurate and useful data to help achieve its goal of greater situational awareness,” Heather Hogsett, senior vice president of technology and risk strategy for BITS at the Bank Policy Institute, said in her praise for the draft bill.
“The timeline for reporting no earlier than 72 hours after confirmation an incident has occurred strikes the right balance to allow a firm sufficient time for investigation and implementation of response measures while reporting timely, accurate, and useful information to CISA,” she added.
John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, agreed that the 72-hour timeline is consistent with what his organization recommends as well.
“We recommend any legislation allow for feasible reporting timelines commensurate with incident severity levels, but of no less than 72 hours,” Miller said during the hearing. “Ensuring timelines are feasible is important for several reasons, including allowing entities sufficient time to determine what has occurred and ensuring an incident is properly contextualized, upholding cybersecurity while an entity investigates an incident, and [aligning] with global best practices. We appreciate the act makes clear CISA may not require reporting earlier than 72 hours after an entity confirms an incident has occurred.”
Other witnesses included Ronald Bushar, vice president and government CTO at FireEye Mandiant; Robert Mayer, senior vice president of cybersecurity at USTelecom; and Kimberly Denbow, managing director of security and operations at the American Gas Association. The other witnesses also agreed the 72-hour timeframe allows entities a proper amount of time and hits the “sweet spot” for an initial reporting requirement.
Witnesses also reminded members of the committee during the hearing that “bidirectional information sharing” will be critical going forward between industry and the Federal government.
“That bilateral part is so important. We feel like when we share with the government, it becomes a landfill of information with nothing valuable coming back out to us in a timely fashion,” Denbow said. “And that’s not to criticize the individuals that are working with the process on the government side. Much like having a valuable byproduct out of landfills, such as renewable natural gas, it would be valuable if we could have a valuable byproduct out of this data landfill, being bidirectional information sharing – in a timely fashion of actionable information.”
Miller offered that cybersecurity is a “team sport” and based on his initial conversations with CISA, he has found that the agency is truly interested in “driving deeper operational collaboration between CISA, other government partners, critical infrastructure owners, and operators.”
“We shouldn’t think of it as, does CISA have the information it needs to protect the world from cyber threats because they’re never going to have enough resources to do that,” Miller said. “So, they have to work with the private sector, and that’s why the private sector also needs this information.”