Skip to content

News

“Implementation of CIRCIA is More Important Than Ever”: Chairmen Green, Garbarino Deliver Opening Statements

May 1, 2024

WASHINGTON, D.C.— Today, House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN) and Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) delivered the following opening statements in a hearing to examine the Cybersecurity and Infrastructure Security Agency’s (CISA) recent proposed rule for the implementation of the bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Image

Watch Chairman Green’s opening statement.

As prepared for delivery:

When we passed [CIRCIA], our goal was to ensure shared visibility of substantial cyber incidents impacting our homeland’s critical infrastructure.

With nation-state actors such as China and Russia continuing to target us, we knew that we needed to better understand and defend against increasingly fraught cyber threats. However, we knew we needed to do this without imposing undue regulatory burden on our companies that are already stretched very thin. Duplicative efforts tend to wind up costing businesses money that they could actually use on real cybersecurity, and so getting to the bottom of those is one of our priorities.

It is imperative that we strike this balance and ensure the rule is harmonized with regulations.

I look forward to hearing from our witnesses today.

Image

Watch Subcommittee Chairman Garbarino’s opening statement.

As prepared for delivery:

About two years ago, Congress woke up to the gaps in cyber incident reporting. Public and private sector entities have long complied with a patchwork of disparate, niche cyber incident reporting requirements managed by an array of regulators. As stated in the Notice of Proposed Rulemaking that we will discuss today, there are currently more than three dozen different federal cyber incident reporting requirements in effect.

In an age of increasingly sophisticated cyberattacks on our critical infrastructure, our fragmented approach to incident reporting has proven anything but nimble and useful. It is cumbersome and oftentimes redundant, creating a compliance burden on private sector partners who could be spending their resources on security rather than fulfilling multiple reporting requirements. A confusing and reactive, rather than proactive, reporting regime increases the risks to the security of our homeland.

After significant national attacks on Colonial Pipeline and SolarWinds, Congress recognized an urgent need for better and more coordinated cyber incident reporting for our critical infrastructure. This included a need to develop a process for reporting ransom payments, which didn’t exist despite the rise and impact ransomware attacks.

As a result, in March 2022, Congress passed the bipartisan Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA. This landmark legislation tasked the Cybersecurity and Infrastructure Security Agency, or CISA, to develop regulations to set the standard for cyber incident reporting across critical infrastructure sectors. As the nation’s risk manager, CISA must be empowered to identify cross-sector points of vulnerability and share information to mitigate such risks. And, as the lifeline of our national security, economic security, and public health and safety, critical infrastructure entities must be supported as they adapt to a world where cyberattacks are not an “if” but a “when.”

Since CIRCIA was signed into law, the American people have continued to feel the impacts of numerous costly intrusions into critical infrastructure sectors by cyber threat actors, from the water sector to the healthcare sector. This cannot continue.

It is imperative that we get the CIRCIA rule right. CIRCIA should serve as the standard, not another regulation standing in the way of effective cyber defense. Because it is so important we get this right, I’m encouraged to hear that CISA is granting a 30-day extension for submitting comments.

Members of this subcommittee have eagerly awaited the draft rule that we are going to discuss in depth, especially considering conflicting rules, such as the SEC’s public cyber disclosure rule. Therefore, we are devoting this hearing to CIRCIA because we know this is an opportunity: one to ensure regulatory effectiveness and harmonization.

I want to thank our witnesses—Scott Aaronson from Edison Electric Institute, Heather Hogsett from the Bank Policy Institute, Robert Mayer from USTelecom, and Amit Elazari from OpenPolicy Group—for being here today to help us understand how specific sectors will be impacted. We cannot effectively implement CIRCIA without the private sector perspective, so thank you for your partnership.

Implementation of CIRCIA is more important than ever for our cyber preparedness. The final CIRCIA rule, expected late next year, will mark a pivotal turning point for America’s ability to mitigate cyber risks and protect our national security, economy, and way of life.

I look forward to our witnesses’ testimony and discussing how the proposed CIRCIA rule can ensure a more capable and ready national cyber defense.