Private Sector Stakeholders Share Insights on Proposed Cyber Incident Reporting Rule, Potential Impact on Critical Infrastructure Sectors
May 2, 2024
WASHINGTON, D.C. — This week, the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, led by Chairman Andrew Garbarino (R-NY), held a hearing to obtain testimony from private sector stakeholders on the Cybersecurity and Infrastructure Security Agency’s (CISA) recent proposed rule to implement the bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). In this hearing, members were warned about the impacts of duplicative regulations on the cyber readiness of certain critical infrastructure sectors; the need for further clarity in the proposed cyber incident reporting requirements, including thresholds, level of detail, and definitions; and how the rule should increase cross-sector visibility for covered critical infrastructure entities without overburdening CISA and America’s small businesses.
Members heard testimony from Heather Hogsett, senior vice president of technology and risk strategy for the Business, Innovation, and Technology Division at the Bank Policy Institute; Scott Aaronson, senior vice president of security and preparedness at the Edison Electric Institute; Robert Mayer, senior vice president of cybersecurity and innovation at USTelecom for the Broadband Association; and Amit Elazari, J.S.D., CEO and co-founder of the OpenPolicy Group.
In his opening statement, Chairman Garbarino emphasized how getting this rule correct was essential and praised CISA’s announcement that it will extend the opportunity for affected stakeholders to comment on it:
“It is imperative that we get the CIRCIA rule right. CIRCIA should serve as the standard, not another regulation standing in the way of effective cyber defense. Because it is so important we get this right, I’m encouraged to hear that CISA is granting a 30-day extension for submitting comments.”
Chairman Garbarino questioned the panelon whetherthe rule’s requirements could overwhelm both CISA and businesses as they seek to effectively analyze and act on the information collected, to which Mayer answered:
“I think there is a theme here that runs across a lot of these issues, and that is lack of specificity and clarity. So, the rule talks about providing ‘new’ and ‘different’ information. I don’t know what new and different information means…It’s also not time-bound, so a company could be in a situation where they’re, into perpetuity, providing supplemental information that may not have any impact on improving security in the ecosystem. We need to tighten this up [and] get some clarity around what type of supplemental information is going to contribute to a better understanding, allowing CISA to more immediately respond to help victims and warn victims. If it doesn’t meet that criteria, we are going to be taking resources away from CISA’s people, and we are going to be taking resources away from frontline practitioners, who are going to be more concerned about complying with this supplemental requirement out of fear of some enforcement action, potentially. I don’t think that improves security at all.”
Garbarino also questioned witnesseson the overlap between a reporting requirement in the proposed rule and a requirement by the Security and Exchange Commission’s (SEC) Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure rules:
“We’ve heard a lot of anecdotal concerns about the chilling effect that this rule, the SEC Cybersecurity Rule, is having on cyber information. Ms. Hogsett, can you explain from the BPI’s perspective, I’d say negative impacts, but I’ll have you say potential impacts of the SEC’s rule on cyber information sharing?”
Hogsett answered:
“Our concern with the SEC disclosure rule is that, literally, the rule requires that four days after you’ve determined that you have a significant event, you are publicly disclosing that. If we look at CIRCIA, that means that basically CISA has about 24 hours, perhaps, to leverage the confidential reporting and then turn that back around into useful information to help prevent attacks or further harm. That, in this day and age, is an extraordinarily short period of time. So you’re really cutting short and undercutting the purpose and effectiveness of CIRCIA itself.
“Publicly disclosing gives attackers information they might not otherwise have. We have seen it being automated using bots to then start to automatically scan other companies to detect if they have a certain vulnerability. It also prioritizes the desire of investors to have transparency over the need for critical infrastructure to protect themselves. So we believe this is very harmful. In the short four months that it has been in effect, we have already seen it interfere with longstanding collective defense efforts because it has caused confusion about what information can and cannot be shared. And we have also seen attackers use it as an additional extortion method. So, if you don’t file with the SEC, your ransomware attacker will then threaten to report you to the SEC and it is now the third prong of an attack that they have started to use.”
Rep. Mike Ezell (R-MS) questioned Elazari on the potential impacts of the proposed rule on small businesses operating in a critical infrastructure sector:
“Can you highlight some areas where federal agencies could improve regulatory reporting requirements to help small businesses?”
Elazari replied:
“It is really striking that [a significant] amount of affected entities are actually smaller, and the threshold that is now proposed is building on the small and medium business side…this is a very large community, a lot of it—interestingly—from the defense industrial base. These are innovators, they are working to protect us. So, this is an area we must pay attention to. We are aware of a lot of duplicity and, actually, it’s striking––the congressional report’s research itself says it’s unlikely that some agencies would resist the urge to continue with their reporting requirements because they think it’s serving other goals. So, this is an area we would need Congress’ support.
“The duplicity issue is serious, and it’s discussed. There is a National Cyber Director report on it. It requires additional action. In the context of the CIRCIA agreement framework that CISA has put out, in the proposed rule, the use of the terminology is somewhat aspirational: ‘We would study the potential duplicity.’ There is ‘desire’ and ‘good faith desire’ to work with agencies. But we really need to be doubling down on those sectors where the duplicity is not just harmful for the businesses, it’s harmful for the nation. And in those areas where we have a lot of burden on small businesses…reach some common architecture for formats where we can achieve common goals.”
Rep. Laurel Lee (R-FL) questioned witnesses on the best possible threshold for required cyber incident reporting to CISA:
“Several of you have touched on this subject, and that is the idea that the threshold for the reporting requirement itself, you perceive it to be overly broad and that it is going to capture too many things—too much information…What should be a reportable event?”
Aaronson answered:
“The phrasing, ‘loss of integrity,’ and some of the supply chain aspects, that’s a lot of things. Without getting technical but things like password spraying, things like any sort of impact on a cloud provider, could impact integrity, could impact availability—that becomes a reportable event. Does that really matter? That’s the question we need to ask ourselves. What are those types of incidents that we truly need to be collecting?”
Hogsett added:
“We refer to it in our past comments to CISA as it should be with ‘malicious intent.’ So if you think about an event that is having an impact and causing harm, and it’s not just a technical glitch or a system misconfiguration that took things offline, I don’t think those are the things that CISA should be collecting on. But the way the definitions are currently crafted, it would capture that and we think that should be narrowed to accommodate that better.”
###