CISA’s incident reporting requirements go too far, trade groups and lawmakers say
A draft rule for cyber incident reporting asks far too much of critical infrastructure entities and of the agency tasked with carrying out the law, trade groups representing the electric, telecommunications and finance sectors said during a House hearing Wednesday.
The cyber incident reporting mandate is one of the Cybersecurity and Infrastructure Security Agency’s biggest forays into a regulatory role — and it is proving to be a thorny one. The 447-page draft rule, released in March, would require select critical infrastructure companies to report significant cyber incidents within 72 hours and any ransomware payments within 24 hours. The rule was established largely for the government to better understand the cyber landscape after multiple major cyberattacks — such as the SolarWinds espionage campaign — highlighted the fact that many attacks go unnoticed.
Witnesses before the House Homeland Security’s cybersecurity subcommittee were largely in agreement that the rule is an important step for broader cyber awareness but also too broad, increasing the likelihood of CISA becoming overwhelmed by reports. Meanwhile, front-line defenders — particularly smaller organizations — could be hampered by trying to both file reports and deal with an attack. CISA will not be able to keep up with the amount of data due to the broad definition of cyber incidents and who should report, the witnesses argued.
While it’s no surprise that industry wants to shave off aspects of the regulatory requirement, that could mean the final version of the rule will be significantly pared down from the draft. Another aspect brought up by the witnesses is that there must be a greater focus on harmonizing other reporting requirements with the new mandate.
Lawmakers seemed to agree. Rep. Eric Swalwell, D-Calif., noted during his opening statement that “we have to make sure that we don’t wrap up non-relevant small and medium-sized businesses in reporting requirements that can both be cumbersome and expensive to businesses and provide worthless data to CISA.”
Rep. Yvette Clarke, the former chair of the subcommittee who sponsored the bill, also thought that CISA’s rule went too far. Citing testimony from 2021, the New York Democrat said that lawmakers did not intend to “subject everyone and every incident with reporting.”
As CISA’s definitions on what constitutes a significant cyber incident and what information should be provided were picked apart, the agency itself came under fire from witnesses who questioned its subject matter expertise as well as its ability to keep the information safe from hackers. The volume of reports will be so large that it will overwhelm the agency’s ability to parse all the information and send out actionable intelligence to defenders, witnesses said.
“CISA currently has challenges with having specific subject matter expertise to get through the noise,” said Heather Hogsett, the senior vice president of technology and risk strategy for the Bank Policy Institute.
CISA’s own cybersecurity breach serves as an example of the difficulty the agency might have in keeping sensitive data secure, said Scott Aaronson, senior vice president of security and preparedness at the Edison Electric Institute, an electric trade group that represents investor-owned utilities, which are for-profit electric utilities.
Additionally, CISA faces a sensitive balance in requiring a mandate from the same organizations that the agency needs to work with on a volunteer basis. Responding to a question about the electric sector’s relationship with the Department of Energy, Aaronson said that part of the reason the electric sectors work so well with DOE is because the agency “is not regulatory.”
