Members of Congress are moving toward a legislative push for mandatory cyber-incident reporting by critical infrastructure operators, while industry groups are beginning to shape their arguments against establishing such a regulatory requirement in response to the SolarWinds and Microsoft Exchange hacks.
A source close to the House Homeland Security Committee told Inside Cybersecurity: “We’re in the process of developing legislation that will require critical infrastructure owners and operators to report certain cybersecurity incidents to CISA for purposes of building CISA’s situational awareness of threats, facilitating rapid sharing of threat intelligence where possible, and informing our overall understanding of which security controls are working and how bad actors are defeating them.”
The source said, “We’re using Section 1637 of the House-passed fiscal 2021 [National Defense Authorization Act], offered by [former Rep. Cedric] Richmond, as a starting point but we expect the language to evolve based on ongoing conversations with stakeholders and CISA.”
Separately, Reps. Jim Langevin (D-RI) and Michael McCaul (R-TX) are in the process of drafting incident reporting and consumer breach notice bills, according to House sources, while Senate Intelligence Chairman Mark Warner (D-VA) has also expressed interest in incident-reporting legislation. The Cyberspace Solarium Commission in its landmark 2020 report called for establishing such a mandate.
And within the executive branch, financial regulators are accepting comment through April 12 on an incident reporting proposal for that sector that would require firms to report incidents within 36 hours. The proposal is expected to generate strong pushback from industry groups.
Industry sources say they recognize the strong desire on Capitol Hill to take action following the massive recent breaches of federal and private-sector networks, but are hoping to move the discussion more toward collaboration than regulatory mandates.
“The cyber reporting discussion, particularly vis-à-vis congressional hearings, needs more rigor,” an industry source stressed. “Job one is perhaps for lawmakers to better distinguish whether they are referring to disclosure, incident notification, or reporting. When it comes to legislation, the actors and policy implications in each space are potentially very different.”
On incident reporting, Larry Clinton of the Internet Security Alliance said, “There is useful data to collect, but mandatory reporting of incidents isn’t particularly useful. The core problem is the attackers are way ahead of us in their methods. Looking at it in a narrow regulatory sense is not going to work, it’s going to waste resources.”
He agreed “there is a lot of information that can be gathered and be valuable, but I don’t think that’s answered by a mandatory reporting requirement.”
For one thing, he said the occurrence and facts around cyber incidents are “not readily obvious.” For instance, “The SolarWinds story has already changed a couple of times. I’m very concerned about basing conclusions on incomplete data. That could lead to a garbage-in, garbage-out situation.”
Instead, Clinton called for “real partnership and collaboration” between government and industry. “The government looks at industry as a stakeholder, not as a partner.”