New comprehensive Homeland Security cyber incident reporting rules

The extensive new rules for cybersecurity incident reporting are on the way and they will cover a lot. The issuing agency is the Cybersecurity and Infrastructure Security Agency. The enabling legislation is CIRCIA: the Cyber Incident Reporting for Critical Infrastructure Act. To find out more about the recent hearing that took place on the voluminous rule making, the Federal Drive with Tom Temin talked with cyber policy expert Bob Metzger, a partner at the law firm, Rogers, Joseph O’Donnell.

Interview Transcript:

Tom Temin They’re coming: extensive new rules for cyber security incident reporting. They’ll cover a lot of industry. The issuing agency is the Cybersecurity and Infrastructure Security Agency. The enabling legislation is CIRCIA, the Cyber Incident Reporting for Critical Infrastructure Act. Recently, a hearing took place on the voluminous rulemaking. Cyber policy expert Bob Metzger, a partner at the law firm Rogers Joseph O’Donnell joins me in studio with the latest. Bob, good to have you in. And you have been on the forefront of covering all of these cyber policy developments. CIRCIA, just quickly redefine it for us, and then we’ll get into what’s the latest development here.

Bob Metzger Well, CIRCIA was a statute that was passed by Congress a couple of years ago in the wake of the SolarWinds event and the Executive Order 14028. And the combination of these evidence on the part of both Congress and the executive branch, including the President. Great concern about the impacts of contemporary cyber threats upon critical infrastructure. It wasn’t just SolarWinds, Tom. There were other things, such as Colonial Pipeline, that caused the leadership of our government on a bipartisan basis and bicameral basis to decide that we needed to do more. And the centerpiece of that effort was to direct the Department of Homeland Security and the Cyber Security and Infrastructure Security Agency which is a part thereof, to put out regulations that would broadly require increased reporting of cyber incidents affecting critical infrastructure. Now, the statute itself is quite compelling, but it’s also interesting in that it had a surprisingly long timeline. It was passed about two years ago. The notice of proposed rulemaking came out, I think, in April. The time for responses has been extended to early July of this year. The proposed rule was extensive to be charitable. In the pre-publication version, Tom, it was 441 pages in length, a daunting read, more than an evening’s requirement. The rule itself, for all of the attention it deserves, won’t be published in a final form probably until sometime around now or later in 2025. And if we take into consideration congressional review requirements, this rule won’t be effective until 2026.

Tom Temin Right, and now, it’s moved from the written proposal and written requirement for responses from industry to people talking about it in a congressional hearing. And you listened to the whole thing, I did not. So basically, what were the concerns and why so long?

Bob Metzger Well, you know, the hearing was very interesting on the congressional side. Several of the members clearly had a hand in the authorship of the underlying statute, and they naturally were supportive of the objectives of the legislation. There was remarkable bipartisan agreement on the importance of those objectives. And self-congratulation, perhaps earned, that, you know, the often divided Congress could come together and agree on this legislation and its purposes. But there was also something of a consensus of concern about the proposed regulations. Apart from the length, there’s a great deal of concern running across a number of the affected sectors, apparently shared by both Republicans and Democrats on the relevant House committee, that the rule is going to be too burdensome, especially on the smaller businesses, who could be subject to the present definitions of covered entities. There’s a great deal of concern that there will be overlap, duplication and inconsistency with the other incident reporting requirements of the sector-specific agencies. And there is widespread concern that DHS may set itself up to receive many tens of thousands of cyber incident reports at a level of detail that is too great and frequency that is too high, in a volume that is too much, and without the means to address those sensibly and turn them into actionable recommendations for the industries who are at risk.

Tom Temin We’re speaking with Bob Metzger, an attorney with Rogers Joseph O’Donnell. So really, the ballooning factor here is the types of items that would have to be reported, not the act of reporting, because you can report something in a simple form they could design next week. But the definition of what is a cyber incident is expansive. Is that what’s causing the ballooning of this whole thing?

Bob Metzger Well, there’s two parts to it. Part of the problem, as you point to, Tom, is the amount of detail that has to be reported when an incident occurs. It is substantial. It requires a description of the security defenses that were in place. Which vulnerabilities, if known, were exploited? A description of the techniques, tactics and procedures that were used by the adversary. Known indicators of compromise. And more and more and more. These are not things that are easy to collect in the first 72 hours when you are responding to an event. There’s not only a great deal of detail required, but the definitions themselves of a reportable incident, arguably, are quite broad and could reach things that don’t have a substantial or material impact upon the actual operation of the enterprise, or the security of the infrastructure to which it’s connected.

Tom Temin Well, does the proposal make the distinction between attacks and actual breaches? Because, you know, you look at the statistics, the government loves to say this. And, you know, our systems are attacked by the second. You know, tens of thousands of times a month or a year, we see incoming, they’re like meteorites. Very few actually reach Earth, but they’re flashing through the sky all the time.

Bob Metzger I would say yes, it does, and no, it doesn’t. There is qualifying language.

Tom Temin That’s why you’re a lawyer.

Bob Metzger Right. There’s qualifying language in the regulation that seems to allow an enterprise to decide whether the impact is substantial, which, you know, only calls for reports of certain serious events. But, you know, these are words that can be interpreted very widely. And several of those who testified before the House Committee were concerned that many companies would decide to report anything and everything that might prove to be substantial, even if it was not. And one or two of the witnesses said that their interpretation of the proposed rule would have them reporting on things that might prove to be incidental. Part of the problem, Tom, is that you’ve got to collect all this stuff within 72 hours. And if you don’t put enough in, you’re at risk of getting what they call charitably a request for information for more stuff. And if you declined to respond to that or you don’t respond sufficiently, then you can get a subpoena where bad things happen. So there is a hard edge to this, despite the sort of nicer seeming front end.

Tom Temin Yeah, the government always has that ultimate point of a gun to enforce what it is they want from industry. All right. So the hearing aired these issues, but it’s still basically in rulemaking response commenting stage at this point.

Bob Metzger Right. I did not hear strong opposition from the Hill side during the hearing. I did hear a number of the Republicans express great concern that the small businesses who would be subject to the rule might find this excessively burdensome, and there is a chance that it will be impossible for them, and here’s why, briefly. If you’re a large organization that’s a, you know, bank and subject to financial sector regulation, you already do a lot of great stuff. Or, you know, if you’re in information or communications, you got a lot of stuff.

Bob Metzger But if you’re a small or medium sized enterprise, you probably don’t have a forensics capability in-house in place and operating today. You probably don’t have a contact with technical enterprise that could help you. And the only way, in my judgment, and I have experience with cyber breaches, the only way to respond within the time required with the information demanded, is to have almost instantaneous ability to do internal assessment and forensics and to coordinate this with your insurance submissions. And this means you’ve got to have assistance running on a steady state. You can’t wait until the event happens to figure out what to do. Well, that implies a continuing expense for the medium sized and smaller businesses that is unlikely to be recoverable except through higher charges to consumers or ratepayers, and which really will be burdensome.

Bob Metzger I expect that Congress will want to see more relief for the smaller and medium sized enterprises who could be affected, and probably want to set a higher bar for how broadly incidents must be reported and how much information must be initially submitted.

Tom Temin Right. And the other important aspect, which is obvious, but we should mention it anyway. This applies to private sector operators and people involved with critical infrastructure, not just to government contractors.

Bob Metzger Oh, absolutely.

Tom Temin And that’s why it’s different.

Bob Metzger It also applies, Tom, to state and local governments in areas such as water, where they are the owner and operator. So it applies broadly to private sector enterprises in areas of regulated industries or who may not be directly regulated, but who are key participants in the performance of critical infrastructure. The aspiration is great. But, you know, whether this is an affordable and useful way to achieve that aspiration remains in doubt in my judgment.

Tom Temin Attorney Bob Metzger is a partner at Rogers Joseph O’Donnell. As always, thanks so much.

Bob Metzger Thank you.

Tom Temin And we’ll post this interview with federalnewsnetwork.com/federaldrive. Subscribe to The Federal Drive wherever you get your podcasts.

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.