Inside Cybersecurity


IT-sector info sharing group raises liability concerns over potential mandatory reporting requirement

By Sara Friedman / August 17, 2021

An information sharing group for the IT industry is concerned that liability language in cyber incident reporting legislation could encourage companies to share incident data with the federal government while acting as a “disincentive” to share with industry-facing organizations that have invested heavily in building ecosystems to exchange threat data.

Following the release of President Biden’s May executive order on cybersecurity, the Information Technology-Information Sharing and Analysis Center convened a working group to review its implications and other considerations around mandatory incident reporting. The EO contained incident reporting language aimed at federal IT and OT contractors, and pending legislation in the House and Senate would create mandatory incident reporting requirements for critical infrastructure operators.

Scott Algeier, executive director of the IT-ISAC, spoke with Inside Cybersecurity about how the conversation around mandatory reporting has evolved and the role of his organization, which gives companies a place where they can share details freely and hear back from their industry peers.

“We don’t want to create a scenario where there is a disincentive to share with industry,” Algeier said. “If you get greater liability protection from reporting to government than you do with reporting to industry, then you are not going to be sharing with industry because you are putting the information more at risk.”

Algeier referenced a case from 2017 in which the Auto-ISAC was issued a subpoena seeking its communications with a member company. The judge ruled the records were not relevant to the case and denied the request.

“It is important to have the greatest liability protections on the information shared as possible and that information should be protected no matter where it is shared,” Algeier said. “If it is shared with the government or whether it is shared with industry, we should have the greatest possible protection for that information.”

Algeier said the IT-ISAC has not taken a position on any specific legislation, but has worked to determine what would be necessary for the equitable exchange of information between industry and government to “help inform the debate.”

Scope is an important component of any mandatory reporting proposal, Algeier said, and industry wants answers on “Who would the proposal apply to?” and “What needs to be reported?”

Algeier said another consideration is timing in terms of when a 24-hour or 72-hour clock on reporting would begin. Part of the conversation needs to be whether the clock should start when an incident was triggered or when it was discovered, he said.

Proposals that task the Cybersecurity and Infrastructure Security Agency with developing the new reporting requirements could impact the agency’s efforts to act as a partner with industry, Algeier said.

The IT-ISAC and its members have spent “a long time” working with DHS and CISA to build “public-private partnerships,” Algeier said, adding that there needs to be a discussion on what impact turning CISA into a “semi-regulator” will have on the partnerships and if “the benefits of this mandatory reporting and compliance outrank the costs.”

ISACs could also play a role in sharing incident reporting details with CISA and other agencies, Algeier said, calling the IT-ISAC a “natural conduit” that could make it “easier for companies to comply” with new requirements.

Algeier said, “We would not be looking to use the IT-ISAC as the only mechanism for reporting to the government, but if you are a member of the IT-ISAC, it seems to me like it should be as simple as possible for companies to report this information into the government.”

There is a “strong business case” for companies to share information with the IT-ISAC because of the mechanisms that the organization has put together, including the ability to control what information is shared and the opportunity to get responses back from industry peers quickly, he said. -- Sara Friedman (sfriedman@iwpnews.com)