House Homeland Cybersecurity Hearing
House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation
Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021
Wednesday, September 1, 2021
Witnesses
- Mr. Ronald Bushar, Vice President and Government CTO, FireEye Mandiant
- Ms. Heather Hogsett, Senior Vice President, Technology & Risk Strategy for BITS, Bank Policy Institute (BPI)
- Mr. John Miller, Senior Vice President of Policy and General Counsel, Information Technology Industry Council (ITI)
- Mr. Robert Mayer, Senior Vice President, Cybersecurity, USTelecom
- Ms. Kimberly Denbow, Managing Director, Security & Operations, American Gas Association
Opening Statements
Chair Yvette Clarke (D-N.Y.)
In her opening statement, Clarke explained the process and details of the Cyber Incident Reporting for Critical Infrastructure Act. She added that work on the bill is ongoing and that she is open to questions and feedback. Addressing compliance concerns, she stated that she does not expect all critical infrastructure owners and operators to be subject to this reporting requirement, but that it would apply only to a subset. She concluded that she would be happy to explore whether it would be necessary to add language directing CISA to provide additional compliance assistance to small businesses that are determined to be covered entities.
Ranking Member Andrew Garbarino (R-N.Y.)
In his opening statement, Garbarino discussed the impact of recent cyberattacks, including ransomware and the SolarWinds incident, and expressed interest in edits to the Cyber Incident Reporting for Critical Infrastructure Act.
Rep. John Katko (R-N.Y.)
In his opening statement, Katko expressed the need for urgency and precision in addressing cybersecurity threats and described how bad actors have successfully targeted both the private and public sectors. He also mentioned his Systemically Important Critical Infrastructure bill, which he planned to introduce within days, and stressed his desire for bipartisanship on the issue of cybersecurity.
Testimony
Mr. Ronald Bushar, Vice President and Government CTO, FireEye Mandiant
In his testimony, Bushar said he was encouraged by the draft Cyber Incident Reporting for Critical Infrastructure Act of 2021 as a positive step toward the long-term goal of enabling early detection of malicious cyberattacks. Bushar explained that any legislation on this matter should take into consideration the evolving cyber threat landscape; the increasingly sophisticated tactics, techniques, and procedures used by adversaries; and lessons learned from existing voluntary information sharing models. He stated that any reporting framework must be agile and give the federal government the opportunity to pivot or adjust its reporting requirements to keep pace with the threat environment and bad actors. He further said the U.S. government should consider a federal incident reporting program that goes beyond voluntary sharing of threat indicators and also includes mandatory disclosure requirements for cyber incidents. He described potential major tenets of such a program: safeguarding the protection and integrity of electronic and other types of data; ensuring confidential sharing; encouraging entities to adopt recognized cybersecurity standards and practices with a minimum threshold; providing greater incentives for private sector entities, including liability protections and a statutory privilege against disclosure in civil litigation; protecting privacy and civil rights; and providing outreach and technical assistance to entities that lack cybersecurity expertise or capabilities.
Bushar also asked lawmakers to consider the following components for a cyber incident reporting program: 1) reporting requirements should account for two key outcomes: a) timely and relevant reporting of critical intelligence to the relevant government authorities for assessment, correlation, and decision support, and b) reasonable latitude for the victim to determine the nature, extent, and potential impact of a breach; 2) a public-private partnership approach to cybersecurity; 3) a reporting program that encourages cooperation and strengthens trust between the public and private sectors; and 4) clear benefits to broader cyber incident reporting and bidirectional information sharing.
Ms. Heather Hogsett, Senior Vice President, Technology & Risk Strategy for BITS, Bank Policy Institute (BPI)
In her testimony, Hogsett highlighted efforts by industry to improve cybersecurity, the industry's mutual commitment to cybersecurity, the value of sharing threat and incident information, and support for efforts to fortify CISA as a leader in this space. She praised the bill for its proper scope, its appropriate 72-hour timeline, its harmonization provisions, its use of the protections and definitions in the Cybersecurity Information Sharing Act of 2015, and its help for companies in understanding whether their data has been compromised. Hogsett concluded by highlighting the need to improve the bill's provisions on bi-directional information sharing.
Mr. John Miller, Senior Vice President of Policy and General Counsel, Information Technology Industry Council (ITI)
In his testimony, Miller expressed appreciation that the Cyber Incident Reporting for Critical Infrastructure Act leaves many of the details to be worked out through a rulemaking process, and highlighted ITI's publication of its Policy Principles for Cyber Incident Reporting in the United States, which offers ten recommendations for policymakers drafting incident reporting legislation. Miller then summarized his written testimony, which focused on five of those recommendations: 1) establishing feasible reporting timelines of no less than 72 hours; 2) ensuring appropriate confidentiality, nondisclosure, and liability protections; 3) limiting reporting obligations to the impacted organization, rather than third-party vendors or providers; 4) harmonizing federal cybersecurity incident reporting requirements; and 5) limiting reporting to verified intrusions and incidents.
Mr. Robert Mayer, Senior Vice President, Cybersecurity, USTelecom
In his testimony, Mayer described the elements he believes are critical success factors in any incident reporting regime: 1) the reporting window should be large enough for industry to triage the incident; 2) thresholds for incidents that merit reporting should be clearly defined by subject matter experts, and only confirmed incidents should be reported; 3) legislation should protect the government's industry partners when they are victims of cyberattacks; 4) the government must safeguard the sensitive information it collects; and 5) reporting obligations should reside with the victims of cyberattacks, not with intermediaries or third parties. Mayer then expressed appreciation for the following aspects of the proposed legislation: 1) cyber incident reporting is enforced with subpoenas rather than fines; 2) CISA serves as the hub for information sharing and incident reporting, while working with its partner agencies; and 3) information sharing obligations are reciprocal between government and industry partners.
Ms. Kimberly Denbow, Managing Director, Security & Operations, American Gas Association
In her testimony, Denbow explained the provisions of the Cyber Incident Reporting for Critical Infrastructure Act that have industry's support, including the report timing, the clarity on supplemental reporting, the recognition of existing reporting requirements and of Information Sharing and Analysis Centers (ISACs), and the liability protections. She also offered recommendations for the bill, including more targeted outreach to critical infrastructure organizations in developing the rule, flexibility and regular updating of the list of covered entities, ensuring CISA has the tools it needs, and narrowing the Director's authority to disclose certain information.
Question & Answer
Bi-Directional Information Sharing
Clarke asked what specific information CISA needs about a cyber incident in order to detect cyber campaigns early and help operators defend themselves and mitigate risk. Bushar referenced technical indicators of compromise (IOCs), which include IP addresses, domain names, and malware and software, along with behavior-based techniques the victims observe, such as phishing emails, all of which can increase the accuracy of attribution to threat actors. Clarke asked what information and intelligence firms need from CISA. Bushar said that when the government has access to indicator information, the private sector can make use of that information in similar ways and understand where threat actors may be operating.
Rep. Sheila Jackson Lee (D-Texas) asked whether it is important for CISA to share data with critical infrastructure operators and how this legislation would have affected the Colonial Pipeline incident. Bushar and Miller said bi-directional information sharing is critical. Denbow said the Oil and Natural Gas Sector Coordinating Council has been asking for a more streamlined reporting approach for many years, noting that it is a piece that must still be worked out.
Impact of Cyber Incidents Definition
Clarke asked what the risks are of improperly scoping the definition of a cyber incident. Hogsett said financial institutions see potentially thousands of pings against their systems, so if the definition is too broad, a single firm could send hundreds if not thousands of reports. She said the opportunity for public dialogue with the sectors throughout the rulemaking process is crucial, because industry does not want to put unnecessary noise into CISA's system.
Solutions in Legislation
Garbarino said this is not a one-size-fits-all problem and asked how to legislate it properly. Denbow said the quickest way to an effective solution is to consult the sector risk management agencies and the sector coordinating councils, where the subject matter expertise resides. Mayer agreed with bringing subject matter experts into the discussion with CISA, arguing there is no way forward in deciding how to define a covered incident without industry-specific input.
Rep. Bennie Thompson (D-Miss.) asked how to ensure this cyber incident reporting legislation is crafted in a way that brings real value and prevents the need for another conversation like this in the future. Bushar said there needs to be flexibility in the rulemaking process and the ability to adjust what information is collected as necessary. Hogsett discussed setting up a process with a more regular feedback loop. Mayer said the 72-hour period is important for filtering noise out of the data before it goes to CISA, and added that information needs to be built up over time to see what fails and what works for the future.
Time Period for Reporting to CISA
Rep. Andrew Clyde (R-Ga.) asked whether 72 hours or 7 days is the appropriate period for reporting to CISA, or whether it is somewhere in between. Miller said 72 hours is sufficient time to determine what has occurred and provide additional contextual information. Hogsett agreed that 72 hours gives industry a reasonable amount of time to do an initial investigation and provide information useful to others. She pointed out that many firms operate under different standards and said she supports harmonizing the reporting timeline across industry. Mayer said 7 days would be too late to limit potential damage. Denbow said the exact time matters less than allowing operators to first confirm they have an incident rather than speculating and reporting unconfirmed information.
Coordinated Reporting and Harmonization
Garbarino asked how to help harmonize reporting compliance and requirements across industries. Hogsett said BPI would encourage CISA to work with the Treasury Department, the Federal Reserve Board, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation on a streamlined requirement so firms can provide information to one place. She said anything Congress can do to require such coordination would be helpful.
CISA Reporting
Garbarino asked whether the current quarterly reporting is good enough. Mayer said CISA has been incredibly responsible in pushing information out about threats, adding that USTelecom engages with CISA nearly daily about alerts and threats. Denbow suggested working with CISA and the sector risk management agencies, adding that it is important for the intelligence community to work with operators to determine which classified intelligence is worth downgrading for sharing, to avoid wasting time.
Reporting Requirements
Rep. James Langevin (D-R.I.) asked Mayer about his suggestion that only confirmed incidents be covered by the bill, and how the government could be better positioned to proactively identify espionage campaigns if operators are not obligated to report suspicious activity to CISA. Mayer said that operators will know a significant cyber incident when they see it, and that once a company realizes it has been hit in a significant way, he fully expects that to result in a conversation with CISA. Bushar said there are many situations in which the initial indicators do not reflect a true compromise, and organizations should be allowed time to fully analyze the data.
Promoting External Security Research
Clarke asked how CISA can use data on cyber incidents to empower security researchers outside CISA to improve security systemically across sectors. Bushar said there are valuable use cases for information that CISA could share with universities and public or private sector research firms, allowing a broader research community to home in on key areas of resiliency or defensibility to protect our infrastructure. He added that this information can be shared anonymously or in a protected way.