Inside Cybersecurity

CISA hears from business, pipeline groups on considerations for upcoming reporting regime

By Sara Friedman / October 20, 2022

Two large associations urged CISA to set a high bar for incidents that should be reported and called for bidirectional information sharing at the agency’s Washington, DC listening session on Wednesday.

The U.S. Chamber of Commerce’s Matthew Eggers walked through several definitions in the incident reporting law, providing input on how they should be defined in the upcoming cyber regulation, including what should be considered a “covered entity” and a “covered cyber incident.”

The law uses the definition for “covered entity” from an Obama-era presidential policy directive that is “too broad from a risk management perspective,” Eggers told CISA officials. “For CIRCIA to be effective, CISA should establish criteria that creates a narrow list of entities that if impacted could create significant consequences within the U.S.”

CISA is conducting a series of 10 public listening sessions across the country. The DC session was moderated by CISA’s Melanie Anton. Boyden Rohner, associate director for vulnerability management at CISA, provided opening remarks and interacted with industry participants.

Nine organizations provided feedback to CISA including the Chamber, American Gas Association, National Electrical Manufacturers Association, National Association of Chemical Distributors, Bank of America, Bank Policy Institute, R Street Institute, Express Association of America and Digital Asset Redemption.

The four-hour listening session wrapped up two hours earlier than expected. Approximately 100 people registered for the meeting, but the session room was not filled to capacity.

Summaries for each of the sessions will be made public, according to an agency official. CISA is running the 10 sessions through its stakeholder engagement division, while additional meetings for all 16 critical infrastructure sectors are being led by the sector risk management agencies, another official said.

Eggers, vice president for cybersecurity policy in the Chamber’s Cyber, Intelligence, and Security division, urged the agency to focus on the “types of significant cyber incidents that it wants covered entities to report” when it comes to the number of entities.

On the meaning of “covered cyber incident,” Eggers said, “The authors of CIRCIA did not want CISA to be overwhelmed with a flow of unusable cyber incident data because of overly broad and prescriptive reporting requirements. To enhance reporting efficiency, the covered cyber incident should be triggered only when there is a reasonable likelihood of a significant incident or harm to U.S. economic and national security.”

“The Chamber believes the covered cyber incident should be limited to incidents that directly disrupt the operation of U.S. infrastructure owned and operated by a company,” Eggers said.

A “substantial cyber incident” needs to clear a high bar for the types of incidents CISA determines to be reportable, Eggers said. “Unlike the term ‘significant cyber incident,’ the word ‘substantial’ is not defined in the legislation.”

When creating the law, Eggers said, “The Chamber stressed to lawmakers that the word ‘substantial’ would be unworkable in practice. The word substantial is problematic because it could be used by CISA to label almost any cyber incident as covered.”

On the 72-hour reporting deadline, Eggers said CISA should maintain the “prompt reporting deadline of not less than 72 hours. A 72-hour deadline reflects a flexible standard for notifying CISA about significant cyber incidents.”

Eggers said, “The rule should tie reporting to confirmed cyber incidents. Businesses need clarity in reporting requirements which should be targeted to well defined and confirmed cyber incidents.”

Eggers argued for “bidirectional information sharing” where CISA works in collaboration with industry. This should also include “helping law enforcement identify and prosecute bad actors,” Eggers said.

He also called for safeguards that are consistent with the Cybersecurity Information Sharing Act of 2015 and details on what CISA will do with “reported information to provide indicators and warnings to covered entities and other industry stakeholders.”

Kimberly Denbow, vice president of security and operations at AGA, urged CISA in her remarks to clarify the definitions of what kinds of incidents are reportable and the threshold for reporting. Information technology and operational technology have different thresholds, Denbow said, adding that a “covered entity” should be weighed against “criticality.”

Denbow said CISA needs to address how the information will be used, analyzed and stored.

On harmonization, Denbow said the Transportation Security Administration, North American Electric Reliability Corporation and Nuclear Regulatory Commission have standards for incident reporting. At the state level, some public utility commissions also have regulations in place, Denbow said.

She pointed to R Street’s overview of federal cyber incident and breach reporting requirements as a good place to start when it comes to reviewing what is currently in play.

On information sharing, Denbow emphasized how CISA needs to be a “producer” to provide details back to industry, and not just a “consumer.” -- Sara Friedman