Paul Eisler

Cyber Incident Reporting Legislation: Principles for an Effective Federal Program

There is no shortage of proposals on Capitol Hill to increase mandatory and voluntary reporting of cyber incidents by the private sector. Each proposed piece of legislation attempts to solve for what the U.S. government broadly regards as a visibility challenge. When high-profile cyberattacks occur, such as the attack on SolarWinds, policymakers want to make sure that relevant agencies have an appropriate degree of insight into what happened.

But as Congress looks to increase visibility, it shouldn’t lose sight of the tremendous amount of collaboration that already occurs in many sectors to keep government partners informed about cyber threats and intrusions.

The communications sector, for example, participates in FCC programs such as the Disaster Information Reporting System (DIRS)[1] and the Network Outage Reporting System (NORS)[2]. The sector has long-established, voluntary cyber incident reporting relationships with the FBI and the Secret Service. Publicly traded communications providers are also subject to the SEC requirement that public companies disclose material cyber incidents.[3] The sector also partners closely with DHS across multiple venues to enhance the nation’s cyber readiness.

As the U.S. government considers changes to existing policies and new requirements for cyber incident reporting, it is important to deeply engage private sector partners – not only because the private sector is on the front lines and directly impacted by these proposals, but also because owners and operators of critical infrastructure have unique operational insights that can help the government effectuate its security goals with greater efficiency.

Each legislative proposal merits individualized consideration. However, certain principles are broadly applicable across the various proposals and should help advance the public-private dialogue on this important topic.

1. Reporting obligations should reside with victims of cyberattacks and not intermediaries.

ISPs should not have an obligation to report their customers or other compromised entities to the government. Any policy requiring ISPs to report customers would be cause for concern on a number of grounds, including public policy and privacy concerns, disruptions to business relationships and operations, and possible legal issues associated with those kinds of disclosures.

2. The reporting window should be large enough for industry to triage incidents.

When an incident occurs, industry will need at least enough time to investigate the incident, determine whether reporting criteria have been met, and comply with applicable best practices. Rather than establishing one-size-fits-all solutions in legislation, Congress should consider giving CISA (or another relevant federal agency) discretion to set reporting windows within reasonable parameters. For example, while some types of incidents may be reportable within 72 hours, situations may arise where more time is necessary to avoid diverting resources from active mitigation and response efforts. Flexibility should therefore be built into the reporting requirements in recognition that no two events are exactly the same.

The reporting clock should start only after an incident has been determined to meet the reporting criteria. Otherwise, out of an abundance of caution, industry would likely report many events that do not meet those criteria because of the remote possibility of escalation. Such overreporting would strain government resources and be counterproductive for both sides of the public-private partnership.

3. Thresholds should be clearly defined by subject matter experts, and only confirmed (not potential) incidents should be reported.

Defining reporting thresholds is a highly technical exercise that requires extensive subject matter expertise. The thresholds need to be specific enough to avoid ambiguity, so that industry knows exactly how to comply with the reporting requirements. Given these complexities, policymakers should consider directing federal agency experts to define thresholds in consultation with industry, rather than attempting to include thresholds in legislation.

Only confirmed cyber incidents, not potential incidents, should be reported; otherwise both government and industry resources will be strained by the problem of overreporting. The thresholds need to be grounded in criteria that are verifiable, attributable, and actionable. When defining reporting thresholds, it is also important to avoid imposing the assumptions of one entity upon another: what counts as a major attack for one business may be far less significant for another.

4. Federal legislation should protect government’s industry partners when they are victims of cyberattacks.

There are a number of important protections Congress should grant industry partners who report cyber incidents. To begin with, liability protections and safe harbors are essential. Congress should also ensure reported information is not used for regulatory purposes. Other considerations include protection of trade secrets; waiver of ex parte communications; and treatment of reported information (e.g., commercial, financial, proprietary). A good place to begin is the protections in the Cybersecurity Information Sharing Act of 2015, but there is no substitute for consulting industry. Different players may provide unique insights into how incident reporting affects them legally and operationally.

Consistent with creating good incentives, incident reporting legislation should avoid excessive penalties or other policies that create disincentives to industry investment in sophisticated threat monitoring capabilities.

5. The federal government should take steps to protect reported data.

When the government collects sensitive information from industry partners, it has a responsibility to protect that information. To that end, legislation should include provisions to ensure data from incident reports is not shared inappropriately or leaked once it is made available. There should be a rule to ensure victim names reported to CISA (or some other federal agency) are not shared outside the agency. This is essential to ensure the information is safeguarded appropriately and not misused. Incident reporting should be covered either by CISA’s Protected Critical Infrastructure Information (PCII) Program[4] or an equivalent program.

By following these principles, Congress and policymakers in federal agencies can move the conversation forward and develop incident reporting legislation that enhances the public-private partnership that is foundational to bolstering the country’s cyber readiness and resilience.

Paul Eisler is Senior Director, Cybersecurity at USTelecom – The Broadband Association. Twitter: @Paul_Eisler