
New comprehensive reporting rules for cyber incidents from the Department of Homeland Security

Sweeping new rules for reporting cybersecurity incidents are on the way, and they will cover a large part of industry. The issuing agency is the Cybersecurity and Infrastructure Security Agency. The enabling law is CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act. To learn more about the recent congressional hearing on this sweeping rulemaking, the Federal Drive with Tom Temin spoke with cyber policy expert Bob Metzger, a partner at the law firm Rogers Joseph O’Donnell.

Interview transcript:

Tom Temin They’re coming: sweeping new rules for cybersecurity incident reporting. They’re going to cover a huge part of the industry. The issuing agency is the Cybersecurity and Infrastructure Security Agency. The enabling legislation is CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act. There was a hearing recently on this sweeping legislation. Cyber policy expert Bob Metzger, a partner at the law firm Rogers Joseph O’Donnell, is in the studio with me reporting on the latest developments. Bob, great to have you here. And you’ve been on the front lines reporting on all these developments in cyber policy. CIRCIA, define it again for us briefly, and then we’ll get to the latest developments here.

Robert Metzger Well, CIRCIA was a law that was passed by Congress a couple of years ago in the wake of the SolarWinds incident and Executive Order 14028. And the combination of that evidence from Congress and the executive branch, including the president. There was a lot of concern about the impact of current cyber threats on critical infrastructure. It wasn’t just SolarWinds, Tom. There were other things, like Colonial Pipeline, that caused the leadership of our government on a bipartisan and bicameral basis to decide that we needed to do more. And the centerpiece of that effort was to direct the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency, which is a part of it, to issue regulations that would generally mandate increased reporting of cyber incidents that affect critical infrastructure. Now, the law itself is pretty compelling, but it’s also interesting in that it had a surprisingly long time frame. It was passed about two years ago. The notice of proposed rulemaking came out in April, I believe. The deadline for responses was extended to early July of this year. The proposed rule was so large it was generous. In its pre-print version, Tom, it was 441 pages long, a massive read that would take more than an evening. The rule itself, for all the attention it deserves, probably won’t be published in final form until sometime now or later in 2025. And if we take into account congressional review requirements, this rule won’t take effect until 2026.

Tom Temin Right, and now it’s not just a written proposal and a written request for responses from industry, but it’s about people talking about it in a congressional hearing. And you listened to the whole thing, I didn’t. So essentially: what were the concerns and why so long?

Robert Metzger Well, you know, the hearing was very interesting on the Congressional side. Several members were obviously involved in the creation of the underlying legislation and of course supported the objectives of the legislation. There was a remarkable bipartisan consensus on the importance of those objectives. And there was some self-congratulation, perhaps deserved, that the often divided Congress could come together and agree on this legislation and its objectives. But there was also some consensus on the concerns about the proposed regulations. Aside from the length, there is a great deal of concern in some of the affected sectors, shared apparently by both Republicans and Democrats on the relevant House committee, that the regulation will be too burdensome, particularly for smaller entities that may be subject to the current definitions of covered entities. There is a great deal of concern that there will be overlap, duplication and inconsistency with the other reporting requirements of the sector-specific agencies. And there are widespread concerns that DHS could find itself receiving tens of thousands of cyber incident reports, at too high a level of detail, too high a frequency, and too high a volume, without the resources to meaningfully process those reports and turn them into actionable recommendations for the industries at risk.

Tom Temin We’re talking to Bob Metzger, an attorney at Rogers Joseph O’Donnell. So the real reason for the bloat is the type of things that need to be reported, not the fact of reporting, because you can report something in a simple form that they might draft up next week. But the definition of a cyber incident is broad. Is that why the whole thing is bloated?

Robert Metzger Well, there are two sides to this. Part of the problem, as you note, Tom, is the amount of detail that needs to be reported in an incident. It’s significant. It requires a description of the security precautions that were taken. What vulnerabilities, if known, were exploited? A description of the techniques, tactics, and procedures that the attacker used. Known indicators of an attack. And so on and so forth. These are not things that can easily be pieced together in the first 72 hours of responding to an event. Not only is there a lot of detail required, but the definitions of a reportable incident itself are arguably quite broad and could include things that don’t have a significant or material impact on the actual operations of the business or the security of the infrastructure to which it is connected.

Tom Temin Does the proposal distinguish between attacks and actual security breaches? Because, you know, if you look at the statistics, that’s what the government likes to say. And, you know, our systems are attacked every second. Tens of thousands of times a month or a year, we see attacks that hit like meteorites. Very few actually reach the earth, but they’re whizzing through the sky all the time.

Robert Metzger I would say yes, it does and no, it doesn’t. There is restrictive language.

Tom Temin That’s why you are a lawyer.

Robert Metzger Right. There is some restrictive language in the regulation that seems to allow a company to decide whether the impact is significant, and that, as you know, only requires reporting of certain serious events. But, as you know, that language is very broadly interpreted. And several of those who testified before the House committee were concerned that many companies would choose to report anything and everything that might prove to be significant, even if it wasn’t. And one or two of the witnesses said that, in their interpretation of the proposed regulation, they would report things that might prove to be inconsequential. Part of the problem, Tom, is that you have to collect all of that information within 72 hours. And if you don’t submit enough information, you run the risk of getting what is charitably called a request for information for more information. And if you refuse to respond to that, or if you don’t respond sufficiently, you can get a subpoena if bad things happen. So there’s a hard side to that, despite the nicer-seeming facade.

Tom Temin Yes, the government always has the ultimate weapon in its hand to impose its demands on industry. OK. The hearing has addressed these issues, but basically at this point it is still in the comment phase of responding to the legislation.

Robert Metzger Right. I didn’t hear any strong opposition from the Hill’s side during the hearing. I heard some Republicans express a lot of concern that the small businesses that would be subject to this rule might find this an undue burden and there’s a possibility that it’s going to be impossible for them, and here’s why in a nutshell: If you’re a large organization, like a bank, that’s subject to financial sector regulation, you already do a lot of great stuff. Or, you know, if you’re in the information or communications industry, you have a lot of stuff.

Robert Metzger But if you’re a small or medium-sized business, you probably don’t have your own forensics department already in place. You probably don’t have contact with a technical company that could help you. And in my opinion – and I have experience with cyber attacks – the only way to respond within the time required with the information required is to have the almost instantaneous ability to do internal assessments and forensics and coordinate that with your insurance filings. And that means you need ongoing support all the time. You can’t wait until the event happens to figure out what to do. Well, that means ongoing costs for medium-sized and smaller businesses that will probably only be recouped through higher charges for consumers or utility payers, and that’s really going to be a burden.

Robert Metzger I expect Congress will push for more relief for potentially affected small and medium-sized businesses and will likely also raise the bar on how comprehensively incidents must be reported and how much information must be submitted initially.

Tom Temin Right. And the other important aspect is obvious, but we should mention it anyway. It applies to private operators and people dealing with critical infrastructure, not just government contractors.

Robert Metzger Oh, absolutely.

Tom Temin And that’s why it’s different.

Robert Metzger That also applies to state and local governments in areas like water where they own and operate, Tom. So it applies more generally to private sector entities in areas of regulated industries or that are perhaps not directly regulated but are important participants in the performance of critical infrastructure. That’s a lofty goal. But, you know, whether that’s an affordable and useful way to achieve that goal remains, in my opinion, questionable.

Tom Temin Attorney Bob Metzger is a partner at Rogers Joseph O’Donnell. Thanks as always.

Robert Metzger Thank you very much.

Tom Temin And we’ll post that interview at federalnewsnetwork.com/federaldrive. Subscribe to The Federal Drive wherever you get your podcasts.

Copyright © 2024 Federal News Network. All rights reserved.