US advances bipartisan bill that mandates disclosure of cybersecurity incidents by critical infrastructure firms


The Committee on Homeland Security on Wednesday advanced a bipartisan bill that would require critical infrastructure firms to disclose cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery. The latest virtual meeting followed months of stakeholder engagement and bipartisan negotiations to tweak the bill, with the intention of carrying out further refinement of the “legislation to ensure it serves the purposes of the Federal government and will result in security benefits to covered entities.”

The Cyber Incident Reporting for Critical Infrastructure Act of 2021 calls for a Cyber Incident Review Office within the CISA to receive, aggregate, and analyze reports related to covered cybersecurity incidents submitted by covered critical infrastructure firms. The review office will also assess the effectiveness of security controls and identify tactics, techniques, and procedures (TTPs) adversaries used to overcome such controls and facilitate timely sharing between relevant critical infrastructure owners and operators.

In case of a cybersecurity incident, the Cyber Incident Review Office shall conduct a review of the details surrounding the cybersecurity incident or group of such incidents and identify ways to prevent or mitigate similar incidents in the future.

The U.S. has increasingly been hit by cybersecurity incidents affecting its critical infrastructure firms. Incidents such as the SolarWinds supply chain compromise, the Colonial Pipeline ransomware attack, and the Oldsmar water plant hack have intensified the urgent need to strengthen critical infrastructure, reduce operational downtime, and protect against financial and reputational damage. Such attacks also prompted the Transportation Security Administration (TSA) to issue updated cybersecurity guidelines, in addition to a requirement to report attacks.

The bill also would direct CISA, after a 270-day period with mandatory windows for stakeholder consultation and comment, to issue an interim final rule describing which critical infrastructure owners and operators are subject to the reporting requirement, which cyber incidents need to be reported, a mechanism for submitting reports, and other details necessary for implementation.

“Importantly, our bill seeks to establish this new mandatory reporting program in a way that sets it apart from CISA’s voluntary cyber programs by establishing a new Cyber Incident Review Office and tasking this new office with the discrete mission of receiving, aggregating, analyzing, and securing cyber incident reports,” Yvette Clarke, a Democrat from New York and chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, wrote in a media statement.

The bill also aims to ensure that covered entities benefit from the new reporting requirement in three ways. It requires CISA to publish quarterly reports with anonymized findings to provide better situational awareness to its partners while directing CISA to identify any actionable threat intelligence that should be shared rapidly and confidentially with cyber ‘first responders’ to prevent or respond to other attacks. It also requires CISA to notify private sector entities that may have been impacted by data breaches or intrusions on federal networks.

“I am pleased with the progress we have made on this legislation but want to be clear that our work is ongoing. We remain open to additional questions and feedback because it is important to get this right,” according to Clarke. “I want to be clear that we do not expect all critical infrastructure owners and operators to be subject to this reporting requirement – rather we expect it to apply only to a subset. That said, I would certainly be happy to explore whether we need to add language directing CISA to provide additional compliance assistance to small businesses that are determined to be covered entities,” she added.

“Establishing a mandatory cyber incident reporting framework at CISA has been a priority for the Homeland Security Committee since last Congress. I applaud Chairwoman Clarke for engaging with stakeholders and working so hard to get the language right,” Bennie G. Thompson, a Democrat from Mississippi and chairman of the Homeland Security Committee, said in a media statement.

“I look forward to continuing to work with her as she continues to refine the text. I would also like to thank Ranking Member Katko for his support of this important legislation. For a decade and a half, I have served as either Chairman or Ranking Member of this Committee,” Thompson said.

“Over the years, there has been an evolution in thinking about how closely the public and private sector need to collaborate to protect our nation’s critical infrastructure. I have seen the Federal government struggle to find the right way for critical infrastructure owners and operators to share security information with the government and to zero in on how to turn that information into an actionable security product,” he added.

Industrial cybersecurity company Claroty observed that with CISA having oversight, the office would be an important step toward building a future where the federal government obtains more actionable information from the private sector on cyber incidents so that the Internet ecosystem can be made more secure.

“From Claroty’s perspective, this proposed bill is an important step toward preventing disruptive attacks in the future and enabling the intelligence sharing between the private and public sector that has been missing,” Grant Geyer wrote in a company blog post. “Our perspective comes from a clear understanding of the role of the diverse private-sector ownership of critical infrastructure, as well as the need for the government to garner better visibility into operational technology networks vital to the country’s economic and national security.”