Inside Cybersecurity

Industry expert: Mandatory incident reporting would require internal ‘compliance regime’ for industry

By Sara Friedman / August 10, 2021

Generating more information from industry can help government determine trends and share information back to the private sector, but industry info-sharing leader Scott Algeier has concerns about the burden mandatory incident reporting will place on industry to stand up their own compliance mechanisms.

Creating mandatory requirements is “a completely different model” than what is currently in place, Algeier said at an event on Monday. By making incident reporting mandatory, Algeier said government is turning it “into a compliance regime. Industry needs to set up a compliance regime internally to make sure they are complying with the requirements.”

Algeier is the executive director of the Information Technology Information Sharing and Analysis Center, an industry-only group where technology companies operating in the IT sector voluntarily share information with each other and receive intelligence in return. He spoke at an event focused on protecting critical infrastructure co-hosted by the Intelligence and National Security Alliance and Defense One.

Under a mandatory incident reporting regime, “all of a sudden there is a large individual checklist that industry needs to develop, a process they need to develop,” Algeier said. “That’s probably going to take resources from security budgets. You have security teams that are responsible for responding to attacks. Now you are developing a compliance regime where these same people need to comply so there is an investment tradeoff.”

Algeier said the government has the ability to “easily build” the structures needed to process the data “because they have more money. They can issue debt to finance government operations. A lot of industry do[es] not have that same flexibility.”

In addition, Algeier said “it’s hard to believe government doesn’t have broad situational awareness of where the threats are so there is already a lot of information out there that government has. If they need more, requiring industry to share is one way to get it but how is the government going to handle all of the information.”

Algeier said the government would need to determine “how they are going to make sense” of “hundreds of thousands more reports coming potentially every day.” He said industry needs to get more clarity on the “analysis benefit” that they are “going to be getting in return.”

“There are a lot of challenges in implementing this and from an industry perspective we are interested in working with the government to identify what these challenges are and set up frameworks that address them,” Algeier said.

Algeier spoke on a panel with Energy Department cyber leader Cheri Caddy; Lauren Elinsky of the National Counterintelligence and Security Center at the Office of the Director of National Intelligence; and the FBI’s David Ring.

Caddy said one of the current challenges is the “lack of specific use cases” for what information should be shared between government and industry.

On Capitol Hill, several bills with incident reporting requirements are in the works.

Senate Intelligence Chairman Mark Warner (D-VA), ranking member Marco Rubio (R-FL), Sen. Susan Collins (R-ME) and colleagues from both parties introduced a bill that has been referred to the Senate Homeland Security and Governmental Affairs Committee.

The Warner-Rubio-Collins bill would require critical infrastructure operators, government agencies and contractors to report within 24 hours of discovering a cyber intrusion, one of numerous provisions stirring industry concerns.

Cyberspace Solarium Commission leaders Reps. Jim Langevin (D-RI) and Mike Gallagher (R-WI) are also working on draft legislation, and House Homeland Security cyber subcommittee Chairwoman Yvette Clarke (D-NY) is expected to introduce a bill soon. -- Sara Friedman (sfriedman@iwpnews.com)