Battle lines are drawn in Congress over legislation that would require companies to report some cyber incidents to the federal government, with industry groups lining up to support a House of Representatives bill poised to create fewer challenges for business leaders than a similar proposal in the Senate.
The debate involves questions about how quickly companies would have to report attacks, what kinds of specific intrusions would trigger notification and whether failure to comply with the rules would lead to financial penalties. The idea of breach notification legislation gained momentum following last year’s discovery of the SolarWinds hack that compromised nine federal agencies and some 100 companies, as well as the Colonial Pipeline ransomware attack in May.
At issue are such questions as whether companies have 24 or 72 hours to report an incident, along with who would be on the hook outside of critical infrastructure owners and operators, if anyone.
That industry groups prefer legislation that would create less of a burden on businesses is unsurprising. The hearing Wednesday, however, made clear the gulf between the two chambers’ leading proposals and the hurdles to passage despite the early momentum.
Banking, energy, information technology and telecommunications industry organizations told the House Homeland Security Committee’s cybersecurity subpanel that they largely favored provisions in draft legislation sponsored by New York Reps. Yvette Clarke, the Democrat who chairs that subcommittee, and John Katko, the top Republican on the full panel.
That House bill would give the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency the authority to determine when critical infrastructure business owners and operators must report breaches to CISA. The bill would forbid CISA from writing rules requiring that they do so within 72 hours.
A comparable Senate bill, sponsored by Intelligence Committee Chairman Mark Warner, D-Va., and bipartisan members of his panel, imposes reporting requirements on additional companies, such as incident response firms and government contractors. It would set a 24-hour deadline.
The 72-hour window is “feasible,” said John Miller, senior vice president and general counsel of the Information Technology Industry Council.
“Requiring an entity to report an incident on a shorter timeline may be insufficient for companies to determine the nature of the issue — is it a cyberattack or is it merely a network outage?” he said in written testimony.
A Senate aide countered that waiting 72 hours or longer could mean the incident had already spread and done major damage.
Ronald Bushar, vice president and government chief technology officer for FireEye Mandiant, told Clarke that he didn’t believe incident response firms — like his company — should be required to report clients’ incidents.
“You are in a situation of high trust with your clients,” Bushar said. “It puts us … in a real challenging position of betraying one trust to provide information to another partner.”
The differences go deeper, however.
The bill under discussion in the House would give companies that share breach data protection against lawsuits, and specifies no punishments for not complying. The Senate bill authorizes financial penalties tied to a company’s gross revenue. Naturally, the private sector prefers not to face penalties, according to the Senate aide.
And while the Senate legislation leaves it to CISA to define what kinds of “cybersecurity incidents” trigger notification requirements, the House legislation defines them as those “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Further, the Senate version requires reporting of confirmed and potential intrusions, while the House bill only applies to confirmed intrusions.
Mandates on reporting potential intrusions could do more harm than good, said Heather Hogsett, senior vice president for technology and risk strategy for BITS, the technology policy division of Bank Policy Institute.
“You’re going to wind up with a situation where CISA is deluged with information that’s not helpful to them, it’s not useful, and they also get bogged down with information that isn’t really the actual threats and the highest risks we want them and everyone else to focus on,” she said.
Whether reporting only confirmed incidents would provide sufficient protection remains unclear in an era defined by large, spiraling attacks, said Rep. Jim Langevin, D-R.I.
“I’m a bit concerned about the gap I see between the amount of information CISA needs to meaningfully improve the cybersecurity of our critical infrastructure sector, and the amount of data CISA would receive if it were only notified of confirmed cyber incidents,” he said.
A spokesperson for Warner said, “We’ve had many productive meetings with stakeholders about the bill and continue to work through their feedback.”