Participation in CISA’s ongoing incident reporting listening sessions is in line with expectations, according to CISA executive director Brandon Wales, who spoke with Inside Cybersecurity in a wide-ranging interview on the upcoming regulation and stakeholder engagements.
“The legislation that gave us this authority had a requirement that we go through a full notice and comment rulemaking, and required us to publish a notice of proposed rulemaking within two years of the legislation, which would be March 2024,” Wales told Inside Cybersecurity.
CISA officials realized they wanted a “lot more industry feedback and engagement” when developing the rule, Wales said, adding, “so even though we were not required to, we published the RFI and set up these listening sessions.”
Brandon Wales, Executive Director, CISA
The request for information released in September asks for feedback to help define the scope of reportable incidents, and poses questions on the reporting contents and submission procedures including what should be considered “reasonable belief” for the 72-hour reporting clock to start, and on other matters.
CISA is conducting a series of 10 in-person public listening sessions across the country and additional closed sector-specific sessions. At the Oct. 19 public session in Washington, DC, nine organizations provided feedback and the four-hour listening session wrapped up two hours earlier than expected.
“Frankly, there has only generally been a handful or two of people at the listening sessions who have provided feedback,” Wales said, explaining that it is “consistent with our thinking ahead of time” on how stakeholders would want to engage with the agency.
Wales said, “We always believed that the primary way most of industry will provide feedback is through the RFI because they will want it to be detailed and written, and so we always assumed the RFI would be the primary vehicle for industry perspectives, not the listening sessions.”
Responses to the RFI are due by Nov. 14. So far, there are 18 comments posted in the rulemaking docket with the most notable response from a coalition led by the Cyber Threat Alliance and the Institute for Security and Technology.
Wales said listening sessions tend to generate public interest when there is “something of import” such as environmental regulations. The CISA regulation is “fairly technical in nature and mostly deals with how industry works with the government,” he said.
“People have provided very thoughtful insights about incident reporting, the work between industry and government, so I think we’re taking all of that feedback whether it is provided through the RFI or through the listening sessions in the same way,” Wales said.
CISA Director Jen Easterly tasked Wales with leading work on the incident reporting regulation. He is the most senior civilian employee at CISA and served as acting director for eight months until Easterly was confirmed in July 2021.
Moving from voluntary to mandatory reporting
The new regulation will be a significant shift in how CISA typically engages with industry and has raised concerns among stakeholders on how the agency will balance the current voluntary model for information sharing with mandatory requirements authorized by Congress.
Under Easterly’s leadership, the agency has moved from being the nation’s risk advisor to joint operational collaboration and released a strategic plan in September outlining the path forward for several CISA initiatives.
Balancing voluntary efforts and regulation is “certainly a top priority for us,” Wales said. “I believe the way which Congress constructed this legislation is keeping that front of mind, that ultimately despite this legislation we are for the most part an agency that was built to have close and enduring relationships with industry in furtherance of the mission.”
Wales said, “This legislation doesn’t give us punitive authority and is not looking to punish companies because of the breaches and incidents they may suffer. In many respects, this legislation was designed to turbocharge our voluntary mission by giving CISA broader insight into the cyber threat landscape inside the United States, the goal being to use that information to feed back to industry to prevent future attacks and ensure they are able to quickly respond when incidents do happen.”
“Unlike in other regulatory contexts, this is not about holding companies accountable for the incidents that are happening on their networks. This is to make sure that the government can be as supportive as possible to the victims and to prevent future victims from being attacked,” Wales said.
Signal vs. noise
In comments to CISA, the U.S. Chamber of Commerce and the Information Technology Industry Council have sought to narrow the scope of covered incidents to those that present national security or economic risk, to differentiate between the signal and the noise on information shared.
Wales said, “We are trying to take as many perspectives as possible so that we ultimately craft a rule that strikes the right balance. We are trying to get as much quality information in to advance [the] cybersecurity mission, while minimizing the burden on industry, and ultimately what comes out in our proposed rule once that is published will show how we have struck that balance.”
The law requires DHS to set up a Cyber Incident Reporting Council to deconflict existing regulations across government. The council is chaired by DHS under secretary for policy Rob Silvers and met for the first time in July.
Wales said, “There have been a large number of engagements between CISA and DHS to those various members of the council, those other regulators including the independent regulators, to have discrete discussions about harmonization related topics. So that work is ongoing. It is not just happening at the meetings of the council.”
When asked to comment on a controversial SEC cyber proposal, Wales said, “We have spoken to the SEC. Although I would note that the SEC regulation is about public reporting of cyber incidents. Obviously, that is distinct from reporting to the government, but we have had conversations with the SEC and other regulators on these topics.”
Wales emphasized how the RFI and listening sessions are designed to get as much feedback as possible to address potential industry concerns ahead of the NPRM.
“The rule will describe the thresholds for reporting, what the expectations are on industry, and what is required to be reported,” Wales said.
Next steps for future engagements are to be determined. Wales said, “Any future engagements we have will be consistent with the approach we have taken here [to] provide a high degree of consistency and transparency, but I can’t commit to any specific actions.”
Wales said, “Once we draft the rule, it enters a lengthy clearance process inside the executive branch, that doesn’t give us many opportunities to engage [outside] the executive branch because we are waiting for and engaging with feedback we receive” from the interagency process.
Wales said, “If there are specific items that come out of that, we think we want to get additional industry perspective, we will work through that process at the time.”
Once the NPRM is published, industry will “absolutely” have the opportunity to provide feedback to CISA, Wales said, adding that “feedback would need to be specifically addressed in the final rule that will be published no [more] than 18 months later.”
As for the listening sessions, CISA is planning to publish the full transcripts within 30 to 45 days once the public and the sector-specific closed meetings have fully concluded. The last public session is Nov. 16 in Kansas City, MO. -- Sara Friedman (firstname.lastname@example.org)