Lawmaker to Propose Bill to Incentivize Industry Cybersecurity Cooperation Within Days

FILE - In this Sept. 20, 2020, file photo, Rep. John Katko, R-N.Y., questions witnesses during a House Committee on Homeland Security hearing on Capitol Hill Washington.

FILE - In this Sept. 20, 2020, file photo, Rep. John Katko, R-N.Y., questions witnesses during a House Committee on Homeland Security hearing on Capitol Hill Washington. (Chip Somodevilla/Pool via AP, File)

During congressional testimony, cybersecurity firm FireEye pushed for greater liability protections to be included in a draft cyber incident reporting bill.

Rep. John Katko, R-N.Y., plans to soon introduce legislation based on the idea that private companies will implement appropriate cybersecurity measures in exchange for a safe harbor from liability if attackers breach their systems.

“I look forward to continuing to prioritize major cybersecurity reforms through this committee on a bipartisan basis, including my [Systemically Important Critical Infrastructure] bill, which is coming up in the next few days,” Katko, ranking member of the House Homeland Security Committee, said during a hearing Wednesday. 

The goal of the hearing was to receive feedback from industry stakeholders on a different proposal—the Cyber Incident Reporting for Critical Infrastructure Act of 2021—a draft of which the committee released in advance of the hearing.

The effort to pass cyber incident reporting legislation relates to the voluntary disclosure of an intrusion at IT management company SolarWinds by cybersecurity firm FireEye, which was among about 100 private companies and nine federal agencies affected by the supply-chain attack. 

Lawmakers are concerned that if FireEye had not come forward on its own they would never have known about the widespread compromises. Officials have since attributed the attacks to Russian government actors conducting an espionage campaign. Current breach reporting laws only cover select sectors and are based primarily on the exposure of personally identifiable information.

The reporting law discussed during the hearing would require that the Cybersecurity and Infrastructure Security Agency establish a new office to receive mandated reports of cyber incidents based on criteria that the agency establishes through a rulemaking process allowing industry input.

Representatives from the information technology, communications, finance and pipeline sectors largely praised the proposal. They noted the draft’s use of subpoenas over fines for pursuing covered entities that fail to submit incident reports accordingly and were supportive of a provision preventing the CISA director from requiring those reports any earlier than 72 hours from when a cyber incident is confirmed.    

Rep. Jim Langevin, D-R.I, a member of the congressionally mandated Cyberspace Solarium Commission, expressed concern that sitting on information while pursuing such confirmation wouldn’t allow CISA to warn others of an impending attack.

He noted testimony of FireEye CEO Kevin Mandia, who said they were investigating the SolarWinds event weeks ahead of disclosure.

It was “not 72 hours, it was weeks, and you know those were weeks where Russia was stealing data,” Langevin said. “As we continue to consider this bill, I hope that we're going to continue to work out what definition of ‘cyber incident’ will best ensure that CISA is able to do its job and proactively warn critical infrastructure providers of threats.”

Responding to Langevin’s concern during the hearing, Ron Bushar, FireEye’s senior vice president and global government chief technology officer, said 72 hours is a reasonable time for an initial disclosure and noted provisions in the bill requiring continual updates to disclosure reports. Those would be important, he said.

Bushar also pushed for the bill to include additional incentives to encourage private companies to share information with the government. 

“Major tenants of such a program should ... encourage entities to adopt recognized cybersecurity standards and practices with a minimum threshold, provide greater incentive for private sector entities including liability protections and statutory privilege to not be disclosed in civil litigation, protect privacy and civil rights and provide outreach and technical assistance to entities that do not have cybersecurity expertise or capabilities,” he said.

His comment echoes the model for systemically important critical infrastructure, or SICI, that is recommended by the Solarium Commission and supported by Katko, “if done right.” But liability protections for industry during civil suits has been a huge political sticking point in related debates about data privacy and breach notification. 

During his remarks, Katko praised the committee’s bipartisan effort to advance the incident reporting bill. “But going forward,” he said, “there's a lot of other things, like my systemically important critical infrastructure bill and many others, that are going forward and I hope we can have the same type of team work on that as well.”