A House Democrat last Friday released a bipartisan draft bill that would mandate that certain sectors of industry report cyber incidents to the federal government to increase situational awareness about cyber threats and attacks.
The draft legislation was released by Rep. Yvette Clarke (N.Y.), whose House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation will host a virtual hearing on the bill with private sector witnesses.
Amid a constant wave of cyber attacks and intrusions, frequently involving ransomware aimed at owners and operators of the nation’s various critical infrastructures, there is a growing bipartisan consensus that the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) needs more visibility into the attack landscape to better coordinate with stakeholders in government and industry and help them mitigate their risk.
Currently, cyber incident reporting to the federal government is relatively limited. The Transportation Security Administration, which has regulatory oversight of pipelines, recently required pipeline owners and operators to report cyber incidents following a ransomware attack that led to a brief shutdown of one company’s pipeline operations.
The 33-page Cyber Incident Reporting for Critical Infrastructure Act of 2021 would direct CISA to work with the private sector over a nine-month period to sort out which entities would ultimately be covered by the legislation, as well as which incidents and what information would have to be reported. At the end of that public-private dialogue, CISA would be required to issue an interim final rule setting out the reporting requirements.
“This bill would direct CISA to work with stakeholders to craft requirements that are tailored to get CISA the information it needs to understand the cyber threat landscape while also preserving CISA’s long-standing voluntary partnerships,” Clarke said in a statement.
The bill would also create a Cyber Incident Review Office within CISA to receive the incident reports from covered entities while also preserving the agency’s current voluntary approach to getting other portions of the private sector to report intrusions and attacks.
A fact sheet released by Clarke says that this approach provides “CISA with multiple avenues to obtain information about the incident (instead of traditional regulatory tools such as fines and penalties) that graduates to subpoenaing the information, but only after exhausting other options to bring the entity into compliance.”
Rep. John Katko (R-N.Y.), the ranking member on the House Homeland Security Committee, said in a statement that “This legislation strikes the right balance of carrots and sticks to close the centralized visibility gap around cyber incident reporting and provides CISA the needed visibility to protect our nation’s critical infrastructure and federal networks.”