Representatives from the telecom, financial and gas industries responded to pending legislation that would require critical infrastructure to notify CISA in the event of a breach at a House Homeland Security Committee hearing Wednesday, hammering at differences between House and Senate versions of the bill.
In both the House and Senate, the Cyber Incident Reporting for Critical Infrastructure Act of 2021 would give the Cybersecurity and Infrastructure Security Agency nine months to develop a rule to require some portion of the critical infrastructure sector to notify the agency in cases of breaches of potential national concern.
While lawmakers have considered reporting bills of this sort for a decade, dating back to Sens. Susan Collins, R-Maine, and Joe Lieberman of Connecticut, recent interest was rekindled after the SolarWinds espionage campaign. That campaign was first publicly disclosed by FireEye, having noticed a breach into its own systems. The FireEye announcement kicked off a massive remediation effort in the public and private sectors. But FireEye was under no obligation to make such a report, leaving lawmakers to worry what would have happened if FireEye had chosen not to come forward.
The Senate bill, fronted by Collins, Mark Warner, D-Va., and Marco Rubio, R-Fla., and the House bill from Reps. Yvette Clarke, D-N.Y., Bennie Thompson, D-Miss., and John Katko, R-N.Y., differ in two key ways. The Senate bill requires CISA to mandate reporting within 24 hours of detection, whereas the House bill offers 72 hours. The Senate bill requires reporting when there is a potential breach, but the House bill requires more certainty before reporting.
Industry representatives strongly backed the longer time table and greater certainty.
“The timeline for reporting, no earlier than 72 hours after confirmation an incident has occurred, strikes the right balance to allow firm sufficient time for investigation and implementation of response measures while reporting timely, accurate and useful information to CISA,” said Heather Hogsett, senior vice president for technology and risk strategy for BITS, the technology policy center of the Bank Policy Institute, at the hearing.
“The initial stages of an incident response require all hands on deck and frontline cyber defenders should be focused on Investigation response and remediation, rather than completing compliance paperwork,” she said.
Hogsett noted that the lower standards of the Senate bill would leave CISA awash with reporting of false alarms stemming from the thousands of false positive alerts that come from any bank’s security software every day.
That point was echoed at the hearing by Ronald Bushar, vice president and government chief technology officer of FireEye Mandiant, the company lawmakers largely praised for its civic-minded, internal handling of the SolarWinds attacks. Bushar said the company paused in going forward for the public benefit, confirming that the attack was not an employee clicking on the wrong file or a glitch in the technology, before making a major announcement.
”I think the point [with a longer investigation period] is not that you would never disclose or you would wait until you had all the information available, but simply that you can have situations where initial indicators are indicative of an actual, true compromise; that you want to allow organizations time to fully analyze what's happening in their environment and determine that there is in fact a real impact,” he said.
The hearing was held in the Cybersecurity, Infrastructure Protection and Innovation Subcommittee of the Homeland Security Committee, chaired by Clarke. Clarke gave some indication to the scope she expected the CISA rules to abide.
“In recent days, I've been asked whether we would consider compliance challenges that certain small businesses may have,” she said. “I want to be clear that we do not expect all critical infrastructure owners and operators to be subject to this reporting requirement. Rather, we expected to apply only to a subset.”