Big Tech Tells CISA to Exempt Third-Party Providers from Incident Reporting Rule


Major industry groups clashed on how CISA should define key terms in its rulemaking process to implement the federal incident reporting law.

Providers of commercial information and communications technology shouldn’t be required to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency, a trade association for some of the largest such companies told the agency, which is leading a rulemaking process to implement an incident reporting law for critical infrastructure.

In comments the Information Technology Industry Council promoted in a press release Tuesday, the group, which includes companies like Microsoft, Cisco and Zoom, argued “scoping should be consistent with a national criticality assessment.”

“Such an approach should be encouraged to narrow down when entities are truly carrying out national critical functions that matter to national security, such as satellite communications, versus commercial use cases,” the companies wrote. “If a system is not reasonably tied to a critical function at the national level, then it should not be covered.”

Congress passed the Cyber Incident Reporting for Critical Infrastructure Act in March as a response to what is generally referred to as the SolarWinds hack. The hackers were able to access assets belonging to the commercial-off-the-shelf IT vendor, as well as Microsoft, in a campaign that ultimately compromised nine federal agencies and at least a hundred U.S. companies. The breaches did not come to light until they were voluntarily disclosed by the cybersecurity firm FireEye, which was among those compromised. 

Lawmakers advancing the legislation addressed a need to require reports of cybersecurity incidents in order to warn others in the connected ecosystem and mitigate the effect of cascading impacts to the economy, amid an increase in ransomware and other cyberattacks. But Congress left it largely up to CISA to decide what kinds of entities should be covered under the law and what sorts of incidents should require reporting.

“Critical infrastructure ‘owners and operators’ need to rely on and trust their technology vendors and service providers,” the tech companies wrote, referring to language in the statute. “As such, third-parties/third party vendors should be excluded from the scope of covered entities. Reporting should fall only on the impacted entity itself.”

Trade associations for the financial sector disagreed. In a press release promoting their own comments to CISA Tuesday, the American Bankers Association, the Bank Policy Institute and others said “the requirement to report should apply equally to critical and non-critical services.”

“Many technology providers like cloud services and data aggregators have access to large amounts of sensitive data,” the finance sector groups wrote. “Requiring reporting only from critical infrastructure sectors ignores the incident’s materiality and the possible systemic risks.”

The finance sector’s comments also call for a higher threshold for requiring incident reports, even though one of its own executives—Mastercard Chief Security Officer Ron Green—recently advocated a lower reporting threshold, noting it would yield more success in line with the spirit of the law. At an event hosted by the Center for Strategic and International Studies, CISA Chief Strategy Officer Valerie Cofield also highlighted the benefits of the agency using a lower threshold to spur reporting.

“The criteria for reporting should be based on the incident’s circumstances and severity. Only incidents that are severe and threatening (i.e., have malicious intent) should require a report,” the banking groups said. “Entities should not be required to report technology outages or other service-related interruptions that, while inconvenient, do not pose systemic threats.”

The ITI comments also said CISA should “limit reporting to severe and significant attacks that cause actual disruption or loss and include specific parameters,” among other criteria.

Public comments on CISA’s rulemaking effort were due Monday.