Inside Cybersecurity

September 27, 2022

Daily News

Relief about passage, implementation concerns mark industry responses to incident reporting legislation

By Charlie Mitchell / March 14, 2022

Industry groups have begun weighing in on the cyber incident reporting mandate for critical infrastructure passed by Congress, expressing a mix of anxiety about implementation and support for the legislation’s goals.

“This legislation recognizes that front-line defenders can’t drop everything amid a cyber event to try and guess what to report to the government and how to do it,” the Bank Policy Institute said in a statement following passage late Thursday of an omnibus appropriations package carrying the incident reporting language.

“It establishes clear guidelines on what is required to be reported before an event takes place so cyber experts can focus on doing their jobs in a crisis, while still ensuring their government partners have what they need to warn others and coordinate a government response. BPI supports these reforms and calls on the President to sign this bill into law,” BPI said.

CISA Director Jen Easterly said Friday, “CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”

She said, “CISA is committed to working collaboratively and transparently with our industry and federal government partners in order to enhance the security and resilience of our nation’s networks and critical infrastructure.”

“This is a much needed and foundational element for stronger cybersecurity,” Christopher Painter, former State Department cyber leader and now head of the Global Forum on Cyber Expertise, said on Twitter. “Ransomware and Russian threats related to its invasion of Ukraine finally spurred action.”

Megan Brown, a partner at law firm Wiley, rejoined on Twitter, “DHS has its work cut out for it to make this workable for companies in an incident and to clarify application and triggers. Congress missed an opportunity to deconflict with other reporting. And now the SEC is layering on [with proposed reporting requirements].”

Painter replied, “I agree that implementation will be important & SEC thresholds should be better defined than in the past.”

Among the industry statements on final passage of the incident reporting bill, the Information Technology Industry Council’s Mike Flynn said, “Given the rapidly evolving threat landscape, a modern approach to cybersecurity that reflects this reality is essential. We commend the U.S. Congress for prioritizing meaningful reforms to bolster U.S. cybersecurity in the omnibus spending bill.”

“Specifically,” Flynn said, “we welcome lawmakers’ efforts to enhance cybersecurity incident reporting, which can play an important role in informing actions to respond to incidents and to contain or prevent further impacts, and to allocate key investments to ensure the Cybersecurity and Infrastructure Security Agency has the resources needed to effectively carry out this regime. We particularly applaud Congress for setting a reasonable reporting timeline. We look forward to working with the U.S. government to advance these critical measures in the U.S. as well as collaborating with global policymakers to align effective and consistent cyber incident reporting regimes around the world.”

Christopher Roberti, senior vice president for cyber at the U.S. Chamber of Commerce, said, “The U.S. Chamber is pleased to see passage of the Cyber Incident Reporting for Critical Infrastructure Act as part of the Fiscal Year 2022 Appropriations legislation. This bill is the product of year-long bipartisan discussions and will help close the visibility gap between the federal government and private sector on cyber threats to critical infrastructure. While the legislation is an important step forward, work remains to establish key definitions, foster public-private information sharing, and harmonize existing regulatory requirements.”

National Retail Federation vice president for retail technology and cybersecurity Christian Beckner said, “We appreciate the fact that Congress has taken a major step forward to protect our nation against cyberattacks while still focusing on the most truly critical elements of critical infrastructure.”

Beckner said, “Lawmakers have listened to the concerns of retail and other industries. This is a carefully crafted measure that will enhance the quality of cyber threat information that is shared with private industry and accomplishes its goals in a way that is balanced and risk-based. Retailers work every day to protect against cyber threats in coordination with the federal government and through threat-sharing programs such as those run by NRF. This legislation will complement those efforts and ensure that all entities play the appropriate role.”

The reporting requirement was a key recommendation of the Cyberspace Solarium Commission and that body’s executive director, Mark Montgomery, said, “I think the incident reporting provision being folded to the appropriations bill is good news.”

Montgomery, now a senior director at the Foundation for Defense of Democracies, told Inside Cybersecurity, “This bill properly prioritizes the leadership role of CISA in working the public private collaboration, and specifically information sharing. The FBI plays a crucial, supporting role in this effort.” -- Charlie Mitchell (cmitchell@iwpnews.com)