Witnesses Suggest 3 Days for Cyber Reporting
Congress should establish a 72-hour window for critical infrastructure entities to report confirmed cyber breaches, industry witnesses told the House Cybersecurity Subcommittee (see 2108310060). A hearing considered draft legislation from Chairwoman Yvette Clarke, D-N.Y., and House Homeland Security Committee ranking member John Katko, R-N.Y.
President Joe Biden’s cybersecurity executive order recommended three days for federal agencies and contractors to report severe cyber incidents, noted USTelecom Senior Vice President-Cybersecurity Robert Mayer: It’s a “reasonable” timeline in line with general standards.
Many cyber professionals say that’s sufficient to determine what occurred and provide additional context for investigations, said Information Technology Industry Council General Counsel John Miller. Heather Hogsett, Bank Policy Institute senior vice president-technology and risk strategy, agreed, saying a clear baseline is needed so reporting expectations are standardized. There’s not a perfect answer for the timeline, said American Gas Association Managing Director-Security and Operations Kimberly Denbow: The key is to allow entities to confirm incidents, rather than rushing information to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which is going to have follow-up questions.
Congress should narrow the definition of confirmed incidents to avoid CISA receiving a deluge of unnecessary and unhelpful information, witnesses said. Focusing on confirmed incidents takes “the noise” out of the data delivered to CISA, said FireEye Mandiant Global Government Chief Technology Officer Ronald Bushar. He called for guidelines and criteria to create a clear structure for entities to report. An efficient rulemaking process will allow for sector-specific engagement, said Hogsett, warning about overreporting to CISA. Rep. Jim Langevin, D-R.I., questioned why suspicious activity shouldn’t also be reported. He suggested legislators further define what constitutes an incident.
There was concern in recent days about the draft bill’s potential impact on small businesses, said Clarke. She’s open to exploring language for CISA to provide small-business compliance assistance. Legislators should find a way to allow DHS to deal with the 16 critical infrastructure subgroups separately, said subpanel ranking member Andrew Garbarino, R-N.Y., suggesting separate rules that apply to each.
The rulemaking process needs flexibility, said Bushar, citing rapidly evolving threats. Agencies need to be able to adjust the types of information they’re collecting over time, he said. The rulemaking process will allow for sector-specific engagement, agreed Hogsett. Committee Chairman Bennie Thompson, D-Miss., said he’s looking forward to refining and passing the legislation so Congress can avoid having the same conversation years down the road.
Rep. Sheila Jackson Lee, D-Texas, questioned how the draft bill would have affected the Colonial Pipeline cyberattack, saying the company didn’t deliver information “very quickly.” Denbow defended the energy sector, saying it has been asking for a more streamlined reporting process for years. Sharing information with the government sometimes becomes a data landfill without much return value from the government, she added.
Also Wednesday, Commerce Secretary Gina Raimondo and Rep. Lizzie Fletcher, D-Texas, hosted a roundtable on critical cybersecurity issues with industry and academia. Raimondo called cyber a top priority for the administration. She highlighted National Institute of Standards and Technology efforts to define cyber issues.