Extensive new rules on cybersecurity incident reporting will soon go into effect and will cover many industries. The issuing agency is the Cybersecurity and Infrastructure Security Agency. The implementing law is the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). For more on the recent public hearings on this massive rulemaking, the Federal Drive with Tom Temin spoke with Bob Metzger, cyber policy expert and partner at the law firm Rogers Joseph O'Donnell.
Interview Transcript:
Tom Temin Broad new rules on cybersecurity incident reporting will soon go into effect. The rules will cover many industries. The issuing agency is the Cybersecurity and Infrastructure Security Agency. The implementing law is CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act). There were extensive rulemaking hearings recently. Cyber policy expert Bob Metzger, partner at the law firm Rogers Joseph O'Donnell, joins us in studio to give us an update. Thanks for joining us, Bob. You've been on the front lines covering all of these cyber policy developments. So, CIRCIA, give us a quick redefinition, and then we'll talk about the latest developments.
Bob Metzger CIRCIA is a law that was passed by Congress several years ago in the wake of the SolarWinds incident and Executive Order 14028. There was great concern expressed by both Congress and the executive branch, including the President, about the impact of modern cyber threats on critical infrastructure. It wasn't just SolarWinds, Tom. There were also incidents, such as Colonial Pipeline, that caused government leadership, on a bipartisan and bicameral basis, to decide that more needed to be done. The core of that effort was to direct the Department of Homeland Security, and the Cybersecurity and Infrastructure Security Agency, which is part of it, to develop regulations that would broadly mandate reporting of cyber incidents that affect critical infrastructure. The law itself is very compelling, but it's also interesting in that it had a surprisingly long timeline. The law was passed almost two years ago. I think the notice of proposed rulemaking was issued in April. The deadline for responses was extended until early July of this year. The proposed rule was very long, to put it generously. Tom, the pre-publication version was 441 pages long and a daunting read; you can't get through it in one night. The rule itself, despite the attention it will receive, probably won't be released in final form until late 2025, or sooner. And given congressional review requirements, the rule won't go into effect until 2026.
Tom Temin Right. And now it's gone from written proposals and written requests for responses from industry to people talking about it in congressional hearings. You're hearing all that; I'm not. So, basically, what were the concerns, and why did they last so long?
Bob Metzger Well, from the Congressional side, the hearings were very interesting. Several of the members were obviously involved in drafting the underlying legislation and naturally supported the objectives of the legislation. There was a surprising bipartisan agreement on the importance of those objectives. And there was perhaps a natural self-congratulation that an often-divided Congress could come together and agree on this legislation and its objectives. But there was also some consensus on concerns about the proposed regulations. Length aside, there are significant concerns in many affected sectors that the rule will be too burdensome, especially for small businesses that may fall under the current covered entity definition, and this appears to be shared by both Republicans and Democrats on the relevant House committees. There are significant concerns that there will be duplication, overlap, and conflict with other incident reporting requirements of sector-specific agencies. There are also widespread concerns that DHS is churning out tens of thousands of reports of cyber incidents that are too detailed, too frequent, too voluminous, and without the means to adequately address those reports and translate them into actionable recommendations for industries at risk.
Tom Temin We spoke with Bob Metzger, an attorney with Rogers Joseph O'Donnell. So the bloat here is the type of items that have to be reported, not the act of reporting them. You can report them next week on a form that's easy to fill out. But the definition of a cyber incident is very broad. Is that what's causing this whole thing to bloat?
Bob Metzger Well, there are two parts. As Tom pointed out, part of the problem is the amount of detail that must be reported when an incident occurs. And it's substantial. You need a description of the security defenses that were in place. Whether any known vulnerabilities were exploited. A description of the techniques, tactics, and procedures used by the adversary. Known indicators of compromise. And you need a lot more information. These are not easy things to gather within the first 72 hours of responding to an event. Not only is the required detail very extensive, but the very definition of a reportable incident is quite broad and can range from things that have no real or material impact on the actual operations of the enterprise or the security of the infrastructure to which the enterprise is connected.
Tom Temin Now, does this proposal distinguish between attacks and actual intrusions? You know, if you look at the statistics, the government says this a lot. And, you know, our systems are being attacked on a second-by-second basis. You know, tens of thousands of times a month or a year, we see them coming like meteors. Very few of them actually make it to Earth, but they're constantly flying through the sky.
Bob Metzger Yes, it is, and no, I don't think it is. There are qualifying words.
Tom Temin That's why you're a lawyer.
Bob Metzger That's right. There is some limited language in the regulations that allows companies to determine whether the impact is significant, and, you know, it only requires reporting of certain significant events. But, you know, this language can be interpreted very broadly. Several witnesses who testified before the House committee were concerned that many companies would decide to report everything that could be significant, even if it's not significant. And one or two witnesses said that their interpretation of the proposed rule would result in them reporting things that could be incidental. Tom, part of the problem is that you have to collect all of this within 72 hours. If you don't provide enough information, you run the risk of getting what they charitably call a request for more information. If you don't respond to that, or don't respond well enough, you could get a subpoena if something bad happens. So, although it seems positive at first glance, there is a tough side to this.
Tom Temin Yes, the government is always going to use the ultimate weapon to force industry to do what it wants. OK, so the hearings addressed these issues, but at this point we're still essentially in the response comment stage of the rulemaking.
Bob Metzger Well, I didn't hear any strong opposition from Congress in the hearings. I heard some Republicans expressing great concern that this is going to be an undue burden on small businesses that are subject to this regulation, that it may become impossible for them. And I'll give you a quick explanation of why. If you're a large company like a bank and you're subject to financial sector regulation, you've already done a lot of great things. Or if you're in the information and communications industry, you've already done a lot.
Bob Metzger But if you're a small or mid-sized business, you probably don't have an in-house forensic capability set up or currently operating, and you probably don't have connections to technology companies that can help you. My judgment, having experienced a cyber breach, is that the only way to respond in the time required with the requested information is to perform the internal evaluation and forensics almost instantly and coordinate with insurance claims. That means you need to have a steady-state of support up and running; you can't wait until it happens to figure out what to do. That means a very burdensome ongoing expense for mid-sized and small businesses that is unlikely to be recouped outside of rate increases to consumers and ratepayers.
Bob Metzger I expect Congress will want to provide more relief to small businesses that may be affected, and perhaps set higher standards for how extensively an incident must be reported and how much information must be provided initially.
Tom Temin Yes. And the other important aspect is, and it should be obvious, but it's worth mentioning: This applies not just to government contractors, but also to private businesses and people who work in critical infrastructure.
Bob Metzger Ah, of course.
Tom Temin That's why it's different.
Bob Metzger Tom, this also applies to state and local governments in areas such as water; they are owners and operators. So it applies broadly to private companies in areas of regulated industries; or maybe they're not directly regulated, but they're significant participants in the operation of critical infrastructure. This goal is a noble one. But, you know, my judgment is that whether this is an affordable and effective way to achieve that goal remains questionable.
Tom Temin Attorney Bob Metzger is a partner at Rogers Joseph O'Donnell. Thank you as always.
Bob Metzger Thank you.
Tom Temin The interview will be posted at federalnewsnetwork.com/federaldrive. Subscribe to The Federal Drive wherever you listen to podcasts.
Copyright © 2024 Federal News Network. All Rights Reserved.