Witnesses to Suggest Tailoring Cyber Reporting Bill
Industry witnesses will suggest refining cyber incident reporting legislation that the House Cybersecurity Subcommittee will consider at Wednesday’s noon virtual hearing (see 2108270066). The U.S. government should consider a federal incident reporting program that includes mandatory disclosure requirements, said FireEye Mandiant Global Government Chief Technology Officer Ronald Bushar in a statement. The focus of mandatory reporting should be compliance support, not punishment for noncompliance, said Bushar, who is to testify. “Fines and other financial or legal punishments do not properly reflect the truth that, barring gross negligence or willful misconduct, organizations that suffer a cyber attack are victims of a crime.”
The Information Technology Industry Council doubled down on recommendations for limiting the scope of cyber incident reporting legislation, in prepared testimony (see 2108300059). This includes feasible reporting timelines; appropriate confidentiality, nondisclosure and liability protections; limiting reporting to impacted entities; streamlined incident reporting requirements; and establishing “appropriate” reporting thresholds. General Counsel John Miller is to testify for ITI. Other witnesses didn’t comment Tuesday. They include USTelecom Senior Vice President-Cybersecurity Robert Mayer.
The bill would require “covered critical infrastructure entities to report certain cyber incidents” to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said subcommittee Chair Yvette Clarke, D-N.Y., in a statement. She’s been working with ranking member John Katko, R-N.Y. The Cyber Incident Reporting for Critical Infrastructure Act “would direct CISA to work with stakeholders to craft requirements that are tailored to get CISA the information it needs to understand the cyber threat landscape,” said Clarke. The bill “strikes the right balance of carrots and sticks to close the centralized visibility gap around cyber incident reporting and provides CISA the needed visibility to protect our nation’s critical infrastructure and federal networks,” said Katko.
CISA published a cybersecurity advisory with the FBI Tuesday highlighting “precautions and mitigation steps” the public and private sectors can take to reduce “risk to ransomware and other cyber attacks, specifically leading up to holidays and weekends.” The agencies “strongly discourage” paying ransoms, which doesn’t “guarantee files will be recovered, nor does it ensure protection from future breaches.” They recommended offline data backups, avoiding suspicious links, updating operating systems and software, strong passwords, multifactor authentication and incident response plans.