Critical infrastructure operators would be required to report cyber incidents to the government’s cybersecurity agency within three days under a bipartisan bill from House Homeland Security Committee leaders.
The draft legislation follows a large increase in cyberattacks across critical infrastructure sectors, including on energy firm Colonial Pipeline Co. and meat producer
The bill backed by Chair
The bill is expected to be formally introduced following Wednesday’s House Homeland Security Committee hearing, according to a person familiar with the legislation who asked not to be identified because the information isn’t public. The purpose of the hearing will be for lawmakers to discuss the bill text with industry stakeholders.
Witnesses scheduled to appear at Wednesday’s hearing include executives at cybersecurity firm Mandiant, and critical infrastructure sector associations, including the Bank Policy Institute, Information Technology Industrial Council, USTelecom and American Gas Association.
Parallel Senate Efforts
Senate Homeland Security and Governmental Affairs Chair
Senate Intelligence Chair
The forthcoming House bill doesn’t specifically spell out penalties for not reporting cyber intrusions. Instead, it directs CISA to further define four elements of the reporting regime:
- Which critical infrastructure entities would be required to report cyber incidents;
- What a significant cybersecurity incident entails;
- The methods by which covered entities report incidents; and
- How CISA will enforce reporting noncompliance, including issuing subpoenas.
The draft legislation generally defines “significant cyber incident” as one that is likely to cause demonstrable harm to national security, foreign relations, the economy, public confidence, civil liberties, or public health and safety.
72-Hour Reporting Window
One significant difference in the House bill is the longer 72-hour reporting window, compared to the 24-hour window in the Senate bill from Warner and Rubio.
Grant Geyer, the chief product officer at Claroty, which provides cybersecurity services to companies to protect their industrial control systems, applauded the 72-hour reporting window.
“Within industrial environments, because of skill set gaps, environments are not as effectively positioned to spot cyberattacks — there’s definitely going to be a fog of what’s occurring within the first couple of days,” Geyer said in an interview.
He added that 72 hours “really gives organizations time to get a clear view and also ensures that CISA isn’t flooded with false positives that are really not incidents.”
The bill also has the backing of the American Gas Association, which represents large gas pipeline companies.
“AGA supports the draft bill since it establishes the criteria we believe is necessary for a workable incident reporting framework,” the association said in a statement. “We support the timing of incident reporting, supplemental reporting clarity, recognition of existing reporting requirements, Information Sharing & Analysis Centers, and liability protections.”