Officials representing the banking, information technology, natural gas and telecommunications industries all generally support a bipartisan draft bill in the House that would mandate that certain critical infrastructure owners and operators report certain confirmed cybersecurity incidents to the Department of Homeland Security.
The support from industry for federally-mandated cyber incident reporting is a significant change from recent past arguments that favored continuing a voluntary approach to alerting the government about network breaches.
The 33-page draft bill, the Cyber Incident Reporting for Critical Infrastructure Act of 2021, which was released last Friday, follows “months” of dialogue with government and industry stakeholders, Rep. Yvette Clarke (D-N.Y.), chairwoman of the House Homeland Security Subcommittee on Cybersecurity, said at a hearing Wednesday to get industry feedback on the pending legislation.
In her opening remarks, Clarke referenced an Aug. 27 letter from 18 industry associations representing various critical sectors of the economy to key congressional committees throwing their support behind cyber incident reporting legislation as long as it is “harmonized” with the new cybersecurity requirements President Biden has directed for federal contractors and adheres to several principles, including allowing at least three days to report a verified incident, permitting only victims, not third parties, to report incidents, keeping the information in reports confidential, and streamlining federal reporting requirements.
“In the context of this hearing, we see the Cyber Incident Reporting for Critical Infrastructure Act of 2021 as another foundational building block in the growing whole-of-nation collaboration across industry and government,” Robert Mayer, senior vice president of cybersecurity for USTelecom-The Broadband Association, told the panel.
Some of the key features of the bill supported by all the industry officials include allowing victims of cyber breaches at least 72 hours to conduct “triage” of an incident to confirm that significant harm has been, or is being done, before reporting it to the DHS Cybersecurity and Infrastructure Security Agency (CISA).
The goal of the bill isn’t to “provide an avalanche of information” but rather to submit information that is “usable” to CISA and critical infrastructure operators and that allows front-line responders to gather context about an attack while also responding to it, John Miller, general counsel and policy chief at the Information Technology Industry Council, told the panel. He also said the 72-hour timeframe is “in line with a global standard if you will.”
Heather Hogsett, senior vice president of technology and risk strategy for the Bank Policy Institute’s Technology Policy Division, said that giving time for victims to confirm and report on an actual harmful incident rather than every suspicious encounter prevents CISA being “deluged with information that’s not helpful to them, it’s not useful, and they also get bogged down with information that isn’t really the actual threat and the highest risks that we want them and everyone else to focus on.”
Rep. Jim Langevin (D-R.I.), one of the top cybersecurity experts in Congress, highlighted a potential problem with the bill’s emphasis on confirmed incidents, warning of a “gap I see between the amount of information CISA needs to meaningfully improve the cybersecurity of our critical infrastructure sectors and the amount of information that CISA would receive were it only to be notified of confirmed cyber incidents.”
One potential example provided by Langevin is a “hypothetical espionage campaign” by a foreign government against a critical infrastructure sector that has detected the bad behavior on its networks but not confirmed a breach. In such a case, how would the bill change the current security environment for the better, he asked.
Mayer answered that confirming an incident doesn’t mean that “every aspect” is confirmed, whether that be attribution or all the systems that are impacted. An incident that impacts “confidentiality, integrity and availability” will be obvious and the government, including CISA, will probably already be aware of “these threats and events.”
“In the spirit of this legislation, once a company realizes that it’s been hit in a very significant way and has some visibility into that attack at some level and is maybe beyond the initial hours and days of triage, I would have every expectation, certainly in my sector, that there would be a conversation with CISA,” Mayer said.
The industry witnesses also lauded the bill for providing flexibility in determining the final reporting requirements, which would be done through a rulemaking process between CISA and critical infrastructure stakeholders.
Rep. Bennie Thompson (D-Miss.), chairman of the full committee, highlighted the 2015 Cybersecurity Information Sharing Act, which was also a product of government and industry collaboration but has never realized its full potential, with industry often still reluctant to voluntarily share information about cyber-attacks and breaches and the government in turn not quickly turning its analysis of threat data into actionable information for the private sector.
Ronald Bushar, government chief technology officer for the cybersecurity company FireEye [FEYE], replied that voluntary information sharing has its limits as a basis for cooperation and that there needs to be “flexibility in the rulemaking process” to enable more agile responses to rapid changes in threats.
Hogsett also pointed to the need for a “regular feedback loop so CISA is also regularly getting feedback from owners and operators of critical infrastructure about what they are finding valuable. That’s often been missing.”
All the industry panelists said that information sharing about threats and incidents needs to be bi-directional between industry and government. Hogsett and Kimberly Denbow, head of security and operations for the American Gas Association, said that government still needs to improve the timeliness and quality of information it provides critical infrastructure sectors about cyber threats.