For nearly a quarter century, the government has been coaxing industry to report cyber security incidents. Now it’s the law, and the Cybersecurity and Infrastructure Security Agency has the task of writing the rules and making it happen. For one industry view of how it’s going, the Federal Drive with Tom Temin spoke with the Information Technology Industry Council’s Senior Director of Policy, Courtney Lang.
Tom Temin: Ms. Lang, good to have you on.
Courtney Lang: Thanks for having me, Tom. Great to be here.
Tom Temin: And in reading your comments, I found something that I didn’t even know. And that is, you tell CISA in your comments that there are already 25 cyber incident reporting mechanisms now in the federal government. Tell us more about that one.
Courtney Lang: Yes, that’s right. Throughout the course of our comments, you know, we were exploring all of the different federal incident reporting requirements that already are in existence. And there are quite a few that entities are already subject to; most of them are coming out of different sectoral agencies. But the fact remains that there are a plethora right now of these federal cyber incident reporting requirements, one of which we’re actually still waiting on pursuant to the executive order on improving the nation’s cybersecurity, and that one will levy upon federal contractors additional cyber incident reporting requirements. And so one of the things that we’re really hoping to see CISA do as it kind of further seeks to hone this rulemaking is to leverage the Cybersecurity Incident Reporting Council that was created in the law to streamline and hopefully coordinate this very disparate set of incident reporting requirements, to, you know, streamline as appropriate and where it can all of these different requirements that entities might be subject to.
Tom Temin: In other words, harmonize the whole thing such that if the White House wants contractors to do such and such, that should stand as what is needed for the greater reporting that all industry has to do, including federal contractors.
Courtney Lang: Right. Absolutely. Because to the extent that, again, this all depends on how a covered entity is defined, but it may be the case that a covered entity pursuant to the definition that CISA develops may also fall under these rules that the FAR Council is revising in order to have federal contractors also report on potential incidents that they have experienced.
Tom Temin: Now in the CISA rulemaking that would be reports then to CISA, because when Homeland Security itself was set up, there were 17, 18, 19, I forget the exact number of sectors, and each industrial sector had a corresponding federal agency. A lot of them were DHS, but you also had Energy and Transportation and so on. The new law then is all reporting to CISA.
Courtney Lang: Correct. Right. So the new law will theoretically again, depending on the direction that these definitions take, we’ll have these covered entities reporting covered cybersecurity incidents, to CISA. So CISA will be kind of the clearinghouse for all of these incident reports.
Tom Temin: And did you recommend well, maybe take away some of the other reporting requirements that if say, I’m an energy sector entity, and I have to report to CISA now, do I also have to report to Energy?
Courtney Lang: Yeah, I mean, we’ve certainly encouraged that CISA, you know, again, work with some of these other agencies that perhaps have preexisting requirements, to try to align them where possible. And certainly we would prefer that CISA be kind of the first and only point of contact, and then from there, CISA can disseminate, you know, the appropriate information to other people within the interagency that are relevant to the situation and that may have that very specific need to know about that incident. So, you know, if it’s pursuant to something in the energy sector, CISA would then take that information and be able to disseminate it within the interagency appropriately, but really trying to streamline the process, right, because when an incident happens, companies are rightfully focused on figuring out what happened, investigating the incident and then taking steps to remediate that incident. And so to have to report to multiple different agencies that something has happened, in a certain, you know, fairly quick timeframe even after the incident has happened, you know, adds kind of additional pressure on to the company when they should be focused on remediating the incident as opposed to only focused on kind of maintaining compliance with all of these different regulations or requirements that they have levied upon them.
Tom Temin: We’re speaking with Courtney Lang, she is senior director for policy at the Information Technology Industry Council. And you’ve also expressed in the comments concern about what exactly is a covered entity, and you’re arguing certain types of industrial concerns don’t need to be covered. What’s the thinking there?
Courtney Lang: Yes. So we, you know, have offered in our feedback to CISA some initial scoping recommendations, and these, you know, come from a lot of conversation with our membership around some of the things that we’re already seeing kind of being undertaken by the administration or by specific agencies at large. And so, you know, what we’re really encouraging CISA to do is leverage some of these existing processes that are ongoing in order to really significantly hone the scope, because the way in which the rulemaking is tailored, including how a covered entity is defined, will then in turn impact the volume of information that CISA is receiving and then theoretically also inform, you know, the kind of resources and capabilities that they might need to consume that information. So, you know, as an example, we recently saw President Biden send a letter to Congress, essentially saying that the administration would like to revise its current critical infrastructure policy, PPD 21. As a part of that letter, it also notes that the administration would like to delineate guidance to different agencies on what constitutes kind of the most critical critical infrastructure owners and operators within critical infrastructure sectors. And so this is something that I think will be very important to the CIRCIA rulemaking that CISA is attempting to develop, right, because one of the things that we think is most important is to focus really narrowly on that subset of critical infrastructure owners and operators that, if they were to experience a cyber incident, it would have a significant and severe kind of actual disruption or loss or, you know, severe impact on things like national security, perhaps infrastructure that’s necessary for public health, safety, communications, financial operations, things like that. So the idea would be to kind of really tailor this to focus on that subset. So the efforts being undertaken by the administration will ideally help to inform that.
We also know that CISA has been undertaking the PSIEs, or primary systemically important entities, effort to define, again, a subset of critical infrastructure providers that are kind of most important to the nation’s infrastructure. And so, you know, perhaps leveraging that may also be a way that CISA can further scope and hone what they see as a covered entity.
Tom Temin: It sounds like, though, then that companies that don’t contribute to national security say, I don’t know companies that make Barbie dolls or Frisbees would not be covered entities under this type of regime. But on the other hand, it seems like the learnings from the reporting that is done by critical infrastructure could also help non-critical infrastructure companies learn about cybersecurity. So do you envision a dissemination? If not the details of each attack, the generalized learning that could apply to anyone trying to protect their company?
Courtney Lang: Yeah, absolutely. I think that there are certainly kind of best practices and learnings that can be taken away when an incident occurs. The Cyber Safety Review Board, I think, is a really good kind of example of folks getting together to review kind of what happened with an incident and then publishing a report and explaining kind of some of those findings, including what happened. And so, you know, something similar might be appropriate, you know, as the regime gets stood up, and really leveraging, I would say, the Cyber Safety Review Board to kind of disseminate those more generalized learnings as appropriate, because, as you know, it likely would not be appropriate to kind of share very specific details. But if there are things that can be kind of up-leveled to share with the broader community to uplift cybersecurity writ large, that’s something that’s very important.
Tom Temin: Of course, CISA does release weekly lists of bugs and errors and patches and advice as it is now. So maybe that’s kind of academic. And then what are you thinking about what should be the format and scope and detail of reports, because there’s incidents, and then there’s incidents? And when you really get down into the brass tacks of what you report on and how you report it, it can get awfully complicated awfully fast.
Courtney Lang: Yeah. So, you know, we have done a little bit of thinking. I will note that there are already contents that are included in the law itself. So reports will have to include kind of a series of items already. And we largely think that those are generally sufficient for kind of an initial incident report. We also suggested to CISA that it might be helpful to consider adding several categories, including, you know, information about whether an entity requires specific support from CISA, what they think would be most useful to them if they do require specific support, what does that look like if they have an idea at that time, whether the incident has been reported to other entities. Ideally, you know, if CISA is the clearinghouse for these incidents, that won’t be necessary. But, of course, it may take some time to streamline and harmonize all of these requirements. So those were some other areas that we had encouraged them to think about, including also having the option to voluntarily report additional types of information. I think that is something that should be open to, you know, impacted entities should they think it prudent to kind of report additional information that’s not already required, that could help to identify emerging trends or other kinds of anomalous behavior that’s happening across the landscape. So I think, you know, those are a couple of things that would be important. CISA will also have to figure out how entities should actually submit the report to them. So, you know, we’ve recommended kind of creating a secure and encrypted interface by which companies that are impacted can actually submit those reports, with kind of a standardized set of fields that they could fill out, you know, to keep it easy and streamlined.
And in the event that there is an incident that they’ve been trying to address, you know, you want to have that be something that’s easily accessible, but at the same time, think about what might happen if that system goes down, for whatever reason. You know, it’s important to think about what a backup option for kind of that web-based interface might be.
Tom Temin: And this is probably outside of the scope of the rulemaking and even the law, but you would think that in some instances the National Security Agency, or even the CIA, would want to know about what’s going on in critical infrastructure, especially if it could affect national security. Any thoughts on some kind of mechanism to make sure that not just CISA, but everybody in the government that needs to know, would know?
Courtney Lang: So I think in the law, actually, there is some discussion of CISA’s role in disseminating the contents of a report to, you know, specific agencies that are kind of involved in or might need to know this information. So, you know, I think the important thing there is just making sure that the information that’s being disseminated is only being disseminated to those agencies that have a very specific need to know, and then making sure that it’s, you know, adequately protected, right, because having all of this information about incidents or about, you know, potential vulnerabilities, which is another area that the RFI at least asked about, you know, could then represent kind of an additional attack surface. So really making sure that there are the appropriate kind of security tools in place to actually protect that information will be important, too.
https://federalnewsnetwork.com/cybersecurity/2022/12/industry-has-lots-to-say-about-the-homeland-security-plan-for-cyber-incident-reporting/ Industry has lots to say about the Homeland Security plan for cyber incident reporting