[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]

STAKEHOLDER PERSPECTIVES ON THE CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE ACT OF 2021

=======================================================================

HEARING BEFORE THE SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION OF THE COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
FIRST SESSION

SEPTEMBER 1, 2021

Serial No. 117-28

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.govinfo.gov

U.S. GOVERNMENT PUBLISHING OFFICE
46-175 PDF WASHINGTON : 2021

-----------------------------------------------------------------------------------

COMMITTEE ON HOMELAND SECURITY

Bennie G. Thompson, Mississippi, Chairman

Majority members: Sheila Jackson Lee, Texas; James R. Langevin, Rhode Island; Donald M. Payne, Jr., New Jersey; J. Luis Correa, California; Elissa Slotkin, Michigan; Emanuel Cleaver, Missouri; Al Green, Texas; Yvette D. Clarke, New York; Eric Swalwell, California; Dina Titus, Nevada; Bonnie Watson Coleman, New Jersey; Kathleen M. Rice, New York; Val Butler Demings, Florida; Nanette Diaz Barragan, California; Josh Gottheimer, New Jersey; Elaine G. Luria, Virginia; Tom Malinowski, New Jersey; Ritchie Torres, New York.

Minority members: John Katko, New York; Michael T. McCaul, Texas; Clay Higgins, Louisiana; Michael Guest, Mississippi; Dan Bishop, North Carolina; Jefferson Van Drew, New Jersey; Ralph Norman, South Carolina; Mariannette Miller-Meeks, Iowa; Diana Harshbarger, Tennessee; Andrew S. Clyde, Georgia; Carlos A. Gimenez, Florida; Jake LaTurner, Kansas; Peter Meijer, Michigan; Kat Cammack, Florida; August Pfluger, Texas; Andrew R. Garbarino, New York.

Hope Goins, Staff Director
Daniel Kroese, Minority Staff Director
Natalie Nixon, Clerk

------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND INNOVATION

Yvette D. Clarke, New York, Chairwoman
Andrew R. Garbarino, New York, Ranking Member

Majority members: Sheila Jackson Lee, Texas; James R. Langevin, Rhode Island; Elissa Slotkin, Michigan; Kathleen M. Rice, New York; Ritchie Torres, New York; Bennie G. Thompson, Mississippi (ex officio).

Minority members: Ralph Norman, South Carolina; Diana Harshbarger, Tennessee; Andrew Clyde, Georgia; Jake LaTurner, Kansas; John Katko, New York (ex officio).

Moira Bergin, Subcommittee Staff Director
Austin Agrella, Minority Subcommittee Staff Director
Mariah Harding, Subcommittee Clerk

C O N T E N T S

----------

Statements

The Honorable Yvette D. Clarke, a Representative in Congress From the State of New York, and Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation: Oral Statement; Prepared Statement.

The Honorable Andrew R. Garbarino, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation: Oral Statement; Prepared Statement.

The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Chairman, Committee on Homeland Security: Prepared Statement.

The Honorable John Katko, a Representative in Congress From the State of New York, and Ranking Member, Committee on Homeland Security: Oral Statement; Prepared Statement.

Witnesses

Mr. Ronald Bushar, Vice President and Government CTO, FireEye Mandiant: Oral Statement; Prepared Statement.

Ms. Heather Hogsett, Senior Vice President, Technology & Risk Strategy for BITS, Bank Policy Institute: Oral Statement; Prepared Statement.

Mr. John S. Miller, Senior Vice President of Policy, and General Counsel, Information Technology Industry Council: Oral Statement; Prepared Statement.

Mr. Robert Mayer, Senior Vice President, Cybersecurity, USTelecom: Oral Statement; Prepared Statement.

Ms. Kimberly Denbow, Managing Director, Security and Operations, American Gas Association: Oral Statement; Prepared Statement.

For the Record

The Honorable Yvette D. Clarke, a Representative in Congress From the State of New York, and Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation: Letter From Claroty; Statement of Accenture; Letter From Multiple Associations; Letter From NTCA--The Rural Broadband Association; Statement of the American Public Power Association (APPA) and the National Rural Electric Cooperative Association (NRECA).

STAKEHOLDER PERSPECTIVES ON THE CYBER INCIDENT REPORTING FOR CRITICAL INFRASTRUCTURE ACT OF 2021

----------

Wednesday, September 1, 2021

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation,
Washington, DC.

The subcommittee met, pursuant to notice, at 12 p.m., via Webex, Hon. Yvette D. Clarke [Chairwoman of the subcommittee] presiding.
Present: Representatives Clarke, Jackson Lee, Langevin, Thompson (ex officio), Garbarino, Clyde, and Katko (ex officio).

Ms. Clarke. The Committee on Cybersecurity, Infrastructure Protection, and Innovation will come to order. The subcommittee is meeting today to receive testimony on ``Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021.'' Without objection, the Chair is authorized to declare the committee in recess at any point.

So good afternoon, everyone. I would like to thank the witnesses for participating in today's hearing on the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Earlier this year, this committee held a joint hearing with the Committee on Oversight and Reform to examine the SolarWinds supply chain attack. Our oversight revealed a number of gaps in Federal authorities, policies, and capabilities that Congress must address to secure its own networks and better serve its private-sector partners. But what stood out to me was how lucky we were that FireEye disclosed that it had been compromised. Where would we be if they had chosen not to?

At this hearing--at the hearing, excuse me, I asked whether we would benefit from implementing a mandatory cyber incident reporting framework. Microsoft President Brad Smith observed that today information is siloed and that we need one entity in a position to scan the entire horizon and connect the dots between all of the attacks or hacks that are taking place.
SolarWinds President Sudhakar Ramakrishna testified having a single entity to which all of us can report will serve the fundamental purpose of building speed and agility and argued that private enterprises, ``should be instructed with reporting requirements and be made part of this community vision where public and private sectors can work together on addressing this issue.'' At the same hearing, FireEye CEO Kevin Mandia testified about the importance of centralizing intelligence to improve the speed at which the picture and vision will come together, end quote.

That hearing convinced me that Congress must act to ensure the Cybersecurity and Infrastructure Security Agency, known as CISA, receives timely cyber incident information from critical infrastructure owners and operators. Since then, I have worked with Chairman Thompson and Ranking Member Katko to draft legislation to establish a mandatory cyber incident reporting framework at CISA. I would like to thank them both for their support in this effort.

The draft legislation we are discussing today is the product of months of dialog with Government officials and private-sector stakeholders. I want to express my gratitude to those who worked with the committee to provide feedback on various drafts of the legislation. We have worked hard to draft the legislation in a manner that will result in the greatest security impact for both the Federal Government and the private sector, and I am proud of the draft we have developed.

Our bill would direct CISA, after a 270-day period with mandatory windows of stakeholder consultation and comment, to issue an interim final rule describing, No. 1, which critical infrastructure owners and operators are subject to the reporting requirement; No. 2, which cyber incidents need to be reported; No. 3, the mechanism for submitting reports; and, No. 4, other details necessary for implementation.
Importantly, our bill seeks to establish this new mandatory reporting program in a way that sets it apart from CISA's voluntary cyber programs by establishing a new cyber incident review office and tasking this new office with a discrete mission of receiving, aggregating, analyzing, and securing cyber incident reports.

The bill also aims to ensure that covered entities benefit from the new reporting requirement in three ways: First, our bill requires CISA to publish quarterly reports with analyzed findings to provide better situational awareness to its partners. Second, it directs CISA to identify any actionable threat intelligence that should be shared rapidly and confidentially with cyber, ``first responders,'' to prevent or respond to other attacks. Third, it requires CISA to notify private-sector entities that may have been impacted by data breaches or intrusions on Federal networks.

I am pleased with the progress we have made on this legislation but want to be clear that our work is on-going. We remain open to additional questions and feedback because it is important to get this right.

In recent days, I have been asked whether we would ask compliance challenges that certain small businesses may have. I want to be clear that we do not expect all critical infrastructure owners and operators to be subject to this reporting requirement. Rather, we expect it to apply only to a subset. That said, I would be certainly--I would certainly be happy to explore whether we need to add language directing CISA to provide additional compliance assistance to small businesses that are determined to be covered entities. I look forward to hearing additional stakeholder perspectives on the legislation today.
Before I close and without objection, I would like to include in the record letters of support from Claroty and Accenture, as well as a letter signed by 18 associations, including ITI, the Cyber Threat Alliance, the American Gas Association, Airlines for America, and the Cyber Coalition, among others.

[The information follows:]

Letter From Claroty

September 1, 2021.

Rep. Yvette Clarke,
Chairwoman, Cybersecurity, Infrastructure Protection & Innovation Subcommittee, House Committee on Homeland Security, Washington, DC 20515.

Rep. John Katko,
Ranking Member, House Committee on Homeland Security, Washington, DC 20515.

Dear Reps. Clarke and Katko: On behalf of Claroty, a leading worldwide provider of industrial cyber security solutions with the mission to drive visibility, continuity, and resiliency in the industrial economy, it is my pleasure to send this letter in support of your ``Cyber Incident Reporting for Critical Infrastructure Act of 2021''.

By way of background, Claroty's solutions are deployed in thousands of industrial locations and facilities, in over 50 countries across all seven continents. We serve hundreds of customers, across many industrial verticals in critical infrastructure including energy, water, oil & gas, pipelines, food & beverage, pharmaceuticals, and other areas of critical manufacturing. Claroty's Operational Technology (OT) platform has been selected, tested, and validated by the world's leading industrial automation and cybersecurity vendors, elite system integrators, and Managed Security Service Providers. We are the only OT security provider to be certified by the U.S. Department of Homeland Security's Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act, which was created to encourage the development and deployment of counterterrorism technologies.

We appreciate the opportunity to provide our thoughts and insights on your cyber incident reporting legislation.
This bill is a very important step toward building a future where the Federal Government obtains more actionable information from the private sector on cyber incidents so that the Internet ecosystem can be made more secure. As Claroty reviewed the draft legislation, there were several attributes which led us to the conclusion that this is a measure we should support:

Creation of the Cyber Incident Review Office Under CISA is an Important Step to Provide Comprehensive Situational Awareness of Cyber Incidents.--As part of its creation, the Cybersecurity and Infrastructure Security Agency (CISA) was chartered to provide a wide range of cyber functions and capabilities across Federal Government agencies, State, local, Tribal, and territorial government agencies, and the private sector. As part of a cyber incident notification bill, we believe that having a single entity responsible for receiving, analyzing, and reporting on all significant cyber incidents would provide a common understanding of cyber situational awareness that could ensure the U.S. National interests are more effectively secured, and accomplished in a more timely and efficient manner. Whether adversaries are sophisticated and targeted, or unsophisticated and opportunistic, having an overarching situational awareness under a single entity of the U.S. Government provides an advantage over fragmented Departmental views of localized hot spots. The attackers play to their strengths of only needing to be right once, while defenders need to be right every time. So too does the U.S. Government need to play to our strength by enabling a unified understanding of cyber situational awareness to ensure we can gain insights and provide actionable recommendations. As such, we agree with your legislation's intent that CISA should be provided clear regulatory authority to operate and enforce the cyber incident notification legislation, with full support, cooperation, and coordination with departments and agencies.
Additionally, there will clearly need to be an assessment performed regarding resources and funding required to effectively staff the agency and provide capabilities to ensure it can successfully execute on this expanded mission. We stand ready to help you and your colleagues in the Appropriations committee to help in this regard.

Conduct cybersecurity reviews in the wake of Significant Cyber Incidents.--One subtlety overlooked about the Oldsmar water treatment facility breach in February 2021 was the willingness of law enforcement and plant officials to share details about the attack vector used to gain access to the network, as well as the potential consequences to public safety had controls not been in place to mitigate the attacker's actions. There is tremendous value in these details for peers across industries. Compounding the urgency of this narrative is the news that a California water treatment facility was breached by remote attackers just weeks earlier in January--using the same exact attack technique in February during the Oldsmar attack. Had details about the California attack been disclosed in a timely manner, that Oldsmar incident may have been prevented. Your legislation, by requiring a review of significant cybersecurity incidents, is an important step toward making permanent this concept, which will help reduce the number of cyber incidents across U.S. critical infrastructure. If we look at the effectiveness of the National Transportation Safety Board as an exemplar, its successes in driving apolitical learnings that have resulted in improved confidence and the reduction of accidents demonstrate what should be replicated in cybersecurity.
As you look to continue making improvements in your bill, you might consider adding more content to this section of your bill consistent with Section 5 of Executive Order 14028 (the section which established a Cyber Safety Review Board, with the charter of reviewing and assessing serious incidents against Federal Civilian Executive branch and non-Federal systems).

The Scope of the Proposed Legislation Appropriately Calls Out Industrial Economy-Specific Requirements.--As industrial OT environments such as water treatment facilities and electrical substations are being connected to the IT network, new risks are introduced in the physical world that were not risks in the digital world. We therefore believe that the drafted legislation appropriately calls out not only risks to confidentiality, integrity, and availability of information systems, but also addresses the risks to the safety and resiliency of operational systems and processes. This broader scope will ensure that industrial enterprises take a more expansive view of physical and safety risk--not only to the digital risk affecting IT systems.

The Cyber Incident Notification Period of 72 Hours is in line with Established Standards.--During the initial hours of a potential cyber incident, a significant amount of fact-finding must occur to validate that the event was truly a malicious cyber incident and determine its potential scope and impact. While large enterprises may be able to accomplish this rapidly, smaller or less well-funded organizations may need to enlist the support of third parties to effectively conduct these activities. Establishing the initial reporting period at 72 hours is the general expectation established by the 2018 European Union General Data Protection Regulation (GDPR) and would be an effective benchmark that most organizations are using as a standard.
Any shorter notification period would run the risk of creating too many ``false positives'' which would not be an effective use of Federal Government resources.

As this bill moves through the legislative process, there is one additional area that you might consider when perfecting the text. Specifically, we encourage you to look at how this bill might create disincentives for failure to notify. While the reporting requirements for covered entities are clear in the proposed legislation, we are concerned that given the increasing frequency and impact of cyber attacks, the onus of reporting should be placed on the covered entities for Significant Cyber Incidents and backed with disincentives for a failure to comply. At present, organizations are open to substantial brand and reputational risk for reporting on a cyber incident. The executive decision is therefore tipped all too frequently in favor of not reporting cyber incidents and working to quietly fix them behind the scenes. While focused on privacy, GDPR has driven substantial adoption of its obligations world-wide due to the very high fines for violating (€20M or 4 percent of global revenue--whichever is higher) the breach notification provision. Of note, until the financial penalties were enacted in the latest version of GDPR, compliance was halfhearted. At present, many organizations view reporting as having a reputational and brand impact, and without penalties will decide not to report incidents. Claroty believes that given the risk to U.S. National security and interest, we must tip the financial calculus in favor of notification, and that must be done through penalties and enforcement for organizations that are clearly in violation. We also believe that this new set of risks will drive Boards of Directors to govern and manage cyber risk, which will drive funding and action through the organization more effectively.
By creating effective and material economic disincentives for organizations who do not comply with the expected outcomes, we tip the scale in favor of reporting. To that end, we would encourage you to engage those with experience in GDPR compliance to understand how the financial penalties of that measure have been received, and then decide whether that might be a valuable addition to this bill.

My Claroty colleagues and I stand ready to assist you in your efforts to advance this legislation and look forward to continuing our strong working relationship with your staff to that end.

Sincerely,
Grant Geyer,
Chief Product Officer, Claroty.

______

Statement of Accenture

August 2021

Accenture supports the Cyber Incident Reporting for Critical Infrastructure Act of 2021 and welcomes the opportunity to provide our feedback on the draft legislation. To improve the Nation's cybersecurity posture, the Federal Government needs to have greater awareness of cybersecurity incidents across critical infrastructure, and this draft legislation would achieve that. Accenture commends the bill drafters for working on a bipartisan basis and for sharing the draft with industry to solicit feedback and collaboration prior to introduction.

Accenture believes the draft legislation:

Strikes the right balance by requiring narrowly-tailored incident information that can help the Federal Government get a more robust picture of the cyber landscape without overburdening companies with unworkable and overly broad reporting mandates. The legislation strikes this balance by directing CISA to focus on the most critical of critical infrastructure owners and operators and narrowly tailor the definition of a covered cybersecurity incident (and excluding potential incidents). We note that CISA's effort to identify the appropriate covered entities could be done in harmony with proposals for it to identify systemically important critical infrastructure.
Tailors the incident information required to be provided to CISA, which will help CISA get a broader picture of serious threats to critical infrastructure by focusing on IOCs and TTPs. Information, if available, such as behavioral descriptors, failed/subverted controls or other investigational artifacts can help CISA better protect other critical infrastructure owners and operators by looking for trends and warning others who may be similarly targeted.

Directs CISA to work to harmonize existing regulatory requirements on incident reporting with the new requirements in this draft bill, and coordinate with regulators that already receive cyber incident reports to streamline processes. As the bill drafters know, not all critical infrastructure sectors are alike. Some sectors such as financial services are far along in their cybersecurity maturity and have existing regulations and practices. For those advanced sectors, it is crucial that CISA examine existing incident notification expectations that are both in regulation and in practice to ensure that the reporting is aligned with the risk profile to the sector as well as the Nation's security. Other sectors' cybersecurity posture such as water and agriculture systems are quite nascent. For the nascent entities, budgeting for, building the capacity for, and implementing the new requirements and maturing their cybersecurity posture will take some time. Still others, such as pipelines within the transportation system and Federal ICT providers subject to the new cyber Executive Order, have new incident notification requirements to comply with. It is imperative that policy makers and CISA take all of this into account when developing the new requirements to reduce confusion, complexity, and duplication.

Focuses on a ``prompt'' reporting standard that cannot be shorter than 72 hours, rather than a 24-hour requirement.
Once anomalistic activity is identified, it can take some time for a company to verify the intrusion and identify whether it is a serious enough event to warrant reporting. From Accenture's experience in working with many companies across critical infrastructure to respond to such incidents, 72 hours is a reasonable time frame to be able to determine scope, impact, and initial TTPs and IOCs and possibly share malware samples for further analysis. This information would be important to report the initial understanding of an attack with updates as new information is learned. Timing shorter than 72 hours would likely burden CISA with incomplete, unactionable, unhelpful, and inaccurate information. Accenture commends the bill drafters for appropriately balancing the Government's need for information with the affected companies' ability to perform time-sensitive incident response. It may also be helpful to outline a periodic update cycle even if there is no new information, and then a close-out report indicating the incident is contained and remediated and signaling an end to the requirements.

Incorporates use and liability protections consistent with CISA 2015. (There are a few provisions seemingly not carried over from CISA 2015 and we look forward to further discussion on those items.)

While we endorse the regulatory requirement for incident notification, the legislation should seek to structure the Government's role as part of a partnership to improve America's cybersecurity stance, rather than a compliance exercise. To improve the private/public collaboration that is so central to this legislation, Accenture recommends 4 points for further consideration:

Require CISA to issue a proposed rule, rather than an interim final rule, to allow for more meaningful industry collaboration which ultimately will result in more engagement and buy-in from the private sector.
This significant change to critical infrastructure entities' risk management programs and relationship with CISA warrants fulsome consultation and consideration.

Companies would like clarification that the information they provided, if shared outside the new office, will be anonymized to protect sensitive information and build companies' confidence that the information sharing will not be used against them.

Prior to enforcement of the notification provisions, companies would like to understand what protocols will be in place to ensure the security of the information they provide. This will go a long way toward building companies' confidence that the sensitive information provided will be protected.

Include clear requirements for CISA to promptly share with the private sector the (anonymized) IOCs, TTPs, and threat actor profile (aka SITREP) incident information it receives pursuant to the legislation to improve response by the affected industry and improve resilience across critical infrastructure.

______

Letter From Multiple Associations

August 27, 2021.

The Honorable Gary Peters, Chairman, Committee on Homeland Security & Government Affairs, U.S. Senate.
The Honorable Mark Warner, Chairman, Select Committee on Intelligence, U.S. Senate.
The Honorable Bennie Thompson, Chairman, Committee on Homeland Security, U.S. House of Representatives.
The Honorable Yvette Clarke, Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, U.S. House of Representatives.
The Honorable Rob Portman, Ranking Member, Committee on Homeland Security & Government Affairs, U.S. Senate.
The Honorable Marco Rubio, Vice Chairman, Select Committee on Intelligence, U.S. Senate.
The Honorable John Katko, Ranking Member, Committee on Homeland Security, U.S. House of Representatives.
The Honorable Andrew Garbarino, Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, U.S. House of Representatives.
Dear Chairs, Vice Chairman, and Ranking Members: The undersigned associations, representing major sectors of the American economy, including the owners, operators, and those that support and maintain the Nation's critical infrastructure, appreciate Congress's on-going focus on cybersecurity incident reporting legislation. Our industries recognize the value of public-private collaboration facilitated by mutual sharing of actionable information on significant cybersecurity incidents and intrusions with Federal agencies. Incident Reporting legislation pending in Congress, when harmonized with the requirements of Section 2 of President Biden's Executive Order on Improving the Nation's Cybersecurity, has the potential to improve the Nation's cybersecurity posture if appropriately developed and implemented.

To ensure an effective incident reporting regime that leverages the limited resources of Federal agencies, enables regulatory compliance, provides liability protections, and advances National cybersecurity interests, we believe that policy makers in Congress should, at a minimum, follow five key principles:

Establish feasible reporting time lines of no less than 72 hours.--Cybersecurity incidents are crisis moments for victim organizations. To ensure that the Cybersecurity and Infrastructure Security Agency (CISA) and its interagency partners receive actionable information on truly significant incidents, it is essential to give incident responders time to evaluate the intrusion to determine its impact. Shorter time lines also greatly increase the likelihood that the entity will report inaccurate or inadequately contextualized information that will not be helpful, potentially even undermining cybersecurity response and remediation efforts.
A formal report on a verified, significant incident should not preclude less-fulsome notifications to CISA on a more flexible time line.

Limit reporting regulations to verified incidents and intrusions.--Incident reporting should focus on verified incidents rather than potential incidents or ``near misses.'' Reporting verified incidents, that have been well-defined and scoped, will avoid a culture of overreporting that will strain limited incident response capacity and capabilities inside and outside the Government. It also can help ensure that information received is useful and actionable.

Limit reporting obligations to the victim organization, rather than third-party vendors or providers.--Any legislation should ensure that the reporting obligation falls only on compromised affected entities. Vendors and third-party service providers should not be required to report cybersecurity incidents to the U.S. Government that have occurred on their customers' networks and vice versa. Such a requirement would pose numerous challenges to normal business operations, including potentially forcing vendors or third parties to disclose business confidential information of that customer or breach their contractual obligations. Requiring third-parties to report incidents could even disincentivize companies from employing outside cybersecurity services to the detriment of those companies' own security and resilience.

Harmonize Federal cybersecurity incident reporting requirements.--It is imperative that Congress streamline and normalize Federal reporting requirements to ensure resources are used to combat malicious cyber threat activity, rather than customizing reports on the same incident to multiple agencies. Numerous Federal agencies currently have disparate incident reporting requirements, many of which are just being implemented.
Reported information should be aggregated, anonymized, analyzed, and shared, with Government and industry, in a manner to assist in the mitigation and/or prevention of future cyber incidents.

Ensure confidentiality and nondisclosure of incident information provided to the Government.--It is imperative that any legislation have strong and transparent rules about the confidentiality of incident information that is shared with or by Federal agencies. Such rules should govern not only the dissemination of incident information with relevant interagency partners, but should specifically preclude direct or indirect use of such information by the Federal Government. These rules must be crafted to guarantee compliance with existing legal regimes, including contractual, intellectual property, and privacy obligations.

Our industries strongly believe that securing the Nation's digital assets is a shared responsibility requiring collaboration between the private sector and Federal partners. We stand ready to assist policy makers as they develop their proposals on this important National security issue.

Sincerely,

ACT/The App Association
Airlines for America (A4A)
American Fuel & Petrochemical Manufacturers
American Petroleum Institute
American Gas Association
Business Roundtable
BSA/The Software Alliance
The Computing Technology Industry Association
Consumer Technology Association (CTA)
Cyber Coalition
Cyber Threat Alliance
Edison Electric Institute
Electronic Transactions Association
Information Technology Industry Council (ITI)
Internet Association
Software & Information Industry Association
TechNet
Telecommunications Industry Association (TIA).

Ms. Clarke. Additionally, without objection, I include in the record comments from NTCA, APPA, and NRECA.

[The information follows:]

Letter From NTCA--The Rural Broadband Association

August 30, 2021.

The Honorable Gary Peters, Chairman, Committee on Homeland Security & Government Affairs, U.S. Senate.
The Honorable Mark Warner, Chairman, Select Committee on Intelligence, U.S. Senate. The Honorable Bennie Thompson, Chairman, Committee on Homeland Security, U.S. House of Representatives. The Honorable Yvette Clarke, Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, U.S. House of Representatives. The Honorable Rob Portman, Ranking Member, Committee on Homeland Security & Government Affairs, U.S. Senate. The Honorable Marco Rubio, Vice Chairman, Select Committee on Intelligence, U.S. Senate. The Honorable John Katko, Ranking Member, Committee on Homeland Security, U.S. House of Representatives. The Honorable Andrew Garbarino, Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, U.S. House of Representatives. Dear Chairs, Vice Chairman, and Ranking Members: Thank you for your leadership to promote the security of our Nation's critical infrastructure. NTCA--The Rural Broadband Association represents over 850 small, rural telecom providers that deliver high-speed broadband and voice service in the most remote areas of the country. These small companies serve areas where it is difficult if not impossible to make the business case for essential broadband network deployment without support from programs such as the Federal universal service fund and financing from the U.S. Department of Agriculture. Despite their small size and razor-thin operating margins, rural carriers work hard to manage the risk presented by constant cyber attacks against their networks, and several dozen have already joined CyberShare: The Small Broadband Provider ISAC, which NTCA initiated to promote the resiliency and continuity of operation of small network operators across the United States. 
Nonetheless, because NTCA's members operate on thin margins, because there is presently no program that specifically supports costs incurred from cyber risk management efforts, and because there are no specific mechanisms aimed at helping smaller operators and providers in rural areas attract individuals with cyber expertise, many small carriers (which average only 30 employees overall) have limited resources to devote to such efforts. Indeed, in some cases, rural operators may have only 1-2 staff who work on cybersecurity, and even these individuals may have other functions and responsibilities as well within the enterprise. Therefore, it is essential that these staff are free to focus on securing networks rather than being consumed by the need to comply with reporting requirements. With this as background, as you work toward passage of cyber incident reporting legislation, please consider making the reports voluntary for small businesses that own or operate critical infrastructure, or at a minimum provide extended compliance deadlines and/or other flexibility to allow small companies to make the necessary preparations. A small business exemption will also benefit those overseeing such compliance by cutting down on the number of reports to review in favor of focusing on the largest networks that are most likely to experience wide-spread cyber threats. And, in the event DHS determines that information relating to a specific cyber incident is necessary to obtain from smaller providers, the agency can always use its subpoena authority to request information from such providers. Absent a small company exemption, these carriers will benefit at a minimum from more clearly articulated expectations and flexibility for compliance. 
For example, reports should only be required for verified intrusions that directly and substantially impact operations, providers should have at least five business days to report after confirming an intrusion, and providers should only be required to report intrusions to the network they control as opposed to when they merely serve as a conduit for an attack on a third party. Further, duplicative reporting should be avoided, and providers should be confident that information supplied pursuant to the new requirements will not result in litigation or regulatory action. Thank you for considering how new cyber incident reporting requirements will impact the wide array of critical infrastructure owners and operators. We look forward to working with you on this important matter as the legislation moves forward. Sincerely, Shirley Bloomfield, Chief Executive Officer, NTCA--The Rural Broadband Association. ______ Statement of the American Public Power Association (APPA) and the National Rural Electric Cooperative Association (NRECA) August 30, 2021. The Honorable Gary Peters, Chairman, Committee on Homeland Security & Government Affairs, U.S. Senate. The Honorable Mark Warner, Chairman, Select Committee on Intelligence, U.S. Senate. The Honorable Bennie Thompson, Chairman, Committee on Homeland Security, U.S. House of Representatives. The Honorable Yvette Clarke, Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, U.S. House of Representatives. The Honorable Rob Portman, Ranking Member, Committee on Homeland Security & Government Affairs, U.S. Senate. The Honorable Marco Rubio, Vice Chairman, Select Committee on Intelligence, U.S. Senate. The Honorable John Katko, Ranking Member, Committee on Homeland Security, U.S. House of Representatives. The Honorable Andrew Garbarino, Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, U.S. House of Representatives. 
Dear Chairs, Vice Chairmen, and Ranking Members: We are writing to you regarding several introduced and draft bills that would mandate critical infrastructure sectors to report ``cyber incidents'' to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA). The American Public Power Association (APPA) and the National Rural Electric Cooperative Association (NRECA) do not support additional cyber incident reporting mandates for the electric sector. We believe that the incident reporting mandates currently under discussion would burden electric utilities--especially smaller public power and cooperative utilities--with increased administrative tasks that will not materially increase their, or the country's, cybersecurity posture, but would likely divert limited resources away from securing and defending systems. That said, if Congress chooses to enact broad mandatory cyber incident reporting legislation for critical infrastructure, we agree with the principles laid out in the August 27 letter led by the Information Technology Industry Council (ITI) and endorsed by numerous other critical infrastructure sector entities and associations. APPA is the voice of not-for-profit, community-owned utilities that power 2,000 towns and cities nationwide. APPA represents public power before the Federal Government to protect the interests of the more than 49 million people that public power utilities serve, and the 96,000 people they employ. Public power utilities range in size, from very large to very small; approximately 67 percent of public power utilities serve communities of 10,000 people or less. They own, operate, or use generation and transmission infrastructure, as well as distribution infrastructure directly serving homes and businesses. NRECA is the national trade association representing nearly 900 local electric cooperatives and other rural electric utilities.
America's electric cooperatives are owned by the people that they serve and comprise a unique sector of the electric industry. From growing regions to remote farming communities, electric cooperatives power one in eight Americans and serve as engines of economic development for 42 million Americans across 56 percent of the nation's landscape. Electric cooperatives operate at cost and without a profit incentive. NRECA's member cooperatives include 62 generation and transmission (G&T) cooperatives and 831 distribution cooperatives. Both distribution and G&T cooperatives share an obligation to serve their members by providing safe, secure, reliable, and affordable electric service. Combined, the members of our two groups serve close to 30 percent of the American population, which is equivalent to more than twice the population of Canada. Having provisioned such electric service for decades, our members know that a reliable energy grid is the lifeblood of the nation's economic and national security, as well as vital to the health and safety of all Americans. Electric utilities take very seriously their responsibility to maintain a secure and reliable electric grid. It is the only critical infrastructure sector that has mandatory and enforceable Federal regulatory standards in place for cyber and physical security (collectively known as grid security). These standards include mandatory reporting of specific cyber incidents to the Department of Energy (DOE) via an Electric Emergency Incident and Disturbance Report (OE-417) and to the North American Electric Reliability Corporation (NERC) and the Federal Energy Regulatory Commission (FERC). 
Outside of these mandatory reporting standards, all electric utilities, including public power utilities and rural electric cooperatives, participate in robust voluntary information sharing systems such as the Electric Subsector Coordinating Council (ESCC) and the Electricity Information Sharing and Analysis Center (E-ISAC), as well as the Multi-State Information and Sharing Analysis Center (MS-ISAC) for public power. Most recently, electric utilities have worked closely with the National Security Council, DOE, and DHS on the ``100 Day Electric Sector Industrial Control Systems Cybersecurity Sprint'' to encourage and support utilities' visibility and monitoring of their industrial control system and operational technology networks, as well as automated sharing into government. It is not clear how these bills would impact these existing voluntary channels or existing or planned machine-to-machine sharing. Our biggest concerns with the various versions of incident reporting legislation currently under discussion can be grouped into two broad categories. The legislation: (1) Treats all critical infrastructure entities as equally impactful to national security-- there is no accounting for the wildly differing risk profiles of an electric utility serving millions of customers and a small distribution electric utility without an industrial control system [a type of operational technology] serving 250 customers; and (2) puts the onus on the critical infrastructure entity to share information with multiple government agencies, instead of encouraging and facilitating the sharing of information between and among agencies. While those are the two most significant concerns, we are also concerned that some proposals include heavy financial fines for failure to report within a very short time period.
All of our members must be able to focus on the matter at hand in the event of a breach and should be given the flexibility to report once the crisis is understood and being managed. There has also been little discussion on how mandatory reporting requirements would impact long existing and robust voluntary information sharing systems nor on what the government's responsibility is in terms of actionable information sharing and support. Given the concerns enumerated above, APPA and NRECA do not support including electric utilities in the mandatory cyber incident reporting legislation currently under discussion. However, if Congress chooses to move ahead with the legislation, we urge a careful and deliberative process that takes into account existing reporting mandates, appropriately tailors the mandate commensurate with the risk to national security, and adheres to the principles laid out in ITI's letter. We appreciate the openness that your staff has shown in discussions with our teams and we look forward to continuing our dialog. Sincerely, Joy Ditto, President & CEO, American Public Power Association. Jim Matheson, CEO, National Rural Electric Cooperative Association. Ms. Clarke. Again, I thank the witnesses for being here today and look forward to hearing their testimony. [The statement of Chairwoman Clarke follows:] Statement of Chairwoman Yvette D. Clarke August 30, 2021 Good afternoon. I would like to thank the witnesses for participating in today's hearing on the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Earlier this year, this committee held a joint hearing with the Committee on Oversight and Reform to examine the SolarWinds supply chain attack. Our oversight revealed a number of gaps in Federal authorities, policies, and capabilities that Congress must address to secure its own networks and better serve its private-sector partners. But what stood out to me was how lucky we were that FireEye disclosed that it had been compromised. 
Where would we be if they had chosen not to? At the hearing, I asked whether we would benefit from implementing a mandatory cyber incident reporting framework. Microsoft President Brad Smith observed that today ``information is siloed'' and that we need ``one entity is in a position to scan the entire horizon and connect the dots between all of the attacks or hacks that are taking place.'' SolarWinds President Sudhakar Ramakrishna testified: ``[H]aving a single entity to which all of us can report to will serve the fundamental purpose of building speed and agility,'' and argued that private enterprises ``should be instructed with reporting requirements and be made part of this community vision where public and private sectors can work together on addressing this issue.'' At the same hearing, FireEye CEO Kevin Mandia testified about the importance of centralizing intelligence to ``improve the speed at which that picture and vision will come together.'' That hearing convinced me that Congress must act to ensure the Cybersecurity and Infrastructure Security Agency (CISA) receives timely cyber incident information from critical infrastructure owners and operators. Since then, I have worked with Chairman Thompson and Ranking Member Katko to draft legislation to establish a mandatory cyber incident reporting framework at CISA and I would like to thank them both for their support in this effort. The draft legislation we are discussing today is the product of months of dialog with Government officials and private-sector stakeholders. I want to express my gratitude to those who worked with the committee to provide feedback on various drafts of the legislation. We have worked hard to draft the legislation in a manner that will result in the greatest security impact for both the Federal Government and the private sector, and I am proud of the draft we have developed.
Our bill would direct CISA, after a 270-day period with mandatory windows for stakeholder consultation and comment, to issue an interim final rule describing: which critical infrastructure owners and operators are subject to the reporting requirement; which cyber incidents need to be reported; the mechanism for submitting reports; and other details necessary for implementation. Importantly, our bill seeks to establish this new mandatory reporting program in a way that sets it apart from CISA's voluntary cyber programs by establishing a new Cyber Incident Review Office and tasking this new office with the discrete mission of receiving, aggregating, analyzing, and securing cyber incident reports. The bill also aims to ensure that covered entities benefit from the new reporting requirement in three ways: First, our bill requires CISA to publish quarterly reports with anonymized findings to provide better situational awareness to its partners; Second, it directs CISA to identify any actionable threat intelligence that should be shared rapidly and confidentially with cyber `first responders' to prevent or respond to other attacks; and Third, it requires CISA to notify private-sector entities that may have been impacted by data breaches or intrusions on Federal networks. I am pleased with the progress we have made on this legislation, but want to be clear that our work is on-going. We remain open to additional questions and feedback because it is important to get this right. In recent days, I have been asked whether we would consider compliance challenges that certain small businesses may have. I want to be clear that we do not expect all critical infrastructure owners and operators to be subject to this reporting requirement--rather we expect it to apply only to a subset. 
That said, I would certainly be happy to explore whether we need to add language directing CISA to provide additional compliance assistance to small businesses that are determined to be covered entities. I look forward to hearing additional stakeholder perspectives on the legislation today. Before I close, I would ask unanimous consent to insert into the record a letter of support from Claroty, as well as a letter signed by 18 associations, including ITI, the Cyber Threat Alliance, the American Gas Association, Airlines for America, and the Cyber Coalition, among others. Additionally, I ask to enter into the record comments from Accenture, NTCA, APPA, and NRECA. Without objection, so ordered. With that, I thank the witnesses for being here and I yield back the balance of my time. Ms. Clarke. The Chair now recognizes the Ranking Member of the subcommittee, the gentleman from New York, Mr. Garbarino, for an opening statement. Mr. Garbarino. Mr. Garbarino. Thank you very much, Chairwoman. I would like to thank Chairwoman Clarke for calling this important hearing today. We have a large panel before us, so, in the interest of time, I will keep my remarks brief. There should be no question why we are here today. Over the past year, our Nation has been subject to devastating SolarWinds cyber espionage campaign, as well as the Microsoft Exchange and Pulse Secure vulnerabilities, and that is just against the Federal Government. Our Nation's critical infrastructure has also been under attack, and the American people have begun to feel the impact. Everyone here remembers the ransomware attacks on Colonial Pipeline and JBS Meats, both of which had real-world impacts. The fact of the matter is that something here must change. We cannot allow these devastating attacks on our Nation to continue. We must ensure that CISA has the visibility it needs to help defend our Federal networks and to help our critical infrastructure owners and operators protect themselves. 
I have been pleased to see our majority counterparts engage our Members in productive conversations on this, and I hope we can continue the constructive dialog here today. I am particularly interested in learning from our witnesses about how they viewed some of the key provisions of this bill and what, if any, suggestions they have for edits. Thank you to our witnesses for being here today. Again, thank you, Chairwoman Clarke, for your leadership on this incredibly important topic. I yield back. [The statement of Ranking Member Garbarino follows:] Statement of Ranking Member Andrew Garbarino I would like to thank Chairwoman Clarke for calling this important hearing today. We have a large panel before us, so in the interest of time, I will keep my remarks brief. There should be no question why we are here today: Over the past year, our Nation has been subject to the devastating SolarWinds cyber espionage campaign, as well as the Microsoft Exchange and Pulse Secure vulnerabilities, and that's just against the Federal Government. Our Nation's critical infrastructure has also been under attack and the American people have begun to feel the impact. Everyone here remembers the ransomware attacks on Colonial Pipeline and JBS Meats, both of which had real-world impacts. The fact of the matter is that something here must change, we cannot allow these devastating attacks against our Nation to continue. We must ensure that CISA has the visibility it needs to help defend our Federal networks, and to help our critical infrastructure owners and operators protect themselves. I'm hopeful that this bill will help create a two-way street of information sharing between Government and industry. I've been pleased to see our majority counterparts engage our Members in productive conversations on this topic and I hope we can continue the constructive dialog here today. 
I'm particularly interested in learning from our witnesses about how they view some of the key provisions in this bill, and what, if any, suggestions they have for edits. Thank you to our witnesses for being here today and again, thank you Chairwoman Clarke for your leadership on this incredibly important topic.
Ms. Clarke. I thank our Ranking Member for his brevity in his opening remarks. But certainly anything that you have to add, we are all ears. I want to thank Members--to remind Members that the subcommittee will operate according to the guidelines laid out by the Chairman and Ranking Member in their February 3 colloquy regarding remote procedures. I don't see our Chairman at this moment, but I do see our Ranking Member. So I want to recognize the Ranking Member of the full committee, the gentleman from New York, Mr. Katko, for an opening statement.
Mr. Katko. Well, I would like to thank my friend and colleague from New York, Chairwoman Clarke, for convening this important hearing today. This legislative hearing is a fantastic opportunity for our Members to learn directly from industry how they are impacted by specific provisions in the bill as well as any changes they suggest ahead of introduction. Everyone in this hearing should recognize the urgency and precision with which we need to act. Every single day, entities, large and small, are affected by the scourge of ransomware and cyber crime. From street-level criminal gangs to nation-state actors, like Russia and China, nefarious actors target our private-sector businesses, State and local governments and Federal agencies millions of times per day. Unfortunately, many of these attempts are ultimately successful. In order to bolster our Nation's collective defense, we must enhance our visibility across both Federal and private networks. I have been pleased with the response we have seen from industry so far.
I want to thank our witnesses, not just for being here today but for their diligent work in thinking through this legislative effort. I hope that everybody here today recognizes that our Nation's cybersecurity cannot simply be a Federal effort or a private effort, but that it is--it is and must be a joint effort. There is no doubt in my mind that cybersecurity is a deep preeminent threat to our country today. Without enhanced collaboration and visibility, we will continue to fall victim to the cowardly actors that target our Nation, our constituents, and all of us on a daily basis. I have been pleased to work with Chairman Thompson, Chairwoman Clarke, and all our critical industry partners on this bill. I look forward to continue prioritizing major cybersecurity reforms through this committee on a bipartisan basis, including my SICI bill, which is coming up in the next few days. That is the Systemically Important Critical Infrastructure. One of the things that drew me to this committee other than just my background in law enforcement over 20 years is the fact that there is a spirit of bipartisanship here, and there is a spirit of teamwork here that is manifesting itself again today. I mean, I commend the Chairwoman for that and Mr. Garbarino as well. But going forward, there is a lot of other things like my Systemically Important Critical Infrastructure bill and many others that are going forward, and I hope we can have the same type of teamwork on that again as well. So thank you, again, Ms. Clarke, for being here today, and thank you for holding this important hearing. Thank you for the witnesses as well, and thank you, Mr. Garbarino. I yield back. [The statement of Ranking Member Katko follows:] Statement of Ranking Member John Katko I would like to thank Chairwoman Clarke for convening this important hearing today. 
This legislative hearing is a fantastic opportunity for our Members to learn directly from industry how they are impacted by specific provisions in the bill, as well as any changes they suggest ahead of introduction. Everyone in this hearing should recognize the urgency and precision with which we need to act. Every single day, entities large and small are affected by the scourge of ransomware and cyber crime. From street-level criminal gangs to nation-state actors like Russia and China, nefarious actors target our private-sector businesses, State and local governments, and Federal agencies millions of times per day. Unfortunately, many of those attempts are ultimately successful. In order to bolster our Nation's collective defense, we must enhance our visibility across both Federal and private networks. I have been pleased with the response we've seen from industry so far, and I want to thank our witnesses, not just for being here today, but for their diligent work in thinking through this legislative effort. I hope that everyone here today recognizes that our Nation's cybersecurity cannot simply be a Federal effort, or a private effort, but that it must be a joint effort. Without enhanced collaboration and visibility, we will continue to fall victim to the cowardly actors that target our Nation--our constituents--on a daily basis. I have been pleased to work with Chairwoman Clarke, Chairman Thompson, and all our critical industry partners on this bill. I look forward to continuing to prioritize major cybersecurity reforms through this committee on a bipartisan basis, including my SICI bill in the coming days. Thank you again to our witnesses for being here today, and thank you Chairwoman Clarke for holding this important hearing.
Ms. Clarke. I thank our Ranking Member for his comments and opening statement, and I am going to then proceed to our witnesses. Should our Chairman join us, we will take a break to hear his comments. I now welcome our panel of witnesses.
First, I would like to welcome Mr. Ronald Bushar, the senior vice president and global government CTO for FireEye Mandiant who works at the intersection of public-private incident response efforts for the types of cyber attacks we are here to discuss today. Second, we will hear from Ms. Heather Hogsett with the Bank Policy Institute, also known as BPI, a nonpartisan research advocacy group representing the Nation's top banks. Ms. Hogsett is the senior vice president of technology and risk strategy for BITS, the technology policy division of BPI. Third, we have Mr. John Miller, the senior vice president of policy and general counsel for the Information Technology Industry Council, also known as ITI, which represents the world's leading information and communication technology companies. Next, I am pleased to welcome Mr. Robert Mayer back before the subcommittee. Mr. Mayer is the senior vice president for cybersecurity and innovation at the USTelecom and chairs the Communications Sector Coordination Council. Then, finally, we have Ms. Kimberly Denbow, the managing director of security and operations for the American Gas Association, who also co-chairs the Cybersecurity Working Group for the Pipeline Sector Coordinating Council and the oil and natural gas sector. Without objection, the witnesses' full statements will be inserted in the record. I now ask each witness to summarize his or her statement for 5 minutes, beginning with Mr. Bushar. Mr. Bushar, I believe you may be muted.
STATEMENT OF RONALD BUSHAR, VICE PRESIDENT AND GOVERNMENT CTO, FIREEYE MANDIANT
Mr. Bushar. Always a good start to a hearing. Apologies, Chairwoman. Thank you, Chairwoman Clarke, Ranking Member Garbarino, and all the Members of the subcommittee for the opportunity to talk with you today about this important cyber incident reporting topic. FireEye Mandiant applauds your efforts to tackle this complex issue and appreciates the open dialog we have enjoyed with you and your staff.
Public-private partnerships are critical to the success of any cyber incident reporting or disclosure program, both in its development and ultimately in its execution. My comments for today's hearing will focus primarily on the major tenets and benefits of the cyber incident reporting framework. But before I turn to this specific topic, let me share some background on myself and my company to establish context for my narrative and statements today. I started my career in the United States Air Force as an officer in what was at the time termed information warfare. For more than 20 years, I have worked in cyber defense operations, cybersecurity consulting, and incident response services in both the Government and commercial sectors, including time at the U.S. Department of Justice. In my current role at FireEye Mandiant, I lead a global team of cyber experts who deliver our capabilities and security functionality and solutions to protect critical missions, infrastructure, and National security interests world-wide. As I testify today, FireEye Mandiant employees are on the front lines of a cybersecurity battle, really, responding to over 150 active computer intrusions at some of the largest organizations and companies in the world. Over the last 17 years, we have responded to tens of thousands of security incidents. It is unfortunate, but we receive calls almost daily from organizations that have suffered a cybersecurity breach. For each security incident we respond to, it is our objective to determine what happened and what organizations can do to avoid similar incidents in the future. We also maintain over 200 intelligence professionals and analysts located in more than 20 countries, speaking over 30 languages, who pursue attribution, identification, and more detailed information about threat actors, their motivations, and intents. FireEye Mandiant is encouraged by the draft legislation the subcommittee has developed to improve cyber incident reporting. 
The bill is a positive step forward in achieving important, long-term goals of enabling early detection of malicious cyber attacks. It would also enhance the Federal Government's situational awareness to better partner with and assist private-sector entities that become cyber attack victims. This whole-of-community approach is critical to increasing capacity and to prevent future cyber attacks as well as to drive ultimately, we believe, deterrence in this space. Any legislation on this matter should take into consideration the evolving cyber threat landscape; the increasingly sophisticated tactics, techniques, and procedures used by adversaries; and lessons learned from existing voluntary information-sharing models as established by the Cybersecurity Information Sharing Act of 2015. Simply put, any reporting framework must be agile and include opportunities for the Federal Government to pivot or adjust its reporting requirements to keep pace with the threat landscape and actor and adversary actions and activity. The U.S. Government should consider a Federal incident reporting program that goes beyond voluntary sharing of threat indicators as authorized under the 2015 legislation. It should also include mandatory disclosure requirements for cyber incidents. Major tenets of such a program should safeguard the protection and integrity of electronic and other types of data; ensure confidential sharing; encourage entities to adopt recognized cybersecurity standards and practices with a minimum threshold; provide greater incentives for private-sector entities, including liability protections and statutory privilege to not be disclosed in civil litigation; protect privacy and civil rights; and provide outreach and technical assistance to entities that do not have cybersecurity expertise or capabilities.
FireEye Mandiant believes that strong cyber community protection is predicated on several key concepts, and lawmakers should consider the following additional components that we believe would constitute a robust and ultimately successful cyber incident reporting program. No. 1, reporting requirements should account for two key outcomes: Timely and relevant reporting of critical intelligence to relevant Government authorities for assessment, correlation, and decision support; and, No. 2, reasonable latitude for the victim to determine nature, extent, and potential impact of a breach or attack. In the first instance, the timeliness and quality of the data reported to the Government will largely determine how effective the response to and disruption of the attack will ultimately be. In the second instance, cyber attacks are often complex and require sophisticated analysis to fully understand the scope of compromise. Victims require support from external firms to fully analyze a breach and will likely be dealing with other business impacts and crisis management activities during such activities. Allowing for a reasonable amount of time to properly assess the situation before requiring reporting will limit false positives and redundant or contradictory information and prevent unnecessary data collection on the part of CISA. FireEye Mandiant encourages lawmakers to consider harmonizing reporting requirements with existing Federal acquisition regulations and standards to provide for consistent and streamlined regime that simplifies business processes and ultimately encourages and streamlines compliance as well. Second, FireEye Mandiant strongly believes in the concept of a public-private partner approach to cybersecurity. Unlike most other domains at risk, cyber attacks and cyber crimes are almost always predicated on the use of--use traversal or compromise of privately-owned infrastructure, even when the attacks are focused on Government or National security assets. 
The private sector, especially critical infrastructure sector businesses, is both a key component of overall National cyber resiliency and a key source of intelligence on our adversaries' capability, intent, and activities in cyber space. Over the past decade, many Federal agencies, including CISA, the FBI, the United States Secret Service, and the National Security Agency, have built strong partnerships with key cybersecurity and critical infrastructure organizations through voluntary programs, outreach, and support. While we recognize that much more needs to be done, without these efforts and support functions, many private-sector cyber attacks would have likely remained undetected for much longer and would have been much more severe. Under a new cyber incident reporting program, these trusted relationships and partnerships must be strengthened and enhanced to advance our common goals in reducing the frequency and severity of cyber attacks.

No. 3, a reporting program must encourage cooperation and strengthen trust between public and private-sector entities. A regulatory-based approach or a regime that focuses on punitive actions rather than mutual benefits would be counter to the goal of creating a strong National partnership model to counter the increasing cyber threats we are facing. As previously suggested, although mandatory reporting is necessary, the focus should be on supporting organizations to achieve compliance, not punishment for noncompliance. Fines and other financial or legal punishments do not properly reflect the truth that, barring gross negligence or willful misconduct, organizations that suffer cyber attacks are victims of a crime. Mechanisms to compel collection of critical information, when necessary, such as subpoenas, better align to the general concept of criminal investigation and response.

Fourth, information sharing must be bidirectional.
An incident reporting framework should allow for a consistent flow of two-way information sharing between public and private sectors to help maximize the ability to resolve and consider attribution. Organizations that invest significant effort into collecting, analyzing, and sharing cyber attack technical information require feedback on the usefulness and value of what they provided. They also benefit from data that can be only provided by the U.S. Government to enhance their own security posture and to help hone their threat detection and response functions.

Finally, I would like to highlight several clear benefits of broader security incident reporting and bidirectional information sharing. Timely reporting of incidents within and across sectors allows for early detection of large, sophisticated cyber campaigns that have the potential for significant impacts to critical infrastructure or National security implications. Technical indicators, along with contextual information, provide a more robust data set to conduct faster and more accurate attribution and adversary intent. This type of analysis is critical in formulating the most impactful response to such attacks and to do so in a time frame that has a high probability of successful countermeasures or deterrence.

On behalf of FireEye Mandiant, thank you for the opportunity to testify before the subcommittee today. We are committed to working with our public and private-sector partners to safeguard the Nation from cyber attacks by sharing cyber threat information, lessons learned, and best practices, including through the newly-established Joint Cyber Defense Collaborative at CISA. We stand ready to work with you and other interested parties to devise effective solutions to deter malicious behavior in cyber space and to build better resiliency into our networks and ultimately improve and enhance the security and well-being of all Americans. Thank you, and I look forward to your questions today.
[The prepared statement of Mr. Bushar follows:]

Prepared Statement of Ronald Bushar

September 1, 2021

introduction

Thank you, Chairwoman Clarke, Ranking Member Garbarino, and all the Members of the subcommittee, for the opportunity to talk with you today about the importance of cyber incident reporting. FireEye Mandiant applauds your efforts to tackle this complex issue and appreciates the open dialog we have enjoyed with you and your staff--public-private partnerships are critical to the success of any cyber incident reporting or disclosure program--both in its development and execution.

background

My comments for today's hearing will focus primarily on the major tenets and benefits of a cyber incident reporting framework. Before I turn to this specific topic, let me share some background on myself and my company to establish context for my narrative.

I started my career in the United States Air Force as an officer in the Information Warfare Aggressor Squadron. For more than 20 years, I have worked in cyber defense operations, cybersecurity consulting, and incident response services in both the Government and commercial sectors, including the Justice Department. In my current role at FireEye Mandiant, I lead a global team of cyber experts who deliver our unique platform of innovative security program capabilities and solutions to protect critical missions, infrastructure, and National security interests world-wide.

As I testify today, FireEye Mandiant employees are on the front lines of the cyber battle, currently responding to over 150 active computer intrusions at some of the largest companies and organizations in the world. Over the last 17 years, we have responded to tens of thousands of security incidents. It is unfortunate, but we receive calls almost daily from organizations that have suffered a cybersecurity breach.
For each security incident we respond to, it is our objective to determine what happened and what organizations can do to avoid similar incidents in the future. We also maintain over 200 intelligence analysts, located in more than 20 countries, speaking over 30 languages, who pursue attribution and identification of the threat actors via research and sources.

incident reporting framework

FireEye Mandiant is encouraged by the draft legislation the subcommittee has developed to improve cyber incident reporting. The ``Cyber Incident Reporting for Critical Infrastructure Act of 2021'' is a positive step forward in achieving important long-term goals of enabling early detection of malicious cyber attacks. It would also enhance the Federal Government's situational awareness to better partner with and assist private-sector entities that become cyber attack victims. This ``whole-of-community'' approach is critical to increasing capacity to prevent and deter future cyber attacks.

Any legislation on this matter should take into consideration the evolving cyber threat landscape; the increasingly sophisticated tactics, techniques, and procedures used by adversaries; and lessons learned from existing voluntary information-sharing models, as established by the ``Cybersecurity Information Sharing Act of 2015.'' Simply put, any reporting framework must be agile and include opportunities for the Federal Government to pivot or adjust its reporting requirements to keep pace with the threat environment and bad actors.

The U.S. Government should consider a Federal incident reporting program that goes beyond voluntary sharing of threat indicators as authorized under the 2015 law--it should also include mandatory disclosure requirements for cyber incidents. Major tenets of such a program should:

- Safeguard the protection and integrity of electronic and other types of data.
- Ensure confidential sharing.
- Encourage entities to adopt recognized cybersecurity standards and practices with a minimum threshold.
- Provide greater incentives for private-sector entities, including liability protections and statutory privilege to not be disclosed in civil litigation (e.g., confidentiality obligations).
- Protect privacy and civil rights.
- Provide outreach and technical assistance to entities that do not have cybersecurity expertise or capabilities.

FireEye Mandiant believes that strong cyber community protection is predicated on several key concepts. Lawmakers should consider the following additional components that we believe would constitute a robust and ultimately successful cyber incident reporting program:

Establish reasonable and effective time lines for reporting.

Reporting requirements should account for two key outcomes: (1) Timely and relevant reporting of critical intelligence to relevant Government authorities for assessment, correlation, and decision support, and (2) reasonable latitude for the victim to determine the nature, extent, and potential impact of a breach. In the first instance, the timeliness and quality of the data reported to the Government will largely determine how effective the response to and disruption of the attack will be. In the second instance, cyber attacks are often complex and require sophisticated analysis to understand the full scope of compromise. Victims require support from external firms to fully analyze a breach and will likely be dealing with other business impacts and crisis management activities. Allowing for a reasonable amount of time to properly assess the situation before requiring reporting will limit false positives, redundant or contradictory information, and prevent unnecessary data collection.
FireEye Mandiant encourages lawmakers to consider harmonizing reporting requirements with existing Federal acquisition regulations and standards to provide for a consistent and streamlined regime that simplifies business processes and compliance.

Preserve existing trusted relationships and partnerships.

FireEye Mandiant strongly believes in the concept of a public-private partner approach to cybersecurity. Unlike most other domains of risk, cyber attacks and cyber crime are almost always predicated on the use, traversal, or compromise of privately-owned infrastructure, even when the attacks are focused on Government or National security assets. The private sector, especially critical infrastructure sector businesses, is both a key component of overall National cyber resiliency and a key source of intelligence on our adversaries' capabilities, intents, and activities in cyber space.

Over the past decade, many Federal agencies, including the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the U.S. Secret Service, and the National Security Agency have built strong partnerships with key cybersecurity and critical infrastructure organizations through voluntary programs, outreach, and support. While we recognize that much more needs to be done, without these efforts and support functions, many private-sector cyber attacks would have likely remained undetected for much longer and would have been much more severe. Under a new cyber incident reporting program, these trusted relationships and partnerships must be strengthened and enhanced to advance our common goals of reducing the frequency and severity of cyber attacks.

Ensure compliance is non-punitive.

A reporting program must encourage cooperation and strengthen trust between the public and private sector.
A regulatory-based approach or a regime that focuses on punitive actions rather than mutual benefits would be counter to the goal of creating a strong National partnership model to counter the increasing cyber threats we are facing. As previously suggested, although mandatory reporting is necessary, the focus should be on supporting organizations to achieve compliance, not punishment for non-compliance. Fines and other financial or legal punishments do not properly reflect the truth that, barring gross negligence or willful misconduct, organizations that suffer a cyber attack are victims of a crime. Mechanisms to compel collection of critical information when necessary, such as subpoenas, better align to the general concept of criminal investigation and response.

Require information to flow back into the community.

Information sharing must be bi-directional. An incident-reporting framework should allow for a consistent flow of two-way information sharing between the public and private sectors to help maximize the ability to resolve and consider attribution. Organizations that invest significant effort into collecting, analyzing, and sharing cyber attack technical information require feedback on the usefulness and value of what they have provided. They also benefit from data that can only be provided by the Government to enhance their own security posture and help to hone their threat detection and response functions.

benefits

Finally, I would like to highlight several clear benefits to broader cyber incident reporting and bi-directional information sharing. Timely reporting of incidents, within and across sectors, allows for earlier detection of large, sophisticated cyber campaigns that have the potential for significant impacts to critical infrastructure or National security implications. Technical indicators, along with contextual information related to attacks, provide a more robust dataset to conduct faster and more accurate attribution and adversary intent.
This type of analysis is critical in formulating the most impactful response to such attacks and to do so in a time frame that has a higher probability of successful countermeasures or deterrence. Cyber incident information also allows for cross-correlation and collaboration with international partners, thereby enabling a multilateral response to state-sponsored or state-sanctioned cyber criminals that often originate overseas and travel through an allied nation's infrastructure. Last, robust and centralized collection of incident information provides the Government with a much more accurate cyber risk picture and enables more effective and efficient investments and support before, during, and after major cyber attacks.

conclusion

On behalf of FireEye Mandiant, thank you for the opportunity to testify before the subcommittee. We are committed to working with our public and private-sector partners to safeguard the Nation from cyber attacks by sharing cyber threat information, lessons learned, and best practices, including through the newly-established Joint Cyber Defense Collaborative at the Cybersecurity and Infrastructure Security Agency. We stand ready to work with you and other interested parties to devise effective solutions to deter malicious behavior in cyber space and to build better resiliency into our networks. I look forward to your questions.

Ms. Clarke. All right. Thank you, Mr. Bushar, for your expert testimony here today. I would like to acknowledge that we have been joined by the gentleman from Mississippi, the Chairman of our full committee, Mr. Thompson, who will be submitting his opening statement for the record, but I wanted to acknowledge his presence.

[The statement of Chairman Thompson follows:]

Statement of Chairman Bennie G. Thompson

September 1, 2021

Good afternoon.
I want to thank Chairwoman Clarke and Ranking Member Garbarino for holding this important legislative hearing to discuss the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Establishing a mandatory cyber incident reporting framework at CISA has been a priority for the Homeland Security Committee since last Congress. I applaud Chairwoman Clarke for engaging with stakeholders and working so hard to get the language right. I look forward to continuing to work with her as she continues to refine the text. I would also like to thank Ranking Member Katko for his support of this important legislation.

For a decade and a half, I have served as either Chairman or Ranking Member of this committee. Over the years, there has been an evolution in thinking about how closely the public and private sector need to collaborate to protect our Nation's critical infrastructure. I have seen the Federal Government struggle to find the right way for critical infrastructure owners and operators to share security information with the Government and to zero in on how to turn that information into an actionable security product.

The Cybersecurity Information Sharing Act of 2015 was the product of extensive negotiations on the part of both Government and industry. When the legislation was finally enacted into law, we had high expectations that it would spur timely sharing and enhance our Nation's cybersecurity posture. But the 2015 bill did not fully deliver. There was reluctance among many in the private sector to share information with the Department. And, for its part, the Department struggled to turn what data it did get into something the private sector could use to drive down risk. It focused too much on the volume of indicators shared and not enough on the quality of the information. For 6 years, this committee has engaged with the Department and stakeholders to try to correct course, but over time it has become clear that we need a new approach.
Last Congress, former Subcommittee Chair Cedric Richmond offered an amendment to the National Defense Authorization Act that would establish a mandatory cyber incident reporting framework at the Cybersecurity and Infrastructure Security Agency. It was included in the House-passed package but was stripped during conference negotiations with the Senate. Since then, a series of high-profile, high-consequence cyber incidents over the past year have made it clear we need to take urgent action to improve the way the private sector shares information with the Government.

As Chairwoman Clarke said in her opening statement, the text we are discussing today is the product of months of stakeholder engagement and bipartisan negotiations to fine tune the bill. And we are here today to further refine the legislation to ensure it serves the purposes of the Federal Government and will result in security benefits to covered entities. I am committed to getting this framework right and across the finish line this Congress. I thank the witnesses for being here today, and I look forward to their testimony.

Ms. Clarke. But I now recognize Ms. Hogsett to summarize her statement for 5 minutes.

STATEMENT OF HEATHER HOGSETT, SENIOR VICE PRESIDENT, TECHNOLOGY & RISK STRATEGY FOR BITS, BANK POLICY INSTITUTE

Ms. Hogsett. Thank you. Chairwoman Clarke, Ranking Member Garbarino, and honorable Members of the subcommittee, thank you for inviting me to testify. I am Heather Hogsett, senior vice president of technology and risk strategy for BITS, the Technology Policy Division at the Bank Policy Institute. BPI is a nonpartisan policy, research, and advocacy organization, representing the Nation's leading banks. Through our technology division, BITS, we work with our member banks as well as other leading financial institutions on cyber risk management and critical infrastructure protection as well as fraud reduction, regulation, and innovation.
I also serve as policy committee co-chair for the Financial Services Sector Coordinating Council, which coordinates across the financial sector and with Government partners to enhance security and resiliency.

On behalf of BPI's member firms, we greatly appreciate this committee's leadership on cybersecurity and critical infrastructure protection. We also appreciate the work of the committee on the Cyber Incident Reporting for Critical Infrastructure Act of 2021, which is focused on addressing the urgent need for Government and critical infrastructure to share cyber information to improve awareness of cyber threats and better inform our collective ability to mitigate and respond to them.

Banks and other financial institutions have had legal and regulatory requirements for cybersecurity and incident reporting for more than 20 years. In addition to required regulatory reporting, financial firms have made significant investments to protect the industry, developing high-trust collaboration centers to improve resilience of individual firms and across the broader financial system, through digital infrastructure, comprehensive use of security tools, exercise programs, and extensive training.

Based on past experience, we are encouraged to see that the current draft bill includes five key elements that we believe are vital to achieving our shared goal of protecting the Nation's critical infrastructure.

First, the bill appropriately tailors the scope of incidents that should be reported to those that could cause actual harm. This will ensure CISA receives accurate and useful data to help achieve its goal of greater situational awareness.

Second, the time line for reporting of no earlier than 72 hours after confirmation an incident has occurred strikes the right balance to allow a firm sufficient time for investigation and implementation of response measures while reporting timely, accurate, and useful information to CISA.
The initial stages of an incident response require all hands on deck, and front-line cyber defenders should be focused on investigation, response, and remediation, rather than completing compliance paperwork.

Third is the need to ensure harmonization with existing requirements. For already-regulated critical infrastructure sectors, it is vital to ensure new requirements are harmonized with existing laws and regulations. Financial institutions are regularly examined for their cybersecurity operations and compliance with reporting requirements and may be subject to penalties and other enforcement mechanisms for deficiencies or failures to comply. The bill currently includes helpful provisions to require CISA to coordinate with other agencies and regulatory authorities to streamline reporting requirements.

The bill also builds off the Cybersecurity and Information Sharing Act of 2015. We support the committee clearly incorporating the key definitions and protections already created by the CISA Act for private firms sharing information with Government. Any bill that seeks to mandate cyber information sharing should incorporate these protections, and we appreciate that you have clearly defined that in your bill.

Finally, the bill addresses the need to help companies understand if their data has been compromised by an attack on a Government system. While the SolarWinds attack targeted several Federal agencies, it also impacted a much broader swath of entities, including critical infrastructure companies. Financial services firms are required to share sensitive and confidential information with regulators and other Government agencies that, if breached, could pose risks to the institution and its customers. To this end, the bill includes language to address this need for greater transparency.
In closing, I would note that there is an additional area that we would like to continue working with you on, and that is around the need for improvements to bidirectional information sharing and collaboration. Current information sharing is often one-sided from Government--from industry to Government, and the alerts and warnings industry receives from Government are often delayed, limiting their usefulness. At CISA, along with intelligence from law enforcement agencies, strengthened coordination, and collaboration with the private sector, we urge Congress to ensure Government agencies are improving the speed and quality of information provided back to critical infrastructure.

Again, thank you for your leadership on cybersecurity and your thoughtful approach to crafting this legislation. We look forward to continuing to work with this committee, and I am happy to answer any questions you may have.

[The prepared statement of Ms. Hogsett follows:]

Prepared Statement of Heather Hogsett

September 1, 2021

Chairwoman Clarke, Ranking Member Garbarino, and Honorable Members of the subcommittee, thank you for inviting me to testify. I am Heather Hogsett, senior vice president of technology and risk strategy for BITS, the technology policy division of the Bank Policy Institute (BPI). BPI is a nonpartisan policy, research, and advocacy organization representing the Nation's leading banks. BPI members include universal banks, regional banks, and major foreign banks doing business in the United States. BITS, our technology policy division, works with our member banks as well as other leading financial institutions on cyber risk management and critical infrastructure protection, fraud reduction, regulation, and innovation. I also serve as co-chair of the Financial Services Sector Coordinating Council (FSSCC) Policy Committee. The FSSCC coordinates across the financial sector to enhance security and resiliency and to collaborate with Government partners such as the U.S.
Treasury and the Cybersecurity and Infrastructure Security Agency (CISA), as well as financial regulatory agencies.

executive summary

Banks and other financial institutions are increasingly under cyber attack by foreign nations and criminal groups seeking to disrupt the financial system and undermine the functioning of the U.S. economy. The financial sector takes these risks seriously and has a long history of working across industry and with Government partners to address and manage these risks. We were the first sector to form an information sharing and analysis center in 1999 and established a strong sector coordinating council in 2002--both of which have served as leading examples other critical infrastructure sectors have sought to replicate. We are also one of the few critical infrastructure sectors that has had cybersecurity and incident reporting requirements in law and regulation for over 20 years.

We greatly appreciate the committee's leadership to address the Nation's cybersecurity challenges and efforts to improve the resilience of critical infrastructure. We share a mutual commitment to cybersecurity and the value in sharing threat and incident information, and support efforts to fortify CISA as a leader in this space. As Congress considers legislation to require critical infrastructure entities to report cyber incidents to the Federal Government, we believe the following elements in the bill--the Cyber Incident Reporting for Critical Infrastructure Act of 2021--which are discussed in greater detail below, are vital to achieving our shared goal of protecting the Nation's critical infrastructure:

Scope.--The scope of required reporting focuses on incidents that could cause actual harm, which will ensure CISA receives accurate and useful data to help achieve its goal of greater situational awareness.
Approaches which seek to mandate reporting of ``potential'' incidents are too broad and would lead to over-reporting that is insufficiently focused on the actual risks.

Time Line.--The time line for reporting of no earlier than 72 hours after confirmation an incident has occurred strikes the right balance to allow sufficient time for investigation and implementation of mitigation and response measures while reporting timely and useful information to CISA. The initial stages of an incident response require ``all-hands-on-deck'' and front-line cyber defenders should be focused on response and remediation rather than completing compliance paperwork.

Harmonization.--For already-regulated critical infrastructure sectors, it is vital to ensure new reporting requirements are harmonized with existing laws and regulations. We appreciate the approach taken in the bill and would recommend continued Congressional focus to ensure implementation avoids unnecessary duplication and establishes a streamlined process for all required reporting.

Maintain Protections and Definitions in the Cybersecurity and Information Sharing Act of 2015 (CISA Act).--We support the committee clearly incorporating the key definitions and protections already created by the CISA Act for private firms sharing information with Government. This bill builds on that, and the consistency for industry is important. Any bill in Congress that seeks to mandate cyber information sharing should incorporate these protections and we appreciate that is clearly defined in the bill.

Helping Companies Understand if Their Data has Been Compromised.--The SolarWinds attack targeted several Federal agencies but also impacted a much broader swath of entities including critical infrastructure companies. Government agencies who are attacked should be required to notify critical infrastructure entities when their sensitive information may be compromised.
We appreciate the language in this bill that seeks to address this important issue.

Working Together on Other Priorities

There is an additional area that we would like to work on with this committee and Congress that we believe is essential to improving our cyber defense capabilities, and that is around the need for greatly improved bi-directional information sharing. The Government should use reported information from critical infrastructure and other Government entities to improve the relevancy and speed of alerts and other analyses that can be provided to critical infrastructure. More timely and actionable information being shared with the private sector would benefit our collective security and resilience capabilities.

background on existing financial services sector cybersecurity efforts

Legal and Regulatory Requirements

The banking/financial services sector is one of the few critical infrastructure sectors that has had mandatory cybersecurity and incident reporting requirements in law and regulation for over 20 years. As a result, we have experienced what is most effective and would emphasize that it is important to ensure that any new requirements are harmonized and align with existing requirements for financial firms. For example, financial institutions are regularly examined for compliance with the Gramm-Leach-Bliley Act and its implementing regulations, which require cyber incident reporting when unauthorized access to or misuse of customer data occurs. The New York Department of Financial Services Cybersecurity Regulation expanded on these requirements and requires reporting if a cyber incident is likely to cause harm to the financial institution's operations.
In the course of on-going robust oversight from regulatory authorities--such as the Federal Reserve Board, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation, among others--banks are regularly examined for their cybersecurity practices including the use of security controls, third-party risk management and senior management and board oversight. A summary of the main banking/financial services requirements is attached as Appendix A.

Information-Sharing and Collaboration Efforts

In addition to required regulatory reporting, financial firms have made significant investments to protect the industry, developing high-trust collaboration centers to improve resilience at individual firms and across the broader financial system, through digital infrastructure, comprehensive use of security tools, exercise programs and extensive training. They have also created joint initiatives to address systemic challenges such as:

- The Financial Services Information Sharing and Analysis Center (FS-ISAC),\1\ which shares cyber threat information and best practices for nearly 7,000 members across the globe, including 4,600 U.S. financial institutions. The FS-ISAC was one of the first ISACs created among industry.

  \1\ https://www.fsisac.com/.

- The Financial Services Sector Coordinating Council (FSSCC),\2\ which strengthens the resiliency of the financial sector against cyber attacks and other threats by proactively identifying threats, promoting protection, driving preparedness, collaborating with Government partners and regulatory authorities and coordinating crisis response.

  \2\ https://fsscc.org/.
---------------------------------------------------------------------------
The Analysis and Resilience Center,\3\ which works to mitigate systemic risk to the Nation's most critical financial and electric infrastructure, and facilitates operational collaboration between firms, the U.S. Government, and other key partners.
---------------------------------------------------------------------------
\3\ https://systemicrisk.org/.
---------------------------------------------------------------------------
Sheltered Harbor,\4\ a secure data repository for consumer bank and securities holdings to protect customers, financial institutions, and public confidence in the event a cyber attack causes critical systems to fail; and
---------------------------------------------------------------------------
\4\ https://www.shelteredharbor.org/.
---------------------------------------------------------------------------
The Cyber Risk Institute's ``Cyber Profile''\5\ which is derived from the National Institute of Standards and Technology's Cybersecurity Framework and incorporates financial services regulatory requirements and industry best practices to address one of the industry's most pressing needs to harmonize regulation globally to improve security and resilience.
---------------------------------------------------------------------------
\5\ https://cyberriskinstitute.org/.
---------------------------------------------------------------------------

discussion points: effective cyber incident reporting model

The recent string of ransomware attacks and supply chain compromises has highlighted the need for more transparency about the nature and depth of cybersecurity attacks affecting the public and private sectors. BPI member banks are committed to improving protections across critical infrastructure sectors and recognize the value in sharing cyber threat and incident information with CISA.
As noted above, banks and other financial institutions already adhere to extensive cybersecurity and regulatory reporting requirements. It must be a priority for Congress to harmonize any new requirements for reporting, oversight and enforcement with existing regulatory requirements to minimize confusion on competing requirements and avoid distracting from response efforts. Based on the industry's experience with long-standing regulations and requirements, we are encouraged to see that the current draft bill includes the following elements that will help ensure an effective structure for incident reporting for all critical infrastructure sectors:

Scope

The current draft of the legislation appropriately tailors the kinds of incidents to be reported to actual incidents, which will ensure CISA receives accurate, timely, and useful information. Other approaches that would collect information on ``potential incidents'' would create near-constant reporting to CISA by financial services firms based on the number of incidents those firms see on a daily basis. It is unclear what a ``potential incident'' is, how it would be reported and what value that provides. As the U.S. Government seeks to increase its analytical capabilities, it is also critical for it to be able to turn around threat information and share it with all sectors quickly. Collecting information on potential incidents would add noise to the signal of material incidents and thus overwhelm, rather than enhance, CISA's analytical efforts.

Time Line

The bill's reporting requirement of no earlier than 72 hours after confirmation that an incident has occurred strikes an important balance between allowing an affected entity to implement immediate response measures while ensuring CISA receives timely, useful, and accurate information. The initial stages of an incident response require ``all-hands-on-deck'' to focus immediately on understanding the incident and implementing mitigation and response measures.
Other approaches that would require reporting within 24 hours would distract from critical work in the early stages of a response and result in reports that were premature and likely erroneous.

Harmonization

For already regulated critical infrastructure sectors, it is vital to ensure new reporting requirements are harmonized with existing laws and regulations. The bill currently includes helpful provisions to require CISA to coordinate with Sector Risk Management Agencies and regulatory authorities to streamline reporting requirements. As noted above, financial institutions comply with a multitude of reporting requirements which establish key definitions, time lines, and reporting thresholds, as well as oversight and enforcement mechanisms which may include fines and other penalties. There is value in reporting to CISA, but it is important to ensure Government agencies and regulators work together quickly to develop a common reporting form that would be good for all Government entities requiring incident reporting. Otherwise, still more time will be spent by first responders working with firms' legal and compliance teams to ensure that each agency's nuanced requirement is met, rather than reporting uniformly and allowing more time for protecting critical infrastructure.

Maintain Protections of the Cybersecurity and Information Sharing Act of 2015

The bill incorporates existing definitions and protections from the CISA Act, which will provide helpful continuity for industry. These measures, which include privacy and liability protections, serve as instrumental building blocks to greater sharing and collaboration between the public and private sectors, and should be continued as Congress expands the information firms are required to submit to CISA.
Helping Companies Understand if Their Data has Been Compromised

Financial services companies are required to share sensitive and confidential information, including operational and customer data, with regulators and other Government agencies that, if breached, could pose risks to the institution and its customers. The current draft of the bill recognizes the importance of ensuring that Government agencies are also required to provide greater transparency and alert critical infrastructure companies if their sensitive data is affected by a breach at a Federal agency. Such notification would allow the firm to take proactive measures to mitigate risks, helping protect the firm, its customers, and potentially the broader sector.

future work together

Recent disruptive ransomware attacks on critical infrastructure are a stark reminder of the threats we face and the urgent need to rethink how Government and industry work together to protect against National security threats. Expanding CISA's awareness of cyber incidents affecting critical infrastructure through required reporting will help improve the quality of cyber threat analysis that can be shared more broadly across the public and private sectors. We appreciate the committee's thoughtful approach and efforts to take input from critical infrastructure sectors in crafting this important legislation and look forward to continued collaboration.

We also look forward to working with the committee on other opportunities to improve public-private collaboration to address cybersecurity threats. As CISA and other Government agencies increasingly receive incident data and other threat information, they should be required to improve the quality, timeliness, and actionable nature of the information that can be provided to critical infrastructure. Current information sharing is often one-sided from industry to Government and the alerts and warnings industry receives from Government are often delayed, limiting their usefulness.
As CISA, along with intelligence and law enforcement agencies, strengthen coordination and collaboration with the private sector, we urge Congress to ensure Government agencies are improving the speed and quality of information provided back to critical infrastructure.

I appreciate the opportunity to testify today and look forward to any questions.

APPENDIX A

The following is a snapshot of the main banking/financial services cybersecurity incident notification and reporting requirements; a myriad of others exist as well.

Gramm-Leach-Bliley Act (GLBA).--Under the GLBA and its implementing regulations,\6\ cyber incident reporting is triggered when a financial institution becomes aware of unauthorized access to sensitive customer information that is, or is likely to be, a misuse of the customer's information. Notification to regulators is required as soon as possible after the institution determines that misuse of customer data has occurred or is reasonably possible (e.g. at the start of an investigation to determine the likelihood that the information has been or could be misused). To ensure adherence to these requirements, regulators conduct on-going and rigorous reviews of institutions' operating and governance processes, including data security and data handling processes and third-party risk management measures. Failure to report incidents and adhere to these requirements could result in serious enforcement measures including mandatory corrective action directives, restrictions on activities, and fines.
---------------------------------------------------------------------------
\6\ Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. See https://www.federalregister.gov/documents/2005/03/29/05-5980/interagency-guidance-on-response-programs-for-unauthorized-access-to-customer-information-and.
---------------------------------------------------------------------------
Reporting Time Line.--As soon as possible once the institution determines unauthorized access occurred.
Definitions.--A cyber incident is defined as unauthorized access to sensitive customer information.
Scope of Reporting.--Covers non-public customer information such as personally identifiable financial information, financial transaction information, income, and credit rating data, etc.
Reporting Mechanism.--Report provided to regulators; information becomes part of on-going regulatory oversight/examinations.

New York Department of Financial Services (NYDFS) Cybersecurity Regulation.--The NYDFS regulations\7\ became effective on March 1, 2017 and add another layer of mandatory cybersecurity reporting requirements for financial services companies. A financial institution must notify NYDFS when a cyber event triggers reporting to any other Government body, regulatory or self-regulatory agency. Notification is also triggered if there is a reasonable likelihood of material harm to the institution's operations. Once a triggering event has occurred, notification must occur as promptly as possible, but not later than 72 hours from the determination that a cybersecurity event has occurred.
---------------------------------------------------------------------------
\7\ See New York Codes, Rules and Regulations (23 NYCRR 500). https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default).
---------------------------------------------------------------------------
Reporting Time Line.--72 hours from the determination that a cyber event has occurred.
Definitions.--A cyber event is defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an information system or information stored on an information system.
Scope of Reporting.--Covers non-public customer information and information technology systems.\8\
---------------------------------------------------------------------------
\8\ Defined as ``a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.''
---------------------------------------------------------------------------
Reporting Mechanism.--Report provided to NYDFS; information becomes part of on-going regulatory oversight.

European Union General Data Protection Regulation (GDPR).--In the case of a personal data breach, notification is required without undue delay and, where feasible, not later than 72 hours after having become aware of it. GDPR sets specific privacy parameters for use, data security, and handling of consumer data.
Reporting Time Line.--72 hours.
Definitions.--A ``data breach'' is defined as ``the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.''
Scope of Reporting.--Personal data.\9\
---------------------------------------------------------------------------
\9\ Personal data is under GDPR here: https://gdpr-info.eu/art-4-gdpr/.
---------------------------------------------------------------------------
Reporting Mechanism.--Entities report to the agency designated by each member state, which then notifies other member states as needed.

European Union NIS Directive 1.0.--In 2016, the European Union mandated cyber incident reporting for all sectors defined under the term Essential Services which is like the U.S. term of Critical Infrastructure.
However, the European Union has both mandatory security mandates on Digital Service Providers and stricter reporting requirements on DSPs.\10\ The European Union is in the midst of updating the NIS Directive 2.0 where notification must occur with any event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of the related services offered by, or accessible via, network and information systems.
---------------------------------------------------------------------------
\10\ Essential Services are defined by the European Union in the NIS Directive, which was implemented in 2016. See: https://eur-lex.europa.eu/eli/dir/2016/1148/oj.
---------------------------------------------------------------------------
Reporting Time Line.--24 hours from when an entity is aware of an incident, and then a report 30 days later.
Definitions.--An incident means any event having an actual adverse effect on the security of network and information systems.\11\
---------------------------------------------------------------------------
\11\ For definition of ``incident,'' see https://eur-lex.europa.eu/eli/dir/2016/1148/oj.
---------------------------------------------------------------------------
Scope of Reporting.--The directive does not define the threshold of what is a significant incident requiring notification to the relevant E.U. member state National authority and defines 3 parameters for reporting: Number of users affected; duration of incident; geographic spread. DSPs have 5 requirements that are broader.
Reporting Mechanism.--Entities report to the agency designated by each member state.

Notice of Proposed Rulemaking (NPR) from OCC/Federal Reserve/FDIC.--On Jan.
12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a proposed rule on ``Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.'' Under the proposal, incident notification would be triggered after the determination by a banking organization that a computer-security incident has occurred that the bank believes in good faith could cause significant disruption to the institution's operations and ability to deliver products and services to a significant portion of its customers or could pose a risk to the financial stability of the United States. Upon determining that an event has reached the notification incident threshold, a banking organization would be required to notify as soon as possible but no later than 36 hours.
Reporting Time Line.--36 hours after a ``good faith'' determination of an incident.
Definitions.--A computer security incident is defined as an occurrence that jeopardizes confidentiality, integrity or availability of an information system or the information a system processes, stores, or transmits;\12\ a notification incident is defined as a significant computer security incident that could jeopardize the viability of the operations of a financial institution, prevent customers from accessing their deposit and other accounts, or impact the stability of the financial sector.
---------------------------------------------------------------------------
\12\ This definition is taken from NIST which states a computer security incident is ``an occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.''
See NIST, Computer Security Resource Center, Glossary https://csrc.nist.gov/glossary/term/Computer_Security_Incident.
---------------------------------------------------------------------------
Scope of Reporting.--Covers non-public customer information and information technology systems.\13\
---------------------------------------------------------------------------
\13\ The NPR does not define information technology systems.
---------------------------------------------------------------------------
Reporting Mechanism.--Notification to be provided to primary Federal regulator; intended to provide early awareness of emerging threats to individual institutions and potentially the broader financial system.

Mr. Mayer. Chairwoman, I believe you may be muted.
Ms. Clarke. I think I was on mute. Did everyone hear me?
Mr. Mayer. No.
Ms. Clarke. I am sorry about that. They always catch you, don't they? Let me thank Ms. Hogsett for her expert testimony here today. I now recognize Mr. Miller to summarize your statement for 5 minutes.

STATEMENT OF JOHN S. MILLER, SENIOR VICE PRESIDENT OF POLICY, AND GENERAL COUNSEL, INFORMATION TECHNOLOGY INDUSTRY COUNCIL

Mr. Miller. Thank you. Chairs Clarke and Thompson, Ranking Members Garbarino and Katko, distinguished Members of the subcommittee, on behalf of the Information Technology Industry Council, or ITI, thank you for the opportunity to testify today on the Cyber Incident Reporting for Critical Infrastructure Act of 2021. ITI is a global policy and advocacy organization representing 80 of the world's leading ICT companies. I lead ITI's trust data and technology policy team, including our work on cybersecurity globally.
As the current vice chair of the Information Technology Sector Coordinating Council and co-chair of the ICT Supply Chain Risk Management Task Force, I have significant experience partnering with CISA on efforts to improve cyber supply chain and critical infrastructure security and welcome your interest on this important topic. I would also like to thank you and your staffs for the thoughtful and collaborative approach you have taken with stakeholders while drafting this legislation.

If narrowly scoped and carefully crafted, we believe that an incident reporting regime can help improve the Nation's cyber resilience and security by increasing situational awareness across Government and critical infrastructure and driving more effective operational collaboration in response to significant incidents. We commend the subcommittee for its leadership on this issue and commitment to developing an effective and efficient cyber incident reporting regime, and we appreciate the Act leaves many of the details to be worked out through a rule-making process prioritizing CISA engagement with stakeholders. Developing an effective and efficient incident reporting regime while at the same time preserving the partnership and collaborative model that is central to CISA's mission are both important goals.

Just last month, ITI published policy principles for cyber incident reporting which are attached to my written testimony and I encourage the subcommittee to consider in full. ITI also led a multi-association letter to Congress sent last Friday stressing several issues that any incident reporting legislation should address. I will focus the balance of my time on five key recommendations included in both our policy principles and the letter.

First, we recommend any legislation allow for feasible reporting time lines commensurate with incident severity levels but of no less than 72 hours.
Ensuring time lines are feasible is important for several reasons, including allowing entities sufficient time to determine what has occurred and ensuring an incident is properly contextualized, upholding cybersecurity while an entity investigates an incident and to align with global best practices. We appreciate the Act makes clear CISA may not require reporting earlier than 72 hours after an entity confirms an incident has occurred.

Second, we recommend any legislation maintain appropriate confidentiality, nondisclosure, and liability protections. We welcome the act's intent to extend liability protections and FOIA exemptions from the CISA 2015 information sharing legislation to reports provided pursuant to the Act but note the language of CISA 2015 may need to be updated to align with the specific categories of incident reporting information that are ultimately required by the pending rule. Further, the Act should define clear confidentiality and privacy requirements regarding the use of shared information, including to require that any information disseminated to interagency partners is scrubbed of the providing entity's identifying information.

Third, we urge Congress to harmonize existing regulatory reporting requirements to ensure companies are able to efficiently report incidents and not subject to contradictory or duplicative reporting requirements that may hamper notification. We appreciate the Act directs CISA to consider existing regulatory requirements and work with relevant regulatory authorities and recommend adding language clarifying that CISA should leverage existing channels to collect incident information whenever possible, including active interfaces with the FBI, SEC, and financial sector regulators to truly lessen the regulatory burden.

Fourth, we recommend any legislation establish appropriate reporting thresholds and limit reporting to verified incidents.
The act's inclusion of minimum thresholds for reporting a covered incident built on a risk-based analytical model and its focus on verified incidents, as opposed to near misses, hit the mark. However, there is ambiguity in the minimum threshold language that could be resolved through the concept of an incident categorization matrix which could more accurately determine the severity of actual harm posed by incidents, enabling finer prioritization and more precise reporting.

Finally, we maintain that reporting obligations in any legislation should fall only on impacted entities, not on vendors or third-party service providers. An incident reporting requirement with a broader scope could disrupt normal business operations, including potentially forcing vendors or third parties to disclose business confidential information of impacted customers or breach their contractual obligations and result in flooding CISA with multiple, duplicative reports diverting limited resources away from cyber incident response.

Thank you again for the opportunity to testify today. I look forward to your questions.

[The prepared statement of Mr. Miller follows:]

Prepared Statement of John S. Miller

September 1, 2021

Chairwoman Clarke, Ranking Member Garbarino, and distinguished Members of the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation of the House Committee on Homeland Security, thank you for the opportunity to testify today.
My name is John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council (ITI).\1\ I lead ITI's Trust, Data, and Technology team, including our work on cybersecurity policy globally, and I have deep experience working on public-private security initiatives in the United States, including currently serving as co-chair of the Cybersecurity and Infrastructure Security Agency (CISA)-sponsored Information and Communications Technology Supply Chain Risk Management Task Force (ICT SCRM Task Force), and as vice chair of the Information Technology Sector Coordinating Council (ITSCC), the principal IT sector partner to CISA on critical infrastructure protection and cybersecurity policy. I am honored to provide ITI's perspective on the important topic of cyber incident reporting and the legislation the subcommittee is considering today.
---------------------------------------------------------------------------
\1\ See ITI membership list at: https://www.itic.org/about/membership/iti-members.
---------------------------------------------------------------------------
ITI represents the world's leading information and communications and technology (ICT) companies. We promote innovation world-wide, serving as the ICT industry's premier advocate and thought leader in the United States and around the globe. ITI's membership comprises leading innovative companies from all corners of the technology sector, including hardware, software, digital services, semiconductor, network equipment, cybersecurity, and other internet and technology-enabled companies that rely on ICT to evolve their businesses. Cybersecurity is rightly a priority issue for governments and our industry, and we share the common goals of improving cybersecurity, protecting the privacy of individuals' data, and maintaining strong intellectual property protections.
Further, our members service customers across all levels of government and the full range of global industry sectors, such as financial services, health care, and energy. We thus acutely understand the importance of cybersecurity as not only a global business imperative for companies and customers alike, but as critical to our collective security. As a result, our industry has devoted significant resources, including expertise, initiative, and investment in cybersecurity efforts to create a more secure and resilient internet ecosystem.

The SolarWinds compromise and the latest wave of damaging ransomware attacks, along with other recent cyber attacks, serve as an important reminder that the cyber threat landscape is constantly evolving and that we need innovative new policy ideas to help confront the emergence of new threats. We have seen policy makers increasingly consider incident reporting as a potentially appropriate tool to improve Government's ability to leverage its resources toward not only helping victim organizations recover from incidents, but ideally to help protect others from similar threats or vulnerabilities. If narrowly scoped and carefully crafted, we believe that an incident reporting regime can help improve the Nation's digital resilience and security. We commend the subcommittee for its leadership on this issue and its commitment to developing an effective and efficient cybersecurity incident reporting regime.

As a general matter, we appreciate that the Cyber Incident Reporting for Critical Infrastructure Act of 2021 (hereafter ``the Act'') leaves many of the details to be worked out through a rule-making process in which CISA solicits feedback from stakeholders, as opposed to laying out stringent requirements in statute.
Just last month ITI published our Policy Principles for Cyber Incident Reporting in the United States (hereafter ``Policy Principles'') to help inform on-going efforts domestically, which is attached as an Appendix to my testimony (see Appendix A). We make ten recommendations to policy makers in the Policy Principles, all of which we encourage the subcommittee to take into account as it considers incident reporting legislation and works on further refinements to the Act. We also led a recent multi-association letter to Congress stressing several key areas aligned with our principles that should be included in any incident reporting legislation.\2\ --------------------------------------------------------------------------- \2\ Letter available here: https://www.itic.org/documents/ cybersecurity/MultiassnLetter-SecurityIncidentReporting- 08.27.2021FINALFINAL.pdf. --------------------------------------------------------------------------- After briefly providing important context to help inform the current security incident reporting debate, I will focus the bulk of my written testimony on five recommendations that were included in our Policy Principles, as well as the above-referenced multi-association letter, including: (1) Establishing feasible reporting time lines of no less than 72 hours; (2) ensuring appropriate confidentiality, nondisclosure, and liability protections; (3) limiting reporting to the impacted organization, rather than third-party vendors or providers; (4) harmonizing Federal cybersecurity incident reporting requirements; and (5) limiting reporting to verified intrusions and incidents. My testimony concludes by stressing the importance of seizing the opportunity to develop a workable security incident notification regime while preserving CISA's collaborative role with private-sector partners. i. 
security incident reporting in context Devising a successful cybersecurity incident reporting regime requires an understanding of adjacent and overlapping cybersecurity information sharing and data breach notification measures, as well as the evolving global policy debates regarding this issue. a. Clarifying and Understanding Terms Can Help Efficiently Harmonize Requirements In thinking about security incident reporting, it is essential that policy makers and other stakeholders recognize that it is distinct from other concepts with which it is often confused: Primarily, data breach notification and cybersecurity threat information sharing. Security incident notification such as that contemplated by the Act requires organizations to report on the details of a cybersecurity incident that has already occurred to help increase visibility into such events; data breach notification requirements are also triggered post-incident but relate specifically to reporting details regarding the unauthorized access to or disclosure of personally identifiable information or other sensitive data for privacy purposes. Importantly, policy makers should consider that in some instances a single incident could trigger both types of notification and reporting requirements and should consider how to reduce potential inefficiencies in reporting. Both of the preceding two concepts are distinct from cyber threat information sharing, which refers to the proactive sharing of threat information to help all entities better understand cybersecurity threats and take steps to prevent future cyber attacks. Given the subcommittee's intent to leverage the Cybersecurity Information Sharing Act of 2015 (CISA 2015) in the security incident reporting context, including to extend CISA 2015's liability protections, it is critical to understand both the differences and similarities between the two concepts. We further elaborate on all three of these concepts in our Policy Principles (see Appendix A). b. 
The Global Policy Debate Can Help Inform U.S. Policy ITI is an active participant in policy conversations on cybersecurity incident reporting globally. Indeed, it is not only the United States that is considering implementing a mandatory incident reporting regime. Europe, in the proposal for a revised Network and Information Systems Directive (NIS 2 Directive), as well as Australia, in their Security Legislation Amendment (Critical Infrastructure) Bill of 2020, which revises the Security of Critical Infrastructure Bill of 2018, are contemplating mandatory incident reporting as a way to increase Government visibility into cybersecurity events.\3\ We have similarly encouraged both the European Commission and the Australian Government to adopt the principles discussed in my testimony and referenced in ITI's Policy Principles.\4\ These global efforts are relevant and important to consider as Congress seeks to develop legislation that establishes a mandatory incident reporting regime, as the subcommittee acknowledges in the Act by requiring the CISA director to align the reporting requirements CISA develops with international standards. --------------------------------------------------------------------------- \3\ Security Legislation Amendment (Critical Infrastructure) Bill of 2020, first reading text, available here: https:// parlinfo.aph.gov.au/parlinfo/download/legislation/bills/r6657_first- reps/toc_pdf/20182b01.pdf;fileType=application%2Fpdf; proposal for NIS 2 Directive text, available here: https://digital- strategy.ec.europa.eu/en/library/proposal-directive-measures-high- common-level-cybersecurity-across-union. 
\4\ ITI Comments on NIS 2 Directive, available here: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12475-Cybersecurity-review-of-EU-rules-on-the-security-of-network-and-information-systems/F2004660_en; ITI Comments on Security Legislation Amendment Bill of 2020, available here: https://www.aph.gov.au/DocumentStore.ashx?id=04c36c84-3067-4ffb-bec2-53c780079a02&subId=701444.
---------------------------------------------------------------------------

ii. recommendations for a successful security incident notification approach

ITI's Policy Principles set forth ten recommendations that policy makers should incorporate to develop and implement a successful cybersecurity incident notification regime. While all of these recommendations are important, my testimony focuses on five key recommendations below. Please refer to the Policy Principles in the annex for the full set of recommendations.

a. Establish Feasible Reporting Time Lines

In our Policy Principles, we recommend that any legislation allow for reasonable reporting time lines commensurate with incident severity levels, but of no less than 72 hours. Ensuring that time lines are feasible is important for a number of reasons, including:

Allowing companies sufficient time to determine what has occurred.--Requiring an entity to report an incident on a shorter time line may be insufficient for companies to determine the nature of the issue--is it a cyber attack or is it merely a network outage? In the early hours following the discovery that something anomalous has occurred, our companies are focused on figuring out what has happened and developing a response plan. Indeed, the primary initial focus for companies should be on identifying and responding to malicious activities, rectifying the problem, and ensuring (or restoring) business continuity.
Upholding cybersecurity while a company investigates the issues.--A shorter time line for reporting may also serve to undermine cybersecurity, in that such a requirement can expose information about an incident before a patch is applied or operations are restored, making operators and their customers vulnerable to additional attacks by hackers.

Ensuring resources are leveraged appropriately and ensuring the incident is properly contextualized.--Requiring reporting on a shorter time line may also divert limited Government resources away from addressing incidents that are actually having a significant impact. If entities are required to report incidents before they have the opportunity to verify what has occurred, an agency such as CISA runs the risk of being inundated with reports that do not offer meaningful information or otherwise lack the appropriate context. It is incredibly difficult to narrow the scope on the back end when an agency is sifting through reports trying to retroactively determine what is important. Instead, the focus should be on only requiring incident reporting of severe and significant attacks that cause actual disruption or loss and that include specific parameters.

Aligning with global best practices.--A 72-hour time line also aligns with global best practices, which we believe is of great importance to facilitating interoperability of approaches. For example, the German IT Security Act and various state-level notification requirements in the United States allow for a reporting window of 72 hours.\5\ Article 33 of the EU's General Data Protection Regulation (GDPR) also states that in the case of a personal data breach, impacted companies shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority.
---------------------------------------------------------------------------
\5\ German IT Security Act 2.0 available here: https://www.bundesrat.de/SharedDocs/beratungsvorgaenge/2021/0301-0400/0324-21.html; Regarding state-level time lines, see, e.g., New York Department of Financial Services reporting requirements: https://www.crowell.com/NewsEvents/AlertsNewsletters/all/Newly-Proposed-Cyber-Reporting-Rules-for-Banking-Organizations.
---------------------------------------------------------------------------

We appreciate that as currently drafted, Subsection (d)(5) of the Act makes clear that the CISA director may not require reporting any earlier than 72 hours after an entity has confirmed that an incident has occurred. We also stress that requiring a formal report on a verified, significant incident should not preclude an impacted organization from voluntarily providing less-fulsome notifications to CISA on a more flexible time line. Indeed, should an entity want to notify CISA of an event before a formal report is finalized and submitted, it should have the ability to do so. Section (f) of the Act seems to contemplate such a layered approach, which would allow for an initial voluntary, preliminary notification to CISA, with more substantial reporting coming once the impacted organization has confirmed that an incident reached the severity metrics established in the IFR called for by the Act.

b. Maintain Appropriate Confidentiality, Nondisclosure, and Liability Protections

In ITI's Policy Principles we also stress the importance of ensuring the confidentiality of information provided in incident reports. It is imperative to have strong and transparent rules about the confidentiality of incident information that is shared with or by Federal agencies in order to cultivate trust in the process and between the private and public sectors.
Such rules should govern not only the dissemination of incident information with relevant interagency partners but should specifically preclude direct or indirect regulatory use of such information. Such rules should additionally govern how unclassified information on a specific incident is further shared with the U.S. Government, other governments, and with nongovernmental entities. These rules must be crafted to guarantee compliance with existing legal regimes, including contractual and privacy obligations. This is an area that we believe could be strengthened in the Act. Indeed, it is our view that the language surrounding how the information provided in an incident report can be used based on the Act's Subsection (e): (1) Does not provide a sufficient level of confidentiality for industry partners. The language lays out broad circumstances where information can be shared (i.e., for a ``cybersecurity purpose''), but it does not provide details as to how that information will be protected from disclosure. We believe that the Act should define clear confidentiality and privacy requirements regarding the use of such information and that it should require that any information that is further disseminated is scrubbed of all identifying information of the entity that provided it. We also make the point in our Policy Principles that it is important that policy makers ensure that there are appropriate liability protections maintained in incident reporting legislation, so that information provided in a report cannot later be used against an entity. Of course, if there are instances in which entities have engaged in unlawful misconduct, such liability protections would not apply. We also believe that security incident reporting legislation should make clear that cybersecurity incident reports shared with the U.S. Government should be exempt from FOIA requests. 
Given this recommendation, we welcome the Act's provisions in Section (f) which offer protection to entities that report or provide information under Section 106 of CISA 2015. At the same time--and this is an issue which extends beyond the specific legislation that is being considered at present--we believe that the language in CISA 2015, which is primarily limited to ``cyber threat indicators,'' may well need to be updated to include the categories of incident reporting information that are ultimately required to be included in the reports submitted to CISA under the Act. Adding such definitional clarity to CISA 2015 itself will help to ensure that entities receive liability protection for all relevant information that is shared, whether through voluntary cyber threat indicator sharing, or mandatory or voluntary incident reports provided to CISA under the Act.

c. Limit Reporting to the Impacted Entity

Another question that arises not only in the domestic conversation on incident reporting but in the global conversation as well is who is responsible for reporting an incident to the competent authority (CISA, in the case of the Act). We believe that the reporting obligation should fall only on the impacted entity, and that vendors or third-party service providers should not be required to report cybersecurity incidents to the U.S. Government that have occurred on their customers' networks. An incident reporting requirement with a broader scope would pose numerous challenges to many organizations' normal business operations, including potentially forcing vendors or third parties to disclose business confidential information of impacted customers or breach their contractual obligations.
Such a requirement, if scoped broadly to incorporate third parties and vendors, may also result in duplicative incident reports which, as mentioned previously, could inundate CISA with multiple duplicative reports that they then must sift through, diverting limited resources away from meaningfully addressing significant cybersecurity incidents.

d. Streamline Incident Reporting Requirements

There are currently several different measures that govern Federal cybersecurity incident reporting, making for a complex and often confusing landscape. Numerous Federal agencies currently have disparate incident reporting requirements, many of which are just starting to be implemented. For example, the banking sector is subject to multiple specific notification requirements (see, e.g., 12 CFR part 30, appendix B, supp. A (OCC); 12 CFR part 208, appendix D-2, supp. A, 12 CFR 211.5(l), 12 CFR part 225, appendix F, supp. A (Board); 12 CFR part 364, appendix B, supp. A (FDIC) (italics omitted); NPRM on Computer Security Incident Reporting Requirements for Banking Organizations and their Bank Service Providers) as is the defense industrial base (see 32 CFR 236.4--Mandatory cyber incident reporting procedures). There are also reporting requirements captured in FISMA (see 44 U.S.C. 3553-54 & associated Binding Operational Directive 16-03); FedRAMP Incident Communications Procedures; NERC Incident Reporting and Response Planning as required by FERC; and the US-CERT Federal Incident Notification Guidelines. Additionally, Section 2 of the President's Executive Order on Improving the Nation's Cybersecurity includes a number of provisions aimed at improving incident reporting on the part of Federal contractors. There may also be interactions with existing privacy reporting requirements or with law enforcement processes. And additionally, as alluded to above, various State laws impose data breach reporting requirements, often stemming from the same incidents.
To alleviate the confusion that is brought about by this complex incident reporting landscape, we urge Congress in our Policy Principles to harmonize existing regulatory reporting requirements to ensure that companies are more efficiently able to report incidents and are not subject to contradictory, duplicative, or otherwise confusing reporting requirements that may serve to hamper the notification process. We also recommend that reported information be aggregated, anonymized, analyzed, and shared in a manner that facilitates the mitigation and/or prevention of future cyber incidents. All that being said, we appreciate that the Act recognizes in Subsections (d)(7)(A) and (B) that covered entities may be subject to existing regulatory requirements, and that it directs the CISA director to consider those existing regulatory requirements in establishing reporting requirements for covered entities, including working with other regulatory authorities to see whether and how streamlining is feasible. While we appreciate the inclusion of this provision, the Act currently does little to actually lessen the regulatory burden. We recommend adding language that clarifies that CISA should leverage existing channels to collect incident information whenever possible, including having existing interfaces such as the FBI, SEC, and financial sector regulators provide updates based on engagement with the private sector. This could be accomplished by directing the Office of Management and Budget to issue guidance to Federal regulators and law enforcement requiring agencies to share information related to covered incidents against covered agencies with the Cyber Incident Review Office.

e. Establish Appropriate Reporting Thresholds and Limit Reporting to Verified Incidents

We appreciate that the Act attempts to establish minimum thresholds for reporting a ``covered incident'' based on a risk-based, analytical model.
We consistently encourage policy makers to take a risk-based approach to cybersecurity, and incident reporting is no exception. It is important that the threshold for requiring an incident report is sufficiently narrow and clearly delineated. Reporting requirements should include specific parameters and be mapped to objective criteria, and incident severity levels should be related to identifiable harms, such as to public health and safety, or operational disruption.\6\ However, the considerations outlined in the Act's Subsection (4)(A) introduce ambiguity that is not resolved in the minimum threshold language outlined in Subsection (4)(B). Relatedly, providing additional rigor around what constitutes a ``significant cyber incident'' would be helpful.
---------------------------------------------------------------------------
\6\ Currently, the United States approach to categorizing cyber incidents in the National Cyber Incident Response Plan defines a ``Significant Cyber Incident'' as a cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the National security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.
---------------------------------------------------------------------------

In our Policy Principles, we recommend that policy makers explore the idea of an incident categorization matrix, which can represent the severity of an incident more accurately, therefore allowing for prioritization of incidents. We believe that a similar concept would be useful to introduce here and encourage the subcommittee to include language that directs CISA, in conjunction with interagency partners, to develop such an incident categorization matrix.
A categorization matrix can be used to help determine the severity of, and potential for, actual harm posed by an incident more accurately, helping to prioritize incidents and ultimately enabling more precise reporting. Focused reporting that is limited to severe incidents that may result in actual harm reduces the burden on information security teams and frees up resources for the essential tasks of examining and remediating incidents and securing an organization's systems. Similar approaches have been proposed by CISA and have already been adopted by the United Kingdom (UK) and Australia. The United Kingdom's National Cyber Security Centre developed a Cyber Attack categorization system, with incidents broken down into six categories, ranging from a category 1 national cyber emergency to a category 6 localized incident. Along with breaking out incidents into categories, the United Kingdom's matrix includes a definition of the type of incident, information about who responds to that incident, and what activities responders should undertake.\7\ This approach helps lend additional clarity to determining the severity of an incident and allows for resources to be deployed more efficiently. Australia has developed a similar Cyber Incident Categorization Matrix, which lays out similar categories ranging from 1-6 and provides illustrative examples of the types of incidents and impacted entities that fall in a given category. This matrixed approach allows the Australian Cyber Security Centre to triage incident reports and respond appropriately based on level of impact.\8\
---------------------------------------------------------------------------
\7\ Overview of NCSC cyber categorization matrix available here: https://www.ncsc.gov.uk/news/new-cyber-attack-categorisation-system-improve-uk-response-incidents.
\8\ Matrix available at https://www.transparency.gov.au/annual-reports/australian-signals-directorate/reporting-year/2019-20-6.
---------------------------------------------------------------------------

We applaud the committee's focus on incidents that produce actual harms as established by the minimum thresholds for a ``covered cybersecurity incident'' as set forth in Subsection (4)(B). This emphasis on incidents that cause disruption of business operations, compromises of the integrity or confidentiality of data, and loss of services ensures CISA's limited resources can be effectively and efficiently leveraged. We were pleased to see that the Act focuses on such confirmed incidents, as we have observed a somewhat troubling trend in proposed incident reporting policies globally which require entities to report ``potential'' incidents or ``near misses.'' In our view, requiring the reporting of ``potential'' incidents does little to improve cybersecurity and could inadvertently create an information overload, preventing the competent authority from prioritizing actual, confirmed incidents, and undertaking appropriate action to respond, particularly when it is not clear what would constitute a ``potential'' incident. As we noted in the multi-association letter and in our Policy Principles, reporting verified or confirmed incidents that have been well-defined and scoped will help to avoid a culture of overreporting that will strain limited incident response capacity and capabilities inside and outside the Government. It will also help ensure that information received is useful and actionable.

iii. prioritizing partnership and collaboration puts cisa in the best position for success in cyber incident reporting

ITI has long advocated that public-private partnerships are essential to improving cybersecurity, and CISA and its predecessor entities at the Department of Homeland Security have been established as key partners to industry on issues such as cybersecurity threat information sharing and supply chain risk management.
These partnerships are essential to: (1) Identify potential threats; (2) understand how and to what extent risks can be managed; and (3) determine what actions should be taken to address risks without yielding unintended consequences. The Act we are discussing today acknowledges that Government and industry often have access to unique information sets; this is certainly the case in the context of a security incident, which is why sharing or reporting certain categories of information can help all relevant stakeholders see the complete picture, increasing situational awareness, and driving more effective operational collaboration in response to significant incidents. The private sector ICT community has not only been foundational in developing the infrastructure of cyber space but, for well over a decade, in providing leadership, innovation, and stewardship in all aspects of cybersecurity, including helping to develop and participating in numerous public-private partnership structures and efforts. For example, global ICT companies have long participated in sector coordinating councils (SCC), self-organized, self-governed councils that allow owners and operators of critical infrastructure to engage on a range of cybersecurity strategies, policies, and activities with CISA and other U.S. Government counterparts, and also participate in the ICT SCRM Task Force launched in 2018. I am pleased to serve as the vice chair of the ITSCC and to work closely with my counterparts in the Communications SCC, as well as CISA and other U.S. Government partners as co-chair of the ICT SCRM Task Force. We believe that if an incident reporting regime is crafted carefully, it can be a helpful tool to improve Federal agencies' situational awareness into cybersecurity incidents as well as to drive improvements in operational collaboration between CISA and industry. 
In order to realize such an effort, CISA's role as a trusted and collaborative partner to industry must be preserved, if not strengthened, as it must be able to continue to engage with relevant stakeholders, including critical infrastructure owners and operators, on not just the cybersecurity incident notification and reporting requirements contemplated here but on the array of other important and on-going cybersecurity and supply chain risk management partnership activities referenced above. This is an important moment in the history of CISA, still a relatively new agency that has had to adapt itself to meet what seems like a new set of threats and challenges every year. The legislation under consideration by this subcommittee holds the promise of not only developing an effective and efficient cybersecurity incident reporting regime, but in doing so in a way that preserves the partnership and collaborative model that this subcommittee set out when it created CISA 3 years ago. We urge the subcommittee to ultimately adopt legislation that achieves both of these goals.

conclusion

Members of the subcommittee, ITI and our member companies once again commend you for your leadership on this issue. We appreciate your approach to engaging with stakeholders to ensure the partnership model that CISA was founded on will be protected and continue to evolve as it tackles these new threats. We encourage you to keep both the partnership model and goal of improving operational collaboration in mind as you consider how to best refine the Act in order to lend additional clarity to questions around issues including minimum thresholds for incident reporting, confidentiality and liability protections, and conflicting or duplicative reporting requirements. ITI stands ready to provide the subcommittee with any additional input and assistance as it seeks to develop an approach to cybersecurity incident reporting for critical infrastructure owners and operators.
And we reiterate our request that the subcommittee consider our full set of Policy Principles, which, when taken together, will help policy makers to structure a clear, straightforward incident reporting regime that provides actionable, appropriately contextualized information. I would like to again thank the Chair, Ranking Member, and Members of the subcommittee for inviting me to testify today and for your interest in and examination of this important issue. I look forward to your questions. Thank you.

Appendix A.--ITI Policy Principles for Security Incident Reporting in the U.S.

july 2021

The SolarWinds compromise has demonstrated how the cyber threat landscape is constantly evolving, resulting in the emergence of new threats. In search of a suitable policy response, policy makers have increasingly turned to incident reporting policy regimes as a potentially appropriate tool. The proposals introduced to date often conflate multiple issues and misunderstand the goals and the applicability of security incident reporting. ITI recognizes the importance of cybersecurity incident reporting to inform actions to respond to incidents and to contain or prevent further impacts. ITI views the concepts related to security incident reporting as distinct from those of cyber threat information sharing or a data breach notification (see box for details). If a report provides sufficient technical details about the suffered incident, Federal agencies can understand the nature of the attack and take steps to mitigate the associated risk. Likewise, actionable reporting may help Government officials to prioritize incident response assistance to affected organizations, particularly while dealing with an active campaign targeting multiple organizations. This assumes that affected organizations require support and that the principles articulated below have been fully adopted. As such, if carefully crafted, incident reporting has the potential to be a helpful policy lever.
It is through this lens that we offer our recommendations on several key areas that policy makers should consider in developing an effective, efficient security incident reporting regime.

Security incident reporting is distinct from other concepts with which it is often confused: Data breach notification and cyber threat information sharing. While some incidents may blur the line between these concepts, it is important to understand the difference between these terms and what each process is meant to achieve.

Security Incident Reporting focuses on the past because it reports on the details of a cybersecurity incident that has already occurred. This could include the vector of compromise, the systems and information compromised or targeted by the attacker, and any attributes of the attacker's behavior. Reports may focus on the actual or the potential harm caused by an incident. Information conveyed in the reporting highly depends on the reporting time line, reporting purpose (and use) and segment needs.

Data Breach Notification relates specifically to the unauthorized access to or disclosure of personally identifiable information or other sensitive privacy data. In the United States, there are more than 50 State and local laws focused on data breach notification.

Cyberthreat Information Sharing focuses on the future and refers to the proactive sharing of threat information to help all entities understand threats and take steps to prevent successful cyber attacks. Threat information sharing should be voluntary and may include indicators such as anomalous network activity or methods of circumventing security controls.
develop and adopt an incident categorization matrix

Policy makers should ensure that the threshold for reporting requirements is mapped to specific objective criteria and specific incident severity levels related to identifiable harms, such as to public health and safety, or operational disruption.\1\ Reporting requirements should only focus on severe and significant attacks that cause actual disruption or loss and should include specific parameters. An incident categorization matrix \2\ can represent the severity of an incident more accurately which helps with the prioritization of incidents and ultimately supports more precise reporting. Focused reporting that is limited to severe incidents reduces the burden on information security teams and frees resources for the essential tasks of examining and remediating incidents and securing the organization's systems. Moreover, it reduces the likelihood of an informational overload for applicable authorities that would undermine their ability to prioritize responses and divert limited agency resources from critical risk mitigation activities. These considerations are also key in the context of defining the scope and object of reporting (e.g., avoiding the confusion of ``incident'' with other concepts or expanding to ``potential'' incident reporting). We recommend policy makers advance the joint understanding of the matrix and severity concept, by facilitating a consensus-driven process.
---------------------------------------------------------------------------
\1\ Currently, the U.S. approach to categorizing cyber incidents in the National Cyber Incident Response Plan defines a ``Significant Cyber Incident'' as a cyber incident that is (or group of related cyber incidents that together are) likely to result in demonstrable harm to the National security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.
\2\ Similar approaches have been proposed by CISA and are already adopted by the United Kingdom and Australia.
---------------------------------------------------------------------------

establish feasible reporting time lines commensurate with incident severity level

Any incident reporting legislation should ensure that time lines are aligned with global best practices. The required time lines should be commensurate with incident severity levels but allow for at least a 72-hour reporting window after an entity has verified the incident. Anything shorter is unnecessarily brief and injects additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to, and remediating a cyber incident. Shorter time lines also greatly increase the likelihood that the entity will report inaccurate or inadequately contextualized information that will not be helpful, potentially even undermining cybersecurity response and remediation efforts.

limit responsibility for reporting only to the compromised entity

Any legislation should ensure that the reporting obligation falls only on compromised entities. Vendors and third-party service providers should not be required to report cybersecurity incidents to the U.S. Government that have occurred on their customers' networks. Such a requirement would pose numerous challenges to normal business operations, including potentially forcing vendors or third parties to disclose business confidential information of that customer or breach their contractual obligations.

ensure confidentiality and appropriate protections around sensitive information shared with federal agencies, including against regulatory use

It is imperative to have strong and transparent rules about the confidentiality of incident information that is shared with or by Federal agencies.
Such rules should govern not only the dissemination of incident information with relevant interagency partners but should specifically preclude direct or indirect regulatory use of such information. Such rules should additionally govern how unclassified information on a specific incident is further shared with the U.S. Government, other governments, and with nongovernmental entities. These rules must be crafted to guarantee compliance with existing legal regimes, including contractual and privacy obligations. A designated centralized reporting agency should provide a secure method of communication. This could be as simple as publishing a PGP encryption key or using the Traffic Light Protocol (TLP). Trust is essential.

establish targeted liability protections and appropriate exemptions from the freedom of information act (foia)

Entities providing incident reports should receive liability protections for providing such information to Federal agencies, including engaging in activities related to monitoring or network awareness of their information systems, other than in instances where entities engage in willful misconduct. Additionally, cybersecurity incident reports shared with the U.S. Government should be exempt from FOIA requests.

harmonize federal cybersecurity incident reporting requirements

There are currently several different measures that govern Federal cybersecurity incident reporting, making for a complex and oftentimes confusing landscape.\3\ To alleviate such confusion, Congress should consider harmonizing existing regulatory reporting requirements to ensure the efficient sharing of covered cybersecurity incidents.
---------------------------------------------------------------------------
\3\ See, for example, banking sector notification requirements: 12 CFR part 30, appendix B, supp. A (OCC); 12 CFR part 208, appendix D-2, supp. A, 12 CFR 211.5(l), 12 CFR part 225, appendix F, supp. A (Board); 12 CFR part 364, appendix B, supp. A (FDIC) (italics omitted); NPRM on Computer Security Incident Reporting Requirements for Banking Organizations and their Bank Service Providers; defense industrial base mandatory reporting requirements: 32 CFR 236.4--Mandatory cyber incident reporting procedures; FISMA reporting requirements: 44 U.S.C. 3553-54 & associated Binding Operational Directive 16-03; FedRAMP Incident Communications Procedures; NERC Incident Reporting and Response Planning as required by FERC; and US-CERT Federal Incident Notification Guidelines.
---------------------------------------------------------------------------

designate a single point of contact for companies to report security incidents to within the government

Incident response and recovery resources are in short supply. To effectuate the efficient use of limited resources, the Federal Government should designate, and adequately fund, a single point of contact for all companies that need to report an incident. If existing reporting requirements have not been harmonized and sector-specific reporting requirements remain in place, impacted organizations should not be required to report an incident twice. All future legislative proposals should designate CISA as the single point of contact where no sector-specific regulator exists, and appropriate resources should be allocated for that purpose.

define an appropriate and flexible reporting template

All incident reports should follow a standardized template to ensure consistent reporting across agencies and industries. Consensus-driven processes are needed to refine the elements of such a template to ensure consistency with existing frameworks, like MITRE ATT&CK or VERIS, and international industry best practices, as well as to ensure that the template fits the needs and existing practices of a particular sector. Reporting entities can use such a template to report the most relevant information where available.
By way of example, the template may include appropriate and reasonably obtained information on: (1) The attack vector or vectors that led to the compromise; (2) the indicators of compromise; information on the affected systems, devices, or networks; (3) information relevant to the identification of the threat actor or actors involved; (4) a point of contact from the affected entity; and (5) impact, earliest known time, and duration of compromise.\4\ Entities should have the option to report additional types of information on cybersecurity incidents to help to identify emerging trends or otherwise preempt attacks. Entities should also not be penalized for or precluded from reporting an incident if all information, including the information proposed in this list, is not available.
---------------------------------------------------------------------------
\4\ This initial list is based on the following CISA documents: https://www.cisa.gov/sites/default/files/publications/Law%20Enforcement%20Cyber%20Incident%20Reporting.pdf https://www.cisa.gov/sites/default/files/publications/Non-Federal%20Entity%20Sharing%20Guidance%20under%20the%20Cybersecurity%20Information%20Sharing%20Act%20of%202015_1.pdf; other resources are available: https://us-cert.cisa.gov/sites/default/files/publications/Federal_Incident_Notification_Guidelines.pdf.
---------------------------------------------------------------------------

align reporting processes and mechanisms to ensure consistency with industry best practices and allow for bi-directional information sharing

The protocols and mechanisms of reporting an incident should be consistent with existing frameworks, recognized sectoral, international, and industry best practices. To ensure incident information is shared quickly and continuously, sections 2.f and 2.g of Executive Order 14028 direct improvements to the inter-agency sharing of incident information.
In addition to these provisions, Federal agencies also need to streamline legal agreements involving industry partners to allow for bi-directional sharing of incident information.

build agency capability to act on security incident reports

Security incident reporting will be of limited utility if the designated recipient agency does not have the capacity to ingest and act on the information it receives. A manual-intensive approach will quickly max out resources and elevate the risk that important alerts are inadvertently missed. Before a security incident reporting scheme is established, the designated recipient agency should have the capability to automate data collection so that internal data can be cross-referenced with externally available data. This will inform and improve the orchestration of incident response actions.

Ms. Clarke. We thank you for your expert testimony here today, Mr. Miller. I now recognize Mr. Mayer to summarize his statement for 5 minutes.

STATEMENT OF ROBERT MAYER, SENIOR VICE PRESIDENT, CYBERSECURITY, US TELECOM

Mr. Mayer. Good afternoon, Ranking Member Garbarino, Chairwoman Thompson, and Ranking Member Katko, and other distinguished Members of the committee, thank you for the opportunity to testify at today's hearing to express our industry support for the provisions included in the Cyber Incident Reporting for Critical Infrastructure Act of 2021. My name is Robert Mayer, and I am the senior vice president for Cybersecurity and Innovation at USTelecom, the broadband association representing broadband providers, suppliers, and innovators connecting our families, communities, and enterprises. My diverse membership ranges from large publicly-traded global communications providers, manufacturers, and technology enterprises to local companies and cooperatives, all providing advanced communication services to markets, urban and rural, and everything in between.
I also serve as the chair of the Communications Sector Coordinating Council, which represents five communication segments: Broadcast, cable, satellite, wireless, and wire line, and as co-chair of the Department of Homeland Security Information and Communications Technology Supply Chain Risk Management Task Force. In all of these roles, I have seen first-hand how the cybersecurity threats we face are real and growing. On an almost daily basis, we learn of attacks by nation-state adversaries and global criminal enterprises that disrupt or exploit access to functions that support our daily lives.

We in industry recognize the core interest of Government in enhancing the Nation's cybersecurity and the key role of Government-industry partnership in doing so, including through more robust and coordinated information sharing and incident reporting and response. We also recognize the unique resources the Government has available to aid private-sector organizations when responding to a major cybersecurity crisis. For these reasons, I am here today to express our industry support for legislation that would establish cyber incident-reporting capabilities within CISA. We believe that the following elements are critical success factors in any incident reporting regime, and we are encouraged to see that they are included in the current proposal.

First, when a cybersecurity incident occurs, impacted organizations need time to investigate the incident, determine whether reporting criteria have been met, and comply with applicable best practices. The proposed legislation provides for a reporting window that is flexible and large enough for industry to triage the incident.

Second, defining reporting thresholds is a highly technical exercise that requires extensive subject-matter expertise. The thresholds need to be specific enough to avoid ambiguity so that industry knows exactly how to comply.
The legislation under consideration directs Federal agency experts to define thresholds in consultation with industry. Moreover, to avoid undermining the system with overreporting, only confirmed cybersecurity incidents will be reported, not potential or unverified incidents. This grounds the thresholds in criteria that are verifiable, attributable, and actionable.

Third, the legislation strives to protect the Government's industry partners when they are victims of cyber attacks. By building upon liability protections afforded in the Cybersecurity Information Sharing Act of 2015, the stage is set for a strong legal and conceptual foundation for such protections.

Fourth, when the Government collects sensitive information from industry partners, it has a responsibility to protect that information. To that end, the legislation includes provisions to ensure data from incident reports is not shared inappropriately or leaked once it is provided to CISA.

Fifth, any policy requiring ISPs to report customers' incidents would be cause for concern on a number of grounds, including public policy and privacy concerns, disruptions to business relationships and operations, and possible legal issues associated with those kinds of disclosures. The reporting obligations in the proposed legislation reside with the victims of cyber attacks and not intermediaries or third parties.

In addition to the above critical success factors that are included in the bill, we are further encouraged by the following aspects of the proposed legislation. Cyber incident reporting is best enforced with subpoenas rather than fines. The legislation under consideration today wisely relies on subpoenas rather than fines as an enforcement mechanism for cybersecurity reporting. CISA should serve as a central hub for information sharing and incident reporting. This legislation appropriately directs CISA to shape and maintain this reporting and information-sharing program.
CISA is uniquely well-suited to serve as a central hub for cybersecurity information sharing and incident reporting. While CISA has a central role to play, a new reporting construct should take into account that other Federal agencies will continue to be engaged with the private sector.

Recognizing that cybersecurity is a shared responsibility across the ecosystem, we appreciate that the legislation requires the U.S. Government to take its obligations to report and share cybersecurity information seriously, just as industry takes its own obligations seriously.

USTelecom and the communications sector stand ready to work with the committee to advance this legislation and will continue to collaborate in partnership with CISA to continuously advance our Nation's cybersecurity, risk management, and response capabilities. Thank you for your leadership and for prioritizing this critical issue. I look forward to your questions.

[The prepared statement of Mr. Mayer follows:]

Prepared Statement of Robert Mayer

Wednesday, September 1, 2021

Chairwoman Clarke, Ranking Member Garbarino, Chairman Thompson, and Ranking Member Katko and other distinguished Members of the committee, thank you for the opportunity to testify at today's hearing to express our industry's support for the provisions currently included in the Cyber Incident Reporting for Critical Infrastructure Act of 2021. My name is Robert Mayer, and I am the senior vice president for cybersecurity & innovation at USTelecom--The Broadband Association, representing broadband providers, suppliers, and innovators connecting our families, communities, and enterprises.
Our diverse membership ranges from publicly-traded global communications providers, manufacturers, and technology enterprises, to local Main Street companies and heartland cooperatives--all providing advanced communications services to markets, both urban and rural, and everything in between.\1\
---------------------------------------------------------------------------
\1\ USTelecom The Broadband Association, www.ustelecom.org.
---------------------------------------------------------------------------

I also serve as the chair of the Communications Sector Coordinating Council and as co-chair of the Department of Homeland Security (DHS) Information and Communications Technology (ICT) Supply Chain Risk Management Task Force.\2\
---------------------------------------------------------------------------
\2\ Communications Sector Coordinating Council, www.comms-scc.org; ICT Supply Chain Risk Management Task Force, https://www.cisa.gov/ict-scrm-task-force.
---------------------------------------------------------------------------

In all of these roles, I've seen first-hand how the cybersecurity threats we face are real and growing. On an almost daily basis, we learn of attacks by nation-state adversaries and global criminal enterprises to disrupt or exploit access to functions that support our daily lives. Some of these attacks--such as those mounted against SolarWinds and its Government and private-sector customers, and the attack against Colonial Pipeline that had the effect of gas price spikes and gas shortages down the East Coast--target critical functions that enable the basic activities of commerce and consumers' lives. We now have actual experience with a significant disruption to critical infrastructure, highlighting the importance of securing all 16 critical infrastructure sectors including water, transportation, energy, finance, information technology, and communications.
We in industry recognize the core interest of the Government in enhancing the Nation's cybersecurity, and the key role of Government-industry partnership in doing so--including through more robust and coordinated information sharing and incident reporting and response. We also recognize the unique resources the Government has available to aid private-sector organizations when responding to a major cyber crisis. The Council to Secure the Digital Economy (CSDE), founded by USTelecom and other key industry partners, described the necessary foundations for this coordination in its 2019 Cyber Crisis Report, noting that in the midst of a cybersecurity crisis, Government and industry must be prepared to mobilize together rapidly and collaborate with relevant responders.\3\ This means building close working relationships with the companies whose diverse leadership, assets, and operational experience within the digital ecosystem provide unique value in the global fight against cyber threats.
---------------------------------------------------------------------------
\3\ Council to Secure the Digital Economy, Cyber Crisis: Foundations of Multi-Stakeholder Coordination (2019), https://securingdigitaleconomy.org/wp-content/uploads/2019/09/CSDE_CyberCrisis-Report_2019-FINAL.pdf.
---------------------------------------------------------------------------

We've seen this partnership work, perhaps most significantly in recent years in the context of the COVID-19 pandemic's unprecedented demands on IT and communications systems to keep us connected, learning, and working, just as threat actors used our increased reliance on connected technology to find new avenues to exploit.
Throughout the pandemic, the Communications Sector has worked hand-in-hand with DHS's Cybersecurity and Infrastructure Security Agency (CISA), the National Telecommunications and Information Administration (NTIA), the Federal Communications Commission (FCC), and other Government agencies to allocate and deliver resources, establish access for critical workers, maintain services, and address threats. This collaboration was not a response to top-down regulatory directives, but rather an operationalization of trusted partnerships cultivated over decades between Government and industry and across diverse members of the ICT sector. It worked--together, we kept the Nation connected through the pandemic, and this successful experience in communications security and reliability is a model to follow in the years ahead.

We have also seen the benefit of this engagement in the DHS ICT Supply Chain Risk Management Task Force over the past 2 years. When I last had an opportunity to testify before this committee, the Chair and Ranking Member expressed interest in addressing the essential segment of small and medium-sized businesses (SMBs). The IT and Communications Sectors have similarly recognized the unique set of challenges SMBs face and that these challenges constitute a National security imperative as U.S. critical infrastructure relies on the defensive posture of these individual, yet highly-connected organizations. This year, USTelecom produced a survey examining these challenges and found that critical infrastructure SMBs are distinctly vulnerable to breaches that can take longer to detect and from which to recover.\4\ As we enter the Task Force's third year, we plan to continue focus on the critical element of SMBs and how we can further leverage cross-sector and Government-industry partnership to provide greater support.
---------------------------------------------------------------------------
\4\ USTelecom, USTelecom 2021 Cybersecurity Survey: Critical Infrastructure Small & Medium-Sized Businesses, at 6, www.ustelecom.org/cybersurvey.
---------------------------------------------------------------------------

For these reasons, I am here today to express our industry's support for the committee's efforts to facilitate establishing cyber incident reporting and analysis capabilities within CISA rooted in the foundational information-sharing framework of the 2015 Cybersecurity Information Sharing Act. In the context of this hearing, we see the Cyber Incident Reporting for Critical Infrastructure Act of 2021 as another foundational building block in the growing whole-of-Nation collaboration across industry and Government. To support our collective interest in leveraging trusted partnerships to enhance cybersecurity, information sharing and incident reporting must be done effectively and efficiently. With this in mind, we believe that the following elements are critical success factors in any incident reporting regime, and we are encouraged that many of these are included in the current legislation proposed by Chairwoman Clarke and Ranking Member Katko:

1. The reporting window should be large enough for industry to triage the incident.--When a cyber incident occurs, impacted organizations need time to investigate the incident, determine whether reporting criteria have been met, and comply with applicable best practices. The committee should consider giving CISA discretion to establish reporting windows within reasonable parameters and with appropriate flexibility afforded to meet the unique needs of a given situation. If the mandatory reporting window is too short, CISA will likely receive an overwhelming quantity of ``false alarm'' reports that do not merit reporting, which could strain Government resources and undermine the value of the reporting program.

2. Thresholds for incidents that merit reporting should be clearly defined by subject-matter experts, and only confirmed incidents should be reported.--Defining reporting thresholds is a highly technical exercise that requires extensive subject-matter expertise. The thresholds need to be specific enough to avoid ambiguity, so that industry knows exactly how to comply. Given these complexities, the committee should consider directing Federal agency experts to define thresholds in consultation with industry, rather than attempting to include thresholds in legislation itself. Moreover, to avoid undermining the system with over-reporting, only confirmed cyber incidents should be reported--not potential or unverified incidents. The thresholds must be grounded in criteria that are verifiable, attributable, and actionable.

3. Legislation should protect the Government's industry partners when they are victims of cyber attacks.--There are numerous operational benefits to affording protection to entities that report cyber incidents. The Cybersecurity Information Sharing Act of 2015 provides a strong legal and conceptual foundation for such protections, but the committee should also consider ways it and CISA can leverage consultation with stakeholders to refine these protections in the incident reporting context. Different organizations may provide unique insights into how incident reporting affects them legally and operationally.

4. The Government must safeguard the sensitive information it collects.--When the Government collects sensitive information from industry partners, it has a responsibility to protect that information. To that end, the committee should consider provisions to ensure data from incident reports is not shared inappropriately or leaked once it is provided to CISA. We must ensure that the victim names reported to CISA are not shared outside the agency. This is essential to ensuring the information is safeguarded appropriately and not misused.

5. Reporting obligations should reside with the victims of cyber attacks and not intermediaries or third parties.--Any policy requiring Internet Service Providers (ISPs) to report customers' incidents would be cause for concern on a number of grounds, including public policy and privacy concerns, disruptions to business relationships and operations, and possible legal issues associated with those kinds of disclosures.

In addition to the above critical success factors that are included in the bill, we are further encouraged by the following aspects of the proposed legislation:

Cyber incident reporting is best enforced with subpoenas rather than fines. The legislation under consideration today wisely relies on subpoenas rather than fines as an enforcement mechanism for cybersecurity reporting. Where fines are inherently punitive--and may in some cases actually punish entities that aim to report cyber incidents in good faith--subpoenas enable the Government access to the information it seeks and also inform industry more specifically about the Government's interests and priorities. This will enable the overall information-sharing regime to improve with the benefit of experience over time.

CISA should serve as a hub for information sharing and incident reporting, but must work with its partner agencies. This legislation also directs CISA to shape and maintain this reporting and information-sharing program. Since the agency's statutory establishment in 2018, CISA is well-suited to serve as a hub for cybersecurity information sharing and incident reporting. CISA's expertise and on-going relationships will enable it to build an effective information-sharing framework that will be nimble enough to keep pace with cybersecurity innovation over time. However, any new mandatory reporting requirements should not overlook the extensive collaboration that industry currently has with the broader Federal Government.
While CISA has a critical role to play and can serve as a central location for reporting, other Federal agencies will continue to be engaged with the private sector. Indeed, consistent with the Federal Government's recommendation, many companies will contact law enforcement if they have a cyber incident. If a company has a significant intrusion, its first reaction may be to reach out to the FBI, for example, who could take any appropriate criminal action (e.g., seize back some of the ransom payment). Policy makers should ensure that a new reporting construct takes into consideration this dynamic and does not inadvertently punish a private entity for heeding the Government's advice and/or put the entity in the middle of two competing Government agencies in the wake of an attack.

Information-sharing obligations should be reciprocal between Government and industry partners. We also appreciate that the proposed legislation places expectations on Government stakeholders to report cyber incidents and share cybersecurity risk information. Recognizing that cybersecurity is a shared responsibility across the ecosystem, we appreciate that the legislation would require the U.S. Government to take its obligations to report and share cybersecurity information seriously, just as industry takes its own obligations seriously.

USTelecom--The Broadband Association and the Communications Sector stand ready to work with the committee to advance this legislation and will continue to collaborate in partnership with CISA to continuously advance our Nation's cybersecurity risk management and response capabilities. Thank you for your leadership and for prioritizing this critical issue. I look forward to your questions.

Ms. Clarke. We thank you for your expert testimony here today, Mr. Mayer. I now recognize Ms. Denbow to summarize her statement for 5 minutes.

STATEMENT OF KIMBERLY DENBOW, MANAGING DIRECTOR, SECURITY AND OPERATIONS, AMERICAN GAS ASSOCIATION

Ms. Denbow. Thank you.
Thank you, Chairwoman Clarke, Ranking Member Garbarino, and Members of the subcommittee. I am Kimberly Denbow, managing director of security and operation of the American Gas Association, AGA. I have led AGA's Security Policy and Technical Program for nearly two decades. I am a former member--voting member--former voting member of the TSA Surface Transportation Security Advisory Committee and co-chaired the Cybersecurity Subcommittee. I presently co-chair the Cybersecurity Working Group for both the Oil and Natural Gas Sector Coordinating Council and the Pipeline Sector Coordinating Council. Thank you for inviting me to share my perspective on the Cybersecurity Incident Reporting for Critical Infrastructure Act of 2021 and sharing AGA's general approach to cybersecurity.

AGA represents more than 200 local energy companies that deliver clean and affordable natural gas to 95 percent of natural gas customers in the United States. AGA supports the provisions necessary for a workable incident reporting framework, as laid out in the Cyber Incident Reporting for Critical Infrastructure Act of 2021. These provisions include report timing of 72 hours after confirmation of the incident, clarity provided around supplemental reporting, harmonization of new reporting rules with preexisting reporting requirements, leveraging the information sharing and analysis centers, and operator liability, information, and regulatory protections. Properly framed cybersecurity incident reporting can help counter adversaries and minimize impact. With slight alterations, particularly regarding private-sector involvement, this bill can be even stronger.
Suggested improvements include specified outreach to sector coordinating councils in development of the interim final rule; ensure flexibility and regular updates to the list of covered entities; ensure CISA has the staffing and sector-specific expertise necessary to coordinate and communicate with operators; and limit CISA director discretion to ensure any disclosure of reported information is nonattributional.

Cybersecurity management is an endless evolution. For nearly two decades, AGA operators worked within a structured oversight model, conceived by TSA, our pipeline security authority. This unconventional and nonregulatory model achieved something the traditional stick-and-carrot approach could not: Constructive information exchange at a level of confidence and cooperation not typically available to regulators. TSA Surface Transportation has always done more with less and on a shoestring budget. For instance, to develop the TSA pipeline security guideline, the mechanism that underpins pipeline security and has advanced pipeline security by orders of magnitude, TSA collaborated with pipeline operators, CISA, and other entities. The quality output from TSA has been the result of the dedication of TSA staff in partnership with pipeline operators toward a shared common goal: Pipeline security.

That said, when done right, regulations can be beneficial. For example, through the collaboration of nearly 70 organizations, including TSA, CISA, trade associations, and pipeline operators, the consensus-based standard API 1164 Version 3 Pipeline Control Systems Cybersecurity was developed as a tool to help operators manage cyber risks and control system environments and at critical connection points along the supply chain. As TSA transitions from the structured oversight model to more traditional regulation, API 1164 Version 3 will be the most efficient way to put effective pipeline cyber regulations in place.
In a similar manner, this cyber incident reporting legislation has the potential to advance constructive reporting requirements. The key to meeting this potential lies with CISA and its commitment to the partnership. The AGA board of directors supports an industry-wide cybersecurity commitment and recently agreed to support reasonable cybersecurity regulations. While there is no single cybersecurity solution for absolute system protection, vigilance, technological capability, and leadership commitment will continue to keep America's natural gas delivery system safe, secure, and reliable. Thank you for the opportunity to testify. I look forward to the exchange of ideas.

[The prepared statement of Ms. Denbow follows:]

Prepared Statement of Kimberly Denbow

September 1, 2021

Chairwoman Clarke, Ranking Member Garbarino, and Members of the subcommittee, I am Kimberly Denbow, managing director of security & operations, of the American Gas Association (AGA). I have led AGA's security policy and technical program for nearly 2 decades. Also relevant to this hearing, I am a former voting member of the Transportation Security Administration (TSA) Surface Transportation Security Advisory Committee for which I helped stand up and co-chaired the Cybersecurity Subcommittee. I also helped stand up and presently co-chair the Cybersecurity Working Group for both the Oil & Natural Gas Sector Coordinating Council and the Pipeline Sector Coordinating Council. Thank you for inviting me to share my perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021 and AGA's general approach to cybersecurity.

Founded in 1918, AGA represents more than 200 local energy companies that deliver clean and affordable natural gas throughout the United States. There are more than 76 million residential, commercial, and industrial natural gas customers in the United States, of which 95 percent--more than 72 million customers--receive their gas from AGA member utilities.
Natural gas is a necessary fuel for a clean and secure energy future, providing benefits for the economy, our environment, and our energy security. Alongside the economic and environmental benefits and opportunities natural gas offers our country comes the great responsibility to protect our distribution pipeline system network from cyber compromise. Technological advances over the last 30 years have made natural gas utilities more cost-effective, safer, and better able to serve our customers via web-based programs and tools. Unfortunately, the opportunity cost of a more connected and more efficient industry is that we have grown to be an attractive target for increasingly sophisticated cyber criminals and terrorists. The cyber threat landscape is evolving at an alarming rate comparable to biological virus mutations. This said, America's investor-owned natural gas utilities are meeting the threat daily via skilled personnel, robust cybersecurity system protections, an industry commitment to security, and a successful on-going cybersecurity partnership with the Federal Government.

Safety and security are core values for America's natural gas utilities. AGA and its member companies are committed to investing in leading security technologies, utilizing best practices and training, and promoting an industry-wide vigilant security culture to help fortify our security defenses.

cyber incident reporting for critical infrastructure act of 2021

Effective cybersecurity incident reporting is essential to dampening wide-spread cybersecurity compromise. AGA supports the Cyber Incident Reporting for Critical Infrastructure Act of 2021, which establishes the criteria AGA members argue is necessary for a workable incident reporting framework.
A few provisions of particular interest and which have industry's support include report timing, supplemental reporting clarity, recognition of existing reporting requirements, Information Sharing & Analysis Centers (ISACs), and liability protections. Additional details are outlined below:

Incident Report Timing.--Providing covered entities 72 hours after confirmation to report on cybersecurity incidents appropriately recognizes that owners/operators need a reasonable amount of time to not just identify but also to verify the validity of a cybersecurity incident before reporting. This minimizes the reporting of non-credible incidents, which can be excessive and resource-intensive with negligible value-add.

Supplemental Reporting.--The latest draft of this legislation helpfully clarifies what qualifies as supplemental reporting and offers the Department of Homeland Security (DHS) Cybersecurity & Infrastructure Security Agency (CISA) director (and covered entities) the useful option of a flexible reporting time line so as not to specifically ``prioritize incident response efforts over compliance.'' This synchronizes the efforts of CISA with the operator, ensures incident investigation is prioritized, and eliminates unnecessary supplemental information submission.

Information Sharing and Analysis Organizations.--We appreciate the latest draft bill's increased reliance on industry Information Sharing & Analysis Centers (ISACs) for Government-private-sector outreach as well as incident reporting. Permitting owners/operators to leverage existing mechanisms through third parties, such as AGA's Downstream Natural Gas ISAC, strengthens the function of these entities to the benefit of all stakeholders, since such organizations have sector-specific threat analysts who can provide additional perspectives to CISA.

Harmonizing Reporting Requirements.--AGA's member natural gas utilities are among the most regulated in the country at the State, Federal, and local level.
Complicating matters, well over 50 percent of AGA members are combination natural gas- electric utilities with separate electric sector requirements. As such, we appreciate efforts to reduce potential conflicting mandates by harmonizing the cyber incident reporting requirements with preexisting cyber reporting requirements. Industry Legal Protections.--We appreciate the inclusion of reasonable information disclosure rules, liability protections for reporting entities (familiar to industry as they mirror those in the Cybersecurity Act of 2015), and regulatory protections in the legislation. Without these provisions, it would be hard to imagine the sort-of streamlined and trusted public-private incident reporting partnership this legislation contemplates. While the draft legislation sets a strong foundation for moving forward, there are a few policy areas where we recommend some expansion and/or clarification. Not surprisingly, most of our suggestions surround additional private-sector involvement in the overall process, per below: Rulemaking Detail [SEC .2220A(d)(1) In General].--This section outlines the incident reporting rule making process. While we appreciate that ``appropriate stakeholders'' will be able to comment on the interim final rule, we strongly recommend greater specific outreach to critical infrastructure organizations (Sector Coordinating Councils, ISACs, individual covered entities, industry organizations, etc.) in developing the rule. Private-sector engagement from the beginning will ensure the rule will be reasonable, credible, and based on vital critical infrastructure experience and operational capabilities. Who are the Covered Entities? [SEC .2220A(d)(2) Covered Entities].--The list of covered entities should be flexible and updated regularly (or as necessary) as companies change operations. DHS should be able to accommodate such changes. 
To help determine covered entities, we recommend: (1) Consulting with the private sector, (2) utilizing preexisting Government lists that identify critical facilities, (3) a periodic review and update of covered entities, and (4) a process that allows critical infrastructure entities to appeal their inclusion on the list. Ensuring CISA has the Tools it Needs. [SEC .2220A(d)(6) Responsibilities of Covered Entities].--This subsection focuses on industry's coordination with CISA personnel. This coordination will only be effective and efficient if CISA has the staffing and sector-specific cybersecurity expertise necessary to communicate with private companies in vastly different business sectors. As such, we recommend adding language to ensure that ``CISA will coordinate with SRMAs'' (or similar). Director Authority [SEC .2220A(e)(1) Authorized Activities].--This subsection lists the exceptions under which the director may disclose information provided to the Office. The discretion allotted the director in the first two exceptions (A and B) are overly broad, which could lead to literally ANY ``cybersecurity purpose'' as a reason to disclose sensitive company information. AGA recommends adding clarifying language to each exception (A) and (B) specifying ``to circumvent national security or national economic harm.'' Cybersecurity incident reporting, framed properly, can be the difference between pivoting against our adversaries in an effective manner and minimizing impact, or fumbling to our adversaries' advantage. Cyber Incident Reporting for Critical Infrastructure Act of 2021 provides the structure while also delivering agility. With slight alterations, it can be even stronger. natural gas utility cybersecurity management: an endless evolution America's natural gas delivery system is the safest, most reliable energy delivery system in the world. 
This said, industry operators recognize there are inherent cyber vulnerabilities with employing web- based applications for industrial control and business operating systems. Gas utilities employ multiple mechanisms to support a robust cybersecurity program, including participating in an array of Government and industry cybersecurity initiatives. The most important resource is the existing cybersecurity partnership between the Federal Government and industry operators. This partnership fosters the exchange of vital cybersecurity information which helps stakeholders adapt quickly to dynamic cybersecurity risks. That partnership should continue to be supported by Congress. the immeasurable value of authentic partnership For nearly two decades, AGA favored effective partnership above cybersecurity regulations, which we felt served as a ceiling that stifled robust cybersecurity management. We valued the structured oversight model conceived by TSA, our Federal regulator for pipeline security. Though the model was unconventional by Federal Government standards, it achieved something the traditional ``stick-and-carrot'' approach could not--constructive information exchange and at a level of confidence and cooperation not typically available to regulators. The TSA ``Pipeline Security Guidelines''\1\ (Guidelines) coupled with the trust fostered between industry and Government advanced pipeline security by orders of magnitude over the years. Whereas regulations serve as a ceiling to which operators rise but are not incentivized to exceed, Guidelines serve as the floor upon which an operator's program may be built and continuously improved based on the operator's system- specific risks and applicable counter measures. --------------------------------------------------------------------------- \1\ https://www.tsa.gov/sites/default/files/ pipeline_security_guidelines.pdf. 
--------------------------------------------------------------------------- a shared common goal Some have suggested cyber compromise in the pipeline industry is a direct consequence of the structured oversight model. TSA has been criticized for not doing more prior to the recent issuance of the pipeline security directives. For the record, TSA Surface Transportation did more with less and on a shoestring budget. The TSA Pipeline Group has been the epitome of innovation--leveraging the infrastructure subject-matter expertise of pipeline operators, partnering with CISA and Idaho National Labs for in-house industrial control system cybersecurity knowledge, and collaborating with the Department of Transportation's Pipeline and Hazardous Materials Safety Administration (PHMSA) on cybersecurity reviews of control centers. AGA helped champion the CISA/TSA Pipeline Cybersecurity Initiative \2\ and promoted effortlessly the Pipeline Validated Architectural Design Reviews.\3\ The quality output has been the result of the dedication of TSA and CISA staff, in partnership with pipeline operators, toward a shared common goal--pipeline security. --------------------------------------------------------------------------- \2\ https://www.cisa.gov/pipeline-cybersecurity-initiative. \3\ https://us-cert.cisa.gov/resources/ ncats#Validated%20Architecture%20Design%20Review- %20(VADR). --------------------------------------------------------------------------- driving change Over the past few years, more than 70 organizations, including TSA, CISA, PHMSA, the Department of Energy (DOE), Federal Energy Regulatory Commission, National Institute of Standards & Technology (NIST), trade associations, and numerous pipeline operators, worked on revising a standard managed by the American Petroleum Institute (API) for control system cybersecurity. 
The revision was designed to align with existing cybersecurity guidelines, the NIST Cyber Security Framework,\4\ and prominent industry cyber standards. This recently-updated consensus- based standard, API 1164 version 3, ``Pipeline Control Systems Cybersecurity''\5\ (API 1164 version 3), helps the operator manage cyber risks associated with control system cybersecurity environments by providing requirements and guidance for proper isolation of control system environments from non-control system environments. It also addresses enhanced protections at critical connection points along the supply chain. --------------------------------------------------------------------------- \4\ https://www.nist.gov/cyberframework. \5\ API Standard 1164, 3d edition. --------------------------------------------------------------------------- Walking the Talk The AGA Board of Directors continues to be forward-leaning on multiple fronts--with security at the forefront. Actions and activities include: Creation of the Downstream Natural Gas ISAC, which facilitates the sharing of threat information within the natural gas industry and across sectors by providing analysis, coordination, and summarization of threat indicators and other relevant information to its members--a community of nearly 100 percent of our Nation's natural gas utilities and transmission companies; Membership-wide adoption of the AGA Commitment to Cyber and Physical Security \6\ to demonstrate dedication to ensuring the natural gas pipeline infrastructure remains resilient to the growing and dynamic cyber and physical security threats; and --------------------------------------------------------------------------- \6\ https://www.aga.org/sites/default/files/sites/default/files/ media/commitment_to_cy- ber_and_physical_security_sep2016.pdf. 
--------------------------------------------------------------------------- Development of a three-point Cybersecurity Action Plan which encompasses enhancing cyber standards for gas utility operations, collaborating with CISA for the enhancement of a cybersecurity verification tool, and developing an operator accountability mechanism. The roadmap includes the progression from guidelines to regulations. Recently, the AGA Board passed a resolution in support of reasonable cybersecurity regulations. Such regulations would be characterized by four critical components: 1. a risk-based methodology, 2. a framework organized by the functions Identify, Protect, Detect, Respond, and Recover, 3. operator flexibility to pivot to a constantly-evolving cyber threat landscape, and 4. alignment with natural gas industry cybersecurity guidelines and standards for operational technology. These four critical components are satisfied by API 1164 version 3. An Effective & Timely Transition As TSA, in collaboration with CISA, transitions from issuing pipeline security directives to issuing cybersecurity regulations, the Federal Government is encouraged to leverage API 1164 version 3 which reflects practical, attainable, sustainable, and measurable state-of- the-art cybersecurity protections tailored specifically to pipeline operations. Given the imminent threat that prompted issuance of the pipeline security directives, incorporating this standard by reference will be the Federal Government's most efficient way to put effective pipeline cyber regulations in place. A Commitment to America--A Commitment to the Communities We Serve America's natural gas utilities are cognizant of enduring cyber threats and the continued need for vigilance through cybersecurity protection, detection, and mitigation mechanisms. There is no single solution for absolute system protection. 
Through a combination of cybersecurity processes and timely and credible information sharing amongst the Government intelligence community and industry operators, America's natural gas delivery system remains protected, safe, and reliable, and will remain so well into the future.

Ms. Clarke. Ms. Denbow, I want to thank you for your expert testimony here today. I thank all of our witnesses for testifying. I will remind the subcommittee that we will each have 5 minutes to question the panel. I will now recognize myself for questions.

This first question is to all of our witnesses today. For the past several months, I have worked with stakeholders to craft legislation that, No. 1, gives CISA the visibility it needs to be a more effective partner to the private sector; and, No. 2, informs our understanding of cyber threats in a way that supports long-term systemic improvement to the cybersecurity ecosystem. Many of the questions about how to do this effectively are questions of scope, defining what information CISA needs to be bringing in and setting clear expectations about what CISA needs to be putting out. What specific information does CISA need about a cyber incident in order to detect cyber campaigns early and help other owners and operators defend themselves? Is this the same information CISA needs in order to understand threats over time and help owners and operators buy down the risks?

Mr. Bushar. So I can start, Chairwoman, answering that question.

Ms. Clarke. Thank you.

Mr. Bushar. So I believe, you know, generally speaking, that CISA will require what we often term technical indicators of compromise, or IOCs, as part of any analysis function and collection effort on their behalf.
So what we often recommend is the ability for the victims and the covered entities to be able to provide technical indicators of compromise, which can include things such as IP addresses, domain names, tools, pieces of malware software that are being used in the attack, along with techniques, not necessarily software, but behavioral-based techniques that the victims are observing the attackers taking, such as phishing, lures, or email, and things of that nature. That sort of information, when correlated across sectors or across industries or even within several organizations, can often increase the rapidity and accuracy of attribution of threat actors.

The additional context that CISA may require related to strategic analysis would have to do with things such as targeting. What I mean by that, that would be information more related to what sort of data or information systems appear to be targeted by the threat actor, what data was confirmed to be taken out of the environment, if that is known, what sort of people or personas attempted to be compromised during the attack, whether that is, you know, positioned--executive positions in the organization, other sorts of key leadership inside the organization. Those can all be useful information--points of information for analysis of threat actor intent and where they would likely see similar sorts of attacks and behavior emerging again across sectors or within sectors. So those two broad categories of information we feel are valuable to CISA to collect and understand, again, in a nonattributional way, wherever possible, or at least in an anonymized way for each victim.

Ms. Clarke. So, if the other panelists agree with Mr. Bushar, let me ask what information and intelligence do your industries need from CISA in order to defend against threats today and in the future? What makes information actionable for your purposes?

Mr. Bushar. Yes, that is a great question, Chairwoman.
It is very similar to the answer in the direction of CISA, and frankly. So, when the Government has access to that sort of indicator information, again, in a nonvictim attribution model, we in the private sector can often make use of that information in similar ways by correlating information, by comparing that information to what we are seeing across our customer set, and to deconflict or to understand where these threat actors may be operating that we don't have perfect visibility. It is really completing, you know, that fuller picture for everyone in the community to understand where threat actors are acting and how they are behaving and how to catch them as well. So that data is extremely valuable to commercial companies to put into detection tools, to software, to drive more rapid again detection and, ideally, prevention, right?

So the ultimate goal in feeding information back from the Government to the private sector would be to inoculate. To use kind-of a comparison, it would be an inoculation. So we saw the first victim. We understand what happened there. Now, I can take that vaccine of information and apply it to all my other clients. Now if that same threat actor tries to use that exact same capability against other victims, it won't work; they are protected.

Ms. Clarke. Thank you, Mr. Bushar. My time has elapsed. I now recognize the Ranking Member of the subcommittee, the gentleman from New York, Mr. Garbarino, for his questions at this time.

Mr. Garbarino. Thank you, Chairwoman. Actually, I want to follow up--I wasn't aware I was going to start, but I wanted to follow up on what you were just talking about with what should be reported. My question to witnesses is, on a covered incident--and we have different groups on here, telecom and banks and energy--it shouldn't be a one-size-fits-all approach, right? How do we determine--is this something we set out legislatively in the actual text, or are we going to have to do this in rule making?
Or how do we make sure it is done right in the rule making? Ms. Denbow, I will start with you. I saw you raise your hand real quick.

Ms. Denbow. Thank you. This is something that is very near and dear to my heart. I believe that the quickest way to get to an effective solution is, again, to consult with the Sector Management Risk Agencies and the Sector Coordinating Councils. That is where you are able to bring together the communities that have the subject-matter expertise in the various critical infrastructure sectors already there. So you already have that learning curve taken care of, and you are diving right into the middle of the pool, so to speak.

Mr. Garbarino. Mr. Mayer, you wanted to add onto that?

Mr. Mayer. Yes, I do. Thank you. So I think definitely it is not about putting legislative language in that becomes very prescriptive in terms of how to characterize an incident because incidents are evolving, and we need the flexibility to take in the information, relevant information associated with different attacks. One of the things that, I think, speaks relative to legislation is you have already identified some considerations that would be considered. So, for example, how sophisticated is the attack? Is this a novel attack, something, though, we haven't seen before? Who is going to be affected by the attack? What is the potential impacts of cascading effects? Does it impact industrial control systems, SCADAs, different systems? How does that work? I think that we can work within those parameters.

As I fully anticipate, we will have an opportunity to engage CISA in the interim rules and then the final rules, is to bring subject-matter experts--sector-specific subject-matter experts, because what works, involves our networks and our systems is different than what Kimberly's systems look like or what the banking systems look like.
We really need--and this is something where I think industry makes a very significant contribution, is we bring subject-matter experts to the discussion to the partnership with CISA. These are front-line workers, so there are some limitations in terms of how much we can demand from them, but we really can't go forward in making these kind of decisions around how to define a covered incident without that kind of industry-specific input.

Mr. Garbarino. I actually appreciate that both of your answers because I think it is great idea, Ms. Denbow, that we deal specifically with the 16 different critical infrastructure subgroups there are now. I think DHS should--maybe there is something we can put in that maybe they set up different requirements for different ones, but they deal specifically with those agencies. I think that is a great idea.

Another question I have is about the quarterly reporting. Mr. Mayer, you just talked about how these things happen very quickly. Is CISA releasing a report every quarter? Is that good enough? I mean, and the reason why is 3 months later it might not mean anything anymore? I mean, things move very quickly.

Mr. Mayer. Yes, so I tell you, I credit CISA--they are not going to wait 3 months. The 3 months, as I understand it, in the context of the legislation is designed to encapsulate what they learned, aggregate the information, and anonymize it, and push it out. CISA has been incredibly responsive and timely in pushing out information about threats. We send them information on all types of malware, on ransomware. In some instances, they have affiliated with NSA in pushing out information, affiliated with the FBI. They are not sitting on the information. Then we engage with CISA I would say pretty much on a daily basis when it comes to receiving alerts and what--you know, sharing what we have discovered in our systems, what they are observing either on the Federal agency. So the dialog is already taking place.
I think the benefit of this is there is going to be a virtual cycle because, as these incidents evolve, there are going to be new TTPs, new tactics and techniques and procedures that are going to require different ways of responding to them. CISA is going to have the benefit of more data and information, and they are going take those lessons learned, I believe, and deliver them in an un-Classified way to the critical infrastructure sector. So I think it is a balance, and I think it is accretive in terms of its value.

Mr. Garbarino. Right, Ms. Denbow, did you just want to add something real quick? I saw you raise your hand.

Ms. Denbow. I actually--thank you. I actually do. With respect to working with CISA and our various sector risk-management agencies and their intel groups, it is very important that the intelligence community comes together with the operators to be able to determine what is worse, downgrading from this Top Secret level to that next level so that they are not spending time trying to reclassify something that really is of no use to the operator. For example, we are still waiting on a threat briefing in response to the issuance of the secured--pipeline security directive. The challenge there--and it is not on the staff at TSA or CISA because they are doing the best that they can--is trying to downgrade that information to a level that is valuable to the operators. What would be great if we could get subject-matter experts from the field sitting in with CISA and TSA to say, ``You know what, that is what needs to be downgraded; not that. That wastes your time. That wastes our time. Just give us this.''

Mr. Garbarino. I appreciate that. I am out of time, but I appreciate those answers. Thank you. I yield back, Madam Chairwoman.

Ms. Clarke. Thank you, Ranking Member. I now recognize the Chairman of the full committee, the gentleman from Mississippi, Mr. Thompson, for his questions at this time.

Mr. Thompson. Thank you very much, Madam Chair.
I apologize for being a little late. I was on a call with the FEMA administrator. We are managing Hurricane Ida down in my State right now. As you have indicated, I have a statement for the record. I am glad to hear from the witnesses their interest in your legislation. One of the things we are trying to do is to get it right. Stakeholder engagement is absolutely important. As you know, this might be our 2.0 initiative, because we tried a similar effort in our Cyber Act of 2015 to incentivize volunteer public, private information sharing and, unfortunately, no one has gotten out of what they bargained for.

So what I would like to get from our witnesses, starting with Mr. Bushar, is, how do you--how can we make sure this cyber incident reporting legislation is crafted in a way that brings real security value so we aren't having the same conversation 6 years from now?

Mr. Bushar. Yes, sir. Thank you for that question. I think it goes to what I--what I stated in my opening statement, as well as some of the other witnesses here today, there has to be some flexibility in the rule-making process. I think what we have learned in the interceding 6 years between the legislation being drafted in 2015 and today is, you know, there is certainly some limitations to voluntary regimes. Let's be honest, right? I think you are only going to get so much, you know, cooperation there. I think it has been tremendous, but maybe there are certain groups or certain, you know, commercial entities that just aren't incentivized to share that data today.
The other factor I believe that comes into play, is really important in terms of getting this legislation correct, is the flexibility in the process because, as we stated, the threats change and rapidly evolve, and that is not only on the capabilities of the adversaries we are dealing with; it is also the technology and the underlying capabilities of the companies using IT infrastructure and the way that that becomes more critical to their operations and business over time. So we have to be able to adjust what is important from an information collection and sharing regime over time. There has to be an ability for, you know, regulated but also cohesiveness in the way that information is collected and used.

As I stated in my testimony, I think that two-ways communication information sharing has to be effective, timely, and relevant to the sector partners participating as well. Whether it is mandatory or voluntary, I think the more collaboration that occurs over time will strengthen that information sharing and collaboration environment in such a way that you will be much better positioned to defend our critical infrastructure over time.

Mr. Thompson. All right. Ms. Hogsett.

Ms. Hogsett. Mr. Chairman----

Mr. Thompson. Thank you.

Ms. Hogsett [continuing]. May I--may I add to that?

Mr. Thompson. Yes, please.

Ms. Hogsett. Thank you. That is a really important question that you asked, and so I want to just focus on two things. I think, first, this is why the scope, as you have put it in the bill, is so important to get right. If you are seeking to sort-of boil the ocean and get information on a lot of things out there, you are going to wind up with a situation where CISA is deluged with information that is not helpful to them, it is not useful, and they also get bogged down with information that isn't really the actual threat and the highest risks that we want them and everyone else to focus on.
So I think through the rule-making process, that will allow the opportunity for engagement with sector-specific--excuse me--sector risk management agencies, our Sector Coordinating Councils, to talk about those risks that we all believe from our vantage point are important.

So beyond the scope, I think also, then again, you know, setting up a process where there is a regular feedback loop so CISA is also regularly getting feedback from owners and operators of critical infrastructure about what they are finding valuable. I think if we can--that has often been missing. So if we can kind-of close that so that CISA then also has real-time, you know, valuable information for them to help improve their operations, those would be, I think, a couple of key pieces. It is set up, the way the bill is drafted, to allow for that. But I think your role, of course, helping oversee that as it is implemented would also be a critical thing that we would highlight.

Mr. Thompson. Thank you. Would any other witness like to comment?

Mr. Mayer. Real quickly, if I may, you know, there is a concept that Tony Sager, who led a big team at NSA, talks about, which is the fog of more. When you are in a situation like this and where you are in triage mode, what you don't want to do is you don't want to put so much information out there to CISA that you are putting information that is extraneous, that is noise, that is not focused. So you want some time, and that is why we think the 72 hours from a confirmed event is an important period of time to put in place, and the flexibility to engage in conversations after that.

I think what you are setting up, Chairman, is what I consider to be a virtuous cycle, where--you talk about 6 years down the road. We know that the attacks are going to be probably very different than they are right now. We are going to have different types of networks, more software.
We are going to be certainly in AI--in a world of AI, where systems are working with very complex algorithms. What we need to do is we need to build information up so that we can look at the attacks; they actually become an opportunity for us to understand what our adversaries are doing to see where we are failing, to see what is working, and build that into--going forward--into the kinds of expectations we will have for refining the reporting, refining the information that comes back, and, most importantly, I think, for collaborating with CISA, collaborating with the intelligence community, collaborating with, you know, organizations that are looking at criminal activities. What--the beauty of this legislation in my mind is you are building the opportunities for a broader and more effective partnership in the context of a mandatory requirement. I think, you know, credit to the committee for recognizing the value of maintaining the partnership--the best parts of the partnership, but also on insisting on accountability and incenting companies to participate in this process. I think that is the big story.

Mr. Thompson. Thank you. Madam Chair, I yield back. Again, thank you for this very thoughtful legislation, and I look forward to its approval. I yield back.

Ms. Clarke. I thank you, Mr. Chairman. The Chair will now recognize the other Members of the subcommittee for questions they may wish to ask the witnesses. In accordance with the guidelines laid out by the Chairman and Ranking Member in their February 3 colloquy, I will recognize Members in order of seniority, alternating between the Majority and Minority. Members are also reminded to unmute themselves and turn on their cameras when recognized for questioning. The Chair recognizes for 5 minutes the gentleman from Georgia, Mr. Clyde, at this time.

Mr. Clyde. OK. I am going to go forward, then, and have the Chair recognize for 5 minutes the gentleman from Rhode Island, Mr. Langevin, for his questions at this time.
Mr. Langevin. Thank you, Madam Chair. I want to thank our witnesses for their testimony today. Mr. Mayer, if I could start with you. In your testimony, you recommended that only confirmed incidents should be covered by this bill, not potential or universal incidents. I want to explore that idea. The SolarWinds breach has brought new attention to the issue of incident reporting, and for good reason. It took FireEye stepping forward and confirming that they had been compromised for the revelations of the largest SolarWinds campaign to come to light. So let's say that, in the future, a nation-state is conducting a similar espionage campaign against a U.S. critical infrastructure sector. So if critical infrastructure operators in this sector are not obligated to report suspicious network activity to CISA and they are only obligated to report once they have discovered a breach of confidentiality, integrity, or ability, how would we be meaningfully better positioned to proactively identify and mitigate this hypothetical espionage campaign than we are right now?

Mr. Mayer. So I think, sir, that is--that is an important question. So when I--when we say ``confirmed,'' does that mean you are going to have every aspect confirmed, that you are going to have attribution confirmed, that you are going to know every system that is impacted? No. That is going to take some time. In fact, if you look at SolarWinds, I believe it took months--8 months or so to even detect it. I think, in my mind, if you have a significant cyber incident that has the kind of impact on confidentiality, integrity, and availability, you are going to know it--you are going to know it when you see it. It is going to be a very obvious impact on a pretty significant system, on a pretty significant function. U.S. Government, then CISA more likely than not is going to be aware of these types of events. They are going to affect Federal systems. They are going to be observable in some cases.
So I think, you know, in the spirit of this legislation here, once a company realizes that it has been hit in a very significant way and has some visibility into that attack at some level and is maybe beyond the initial hours and days of triage, I would have every expectation, certainly in my sector, that there would be a conversation with CISA. Of course, there are provisions here that, if companies are not responsive, there are mechanisms in place to apply a stick that I think would be very painful and incent companies to come forward. Mr. Bushar. If I may, sir, can I add to that testimony briefly? Mr. Langevin. Sure. Mr. Bushar. So, actually speaking directly to, you know, the experience that we had during SolarWinds, I think the way to think about your question is this way. So in the early days of our analysis of what was happening inside of our own organization, we had some information that looked suspicious, but, you know, early, early on, we weren't quite sure if that was misbehavior potentially by an employee or just anomalous or something, you know, unusual happening with our technology inside the organization. Once we had confirmation that there was, in fact, a significant compromise, we actually--that is when we came forward and made the voluntary notifications to Government agencies. I think the point here is that, not that you would never disclose or you would wait until you had all the information available, but simply that, you know, in many cases in our experience, you could have situations where initial indicators aren't indicative of an actual true compromise, and you want to allow organizations time to fully analyze what is happening in their environment and determine that there is, in fact, a real impact, and then have the qualifying event to report to CISA. That speaks to the relative value and taking the noise out of the data that we talked about earlier. Mr. Langevin. Yes. 
You know, I think, first of all, you know, we should ask FireEye when they think they would have reported under this bill. You know, Mandia has testified that he put hundreds of people on it for weeks before the disclosure, not 72 hours. It was weeks. You know, and those were weeks where Russia was stealing data. Any comment on that? Mr. Bushar. Yes, sir. I mean, again, that is a great point. It is--I think it is a reason why we are actually endorsing, you know, a named time line. It is, you know--we are--at the time and still to this day, organizations, when it is the--the breach is not affecting covered data, privacy data, HIPAA data, et cetera, it is really under your own recognizance to determine the appropriate time line and agencies and authorities to report to. I think, by providing guidelines and actual criteria, you are providing us, you know, a very clear structure for organizations to report within. I think it is--there is something to keep in mind here, and I think it is captured inside the bill already, which is 72 hours gets that initial window, and it gives some reasonable balance between analysis time and getting first indicators and warnings, you know, of the hurricane, let's call it, coming, to CISA. But I--you know, I can say with assurance to you that that information is likely to change, adapt, and evolve beyond the 72 hours. So I think, in the bill, the way it is captured in terms of updating that information is also critically important. It can't just be that first reporting. There has to be information updates as more is learned throughout the investigation and analysis. I think---- Mr. Langevin. Yes. Mr. Bushar [continuing]. That speaks to your question regarding Mr. Mandia's testimony. Mr. Langevin. So, just so I am clarifying, so you don't think that FireEye testified--you don't think that FireEye reported early enough? Just to be clear, that is your testimony? Mr. Bushar. No. Not--I wouldn't say it that way, sir. 
I think we did the best we could under--and under, you know, voluntary analysis and trying to understand what was the appropriate, again, timeliness and reporting authorities under a stressful situation. I do--we believe strongly that a reasonable period of time, you know, within that 72-hour window, does make sense for most entities, at least for an initial reporting requirement. Mr. Langevin. Well, OK. I know that my time is--you know, is close to end. Let me just say that, Madam Chair, you know, as I am highlighting here, I am a bit concerned about the gap I see between the amount of information CISA needs to meaningfully improve the cybersecurity of our critical infrastructure sectors and the amount of information that CISA would receive would--only to be notified of--for confirmed cyber incidents. You know, further illustrate this concern with the second example. Let's say that there is a threat actor who is deploying destructive ransomware across critical infrastructure providers, but it has not yet activated--activated it yet. This is not unusual behavior. Once a confirmed cyber incident occurs, threat actors know that news will spread quickly and they will have a limited opportunity to act before cyber defenders close off the vulnerability and root out their malware. This means threat actors are likely to start encrypting the files of all of the targets they have compromised as fast as possible. By the time that CISA learns of this first ransomware attack, it could be too late for it to take any meaningful action and mitigate the threat to other entities in the sector, or, importantly, in other sectors which are vulnerable to the same malware. So, you know, Madam Chair, as we continue to consider this bill, I hope that we are going to continue to explore what definition of cyber incident will best ensure that CISA is able to do a job proactively when--job and proactively warn critical infrastructure providers of threats. 
I know my time has expired, so I will yield back, Madam Chair. Ms. Clarke. Thank you very much, Mr. Langevin. Point well taken. Wanted to just make sure that everyone is aware we will probably do a second round of questioning after we hear the questions posed by the gentleman from Georgia, Mr. Clyde, for 5 minutes at this time. Mr. Clyde. Thank you, Chairwoman Clarke, for holding this very important hearing with Ranking Member Garbarino. As previously stated by my colleagues, cyber attacks are one of the biggest national security challenges that our nations face. I am dedicated to working with all of you in finding solutions that mitigate these threats. I think one of the biggest challenges in addressing and understanding cyber attacks is encouraging entities to come out of the shadows and report these incidents to CISA. There seems to be a fear that these stakeholders, that they could be unfairly blamed for these attacks. As a society, I think we do not blame the store clerk when a business is robbed by a gunman. We blame the perpetrator, and we work to bring them to justice. So I think our society must take the same approach when organizations report cyber instances and stop blaming victims for taking the correct actions to address these attacks. So I have got some questions. I want to follow up on something that Mr. Bushar said, and--but I will get to that. The Federal Information Security Modernization Act of 2014 requires the OMB to define a major incident, and directs agencies to report major incidents to Congress within 7 days of identification. The legislation we are discussing today would require the director to determine the time frames, but no earlier than 72 hours. I think there is a disconnect between the way the Federal Government and the private sector report. So what I would like to know is whether this 72 hours or this 7 days is the appropriate period, and if--or is it something else in between? I think, Mr. 
Bushar, you said that 72 hours was probably sufficient. But, Mr. Miller, if I could get your input on that. I would also actually like to hear from each of the witnesses what their thoughts are on that time frame. What should the appropriate time frame be? Thank you. If I could go in with Mr. Miller first, and then alphabetically, Ms. Hogsett, Mr. Mayer, and Ms. Denbow. Mr. Miller. Thanks very much for the question, Representative Clyde. Yes. Well, as we say in our written testimony and as our policy principals indicated and as I think we have heard from several other witnesses today already, it does seem like 72 hours does hit the--kind-of the sweet spot, if you will, for a variety of different reasons. You know, I don't want to be duplicative of some of the other points that were made here, but, you know, just to put a fine point on something, you know, whether we are talking about the Cybersecurity Information Sharing Act of 2015 and the information sharing under that act, or if we are talking about incident reporting requirements here, you know, the--the goal of these--hopefully of these bills and laws is not to share the information or just, you know, provide an avalanche of information or as much as possible. Really do need to report information in a way that is going to be usable, not only by CISA, but by critical infrastructure, by other companies, such as FireEye, that are working, you know, on the front lines of these incidents. So 72 hours seems to be the amount of time that many cybersecurity professionals say is sufficient to determine what has occurred and to provide some of that additional contextual information that is needed, you know, to conduct the investigations, to actually make sure that, you know, cybersecurity--that you are actually also paying attention to trying to shore up your systems and avoid further damage. Also, it does seem to be in line with kind-of a global standard, if you will, in the 72 hours time frame---- Mr. Clyde. 
Well, thank you. Ms. Hogsett, do you concur with that? Ms. Hogsett. Sure. I think what we are all trying to do is we recognize the benefit and the value of providing more information into a central place in the Government--in this case, CISA--to help everybody else sort-of avoid attacks if it hasn't already hit them instant. So what you note around FISMA and the 7-day, I would have to go back and look specifically at when that time line kicks in, because we have often found in industry, when the clock starts ticking can be very different. We believe, as structured in this legislation, it does allow, as John noted, a reasonable time period for a firm to do initial investigation without interfering with that important work that needs to happen, while still providing then useful information that could benefit others. I think the larger point that you highlight, though, is that we do have already in place varying different standards, and there is a need to ensure that there is harmonization. Industry certainly faces this. We have it with our existing regulations. Government agencies are likely also now, as you highlight, you know, to have to face that. So this is something that we would encourage and would love to continue working with you and Congress on to help ensure that there is more of a standardized baseline and that everyone has a clear time line and a clear set of expectations around reporting. Mr. Clyde. OK. Thank you very much. Mr. Mayer. Mr. Mayer. Yes. So I will be quick here just to add. I think--I am looking for the language. I can't find it right now. But two things. One is the legislation recognizes that there is a balance between the agency's desire to get situational awareness and to get information out that could be useful, and the desire of a company to have--feel that they have some sense of what happened. Again---- Mr. Clyde. Right. Mr. Mayer [continuing]. Going back to what constitutes confirmation, you are going to know it. 
You have got a serious cascading impact on critical infrastructure. You may not know attribution, you may not know all the elements, all the systems that have been impacted. You will know you are dealing with a significant incident. So I think you accomplish that balance. The other thing I would add--and, again, I am looking for it here, in the Executive Order 14028 that the White House issued on improving the Nation's cybersecurity with respect to what Federal agencies are required to do and their contractors, they established, subject to check, I believe 3 days as the time line for providing information. So I am sure a lot of thought went into that, discussion with other agencies. As it was pointed out, I think there are general standards around that time. So it is a reasonable amount of time. I think if you tried to make it 7 days, I think a good case could be made that things would be, you know, at that point, too far down the road in terms of potential damage. So---- Mr. Clyde. OK. Mr. Mayer [continuing]. We wouldn't--I don't think anybody on the industry is going to--you are going to find anybody arguing for that--that amount of time---- Mr. Clyde. Well, all right. Thank you. Maybe we should tighten up the Federal Government's requirement then. Last, Ms. Denbow, do you concur with that? I saw you shaking your head yes. Ms. Denbow. Thank you very much, Congressman. There is not really a good answer to exactly what the right number should be. Should it be 72? Should it be 70? Should it be 68? It is more of--the key is that they are allowed to confirm first that they have an incident rather than just speculating that they have an incident. By giving it the 72 hours, now you are allowing the operator more time to gather valuable, useful information rather than just spitting information to CISA, where CISA is going to come back and ask more questions anyway. 
So it just allows that little comfort zone and space to be able to do the investigation that is needed to be able to provide preliminary information. Mr. Clyde. Well, thank you very much. Madam Chair, I see my time has expired, but I appreciate the witnesses' information here. You know, it is my intent that we have good industry input in the rule-making process to establish this bill, because I think that is very, very important. So thank you, and I yield back. Ms. Clarke. Thank you, Mr. Clyde. The Chair now recognizes for 5 minutes the gentlewoman from Texas, Ms. Jackson Lee. Ms. Lee, are you muted? I think you may need to unmute. Ms. Jackson Lee. Can you hear me? Ms. Clarke. We can hear you now. Ms. Jackson Lee. Thank you so very much. Thank you very much, Madam Chair, for your leadership on this very crucial issue. I just have two questions that I would like to pose for those who would answer it and give their insight. We know that a key consideration on the value of reporting is sharing information on the cyber attack, how a system was breached or compromised so that effective defenses can be developed. I would like to raise the point of whether or not is it important for Pfizer--CISA to share this type of data with critical infrastructure owners and operators knowing that, even to date, there are at least 85 percent or more of the critical infrastructures in the private sector? The second question would be how this legislation would have impacted Colonial Pipeline and the trajectory that they utilized, which was not open, which was not--they did not come forward quickly, and they did not provide information quickly. So I pose those two questions, and I do those to the particular witnesses who choose to answer them. Or either I will call on each of you. Mr. Bushar. Yes, ma'am. I will take a shot at the first question. 
It is absolutely important and critical, and as we testified today, that the bidirectional information sharing is absolutely important for any information-sharing regimen to be considered. So those indicators, those technical pieces of information around the specific vulnerabilities that were exploited and the way in which they were exploited are exactly the sorts of data points that CISA should be collecting and then, you know, turning around to covered entities or to specific sectors as appropriate. As we know, in much of our infrastructure today, it is fairly common technology sets, so that, in many cases, those sorts of information and indicators will apply broadly. But there may be very, very specific vulnerabilities that only apply to certain pieces of technology that are only relevant in certain industries, and, therefore, CISA will be--you know, they will have to tailor that information sharing in a way that is, again, relevant to the defense--defensibility of those particular pieces of technology in those sectors. Ms. Jackson Lee. Can you hear me? Mr. Bushar. Yes, ma'am. Ms. Jackson Lee. Good. Can I have other witnesses answer the question, please? Ms. Denbow. I will gladly answer. This is Kimberly with the American Gas Association. Ms. Jackson Lee. Thank you. Ms. Denbow. Yes, ma'am. So, repeating what Ron said, yes, the bidirectional is extremely important. Going on to the Colonial Pipeline matter. I will say that for nearly a dozen years, if not more so, the oil and natural gas sector, as well as the pipeline sector coordinating councils, have been asking Government for a more streamlined reporting approach. Regardless of whether it was mandated or voluntary, we said: Is there a one-stop shop where we can report a cyber incident? And there is constant, well, yes; well, no, not really. 
So until that can be worked out, I believe the industry operators are reporting to whom they feel they need to report to, one, under certain given requirements, but then, also, I know that, at least with AGA-member utilities, we tell them to connect with the FBI. So, given the absence of that further information, that is kind-of what we are working under, as well as to report to the TSOC, the Transportation Security Operations Center. Ms. Jackson Lee. So legislation--thank you. Legislation that would give a framework for this would be helpful, and also the sharing of information would be helpful as well? Ms. Denbow. That bilateral part is so important. We feel like--we feel like when we share with the Government, it becomes a landfill of information with nothing valuable coming back out to us in a timely fashion. That is not to criticize the individuals that are working with the process on the Government side. Much like having a valuable by-product out of landfills, such as renewable natural gas, it would be valuable if we could have a valuable by-product out of this data landfill being bidirectional information sharing in a timely fashion of actionable information. Ms. Jackson Lee. Thank you. Any other witnesses---- Mr. Miller. Congresswoman Jackson Lee, could I also jump in on this briefly? Ms. Jackson Lee. I would be very pleased if you would, Mr. Miller. Thank you. Mr. Miller. Thank you very much. You know, just to add on to this--the bidirectional point. It is absolutely critical, and, you know, again, as I was suggesting earlier, you know, it is not only bidirectional information sharing. I mean, what is really key is what is the--what is the goal, and what is the--and what is this bill, for instance, trying to do with--this incident notification bill? I think that the bill does a good job of articulating some of the different operational, you know, goals that the bill has for CISA. You know, greater situational awareness is certainly part of it. 
We can all agree that that would be useful, not only for the Government, but for the critical infrastructure community. But then, also, at least based on our conversations with, you know, the relatively new team at CISA, you know, I think they are really interested in driving deeper operational collaboration between CISA, other Government partners, critical infrastructure owners and operators. I mean, that is really key, right, to--you know, we always hear cybersecurity is a team sport. Maybe it is a cliche because it is true, right? I mean, CISA--we shouldn't think of it as, you know, does CISA have the information it needs to protect the world from cyber threats, because that is--they are never going to have enough resources to do that. So they have to work with the private sector, and that is why private sector also needs this information. Ms. Jackson Lee. This is a new world. We even expect ransomware from now on, and I think we do need this cooperative, collegiate, and important dialog and discourse every moment, if we can, in order to fight against those who intend to really break our infrastructure. Madam Chair, I am sorry, I am not seeing the time, but do I have any more time? Ms. Clarke. Ms. Jackson Lee, your time has expired. We are entering into a second round of questioning. If your time permits and you have further questions, please keep your camera on and we will acknowledge you. Having said that, I want to acknowledge---- Ms. Jackson Lee. That is it. Thank you so very much. I appreciate your patience. Ms. Clarke. Absolutely. Absolutely. I am going to acknowledge myself for 5 more minutes. There are a few more questions that I have for our panelists, and I know that our Ranking Member will be joining me in questioning. Mr. Bushar, how can CISA use data on cyber incidents to empower security researchers outside of CISA to improve security systemically across sectors? 
Can CISA do this in a way that protects confidentiality and anonymity of covered entities? Mr. Bushar. Thank you for that question, Madam. Yes, absolutely. There is valuable use cases for information that CISA can share with either universities, public sector, other public-sector entities or private-sector research firms to do deeper-dive analysis, more complex, you know, analytics on information. Things that were mentioned earlier by, I believe, one of the other Members related to more complex sorts of calculations related to machine learning algorithms or other sorts of artificial intelligence-based capabilities that are-- today reside largely either in the private sector and academia. I think there is a huge amount of value in that collaboration and information sharing to allow a broader research community to fully understand and analyze not only individual attacks, but, again, the totality of what we are seeing in cyber space, and hone in on what are some key areas of either resiliency or defensibility, you know, to better protect our sectors or our infrastructure overall. To your other question related to how that information can be shared or can it be shared anonymously or in a protected way for covered entities, absolutely. We do this all the time as part of our cooperation, not only with Government entities but with research partners, et cetera, where we are able to take collective data in a way that removes any sort of attribution to the source of that information or to the identity of the victim. It is how we produce a number of our own strategic reports, you know, in--for our customers and for the wider community, and we believe that there is concrete ways for that to be done in a way that protects the identity and confidentiality of the sources of that information but benefits all parties from a research and development effort perspective. Ms. Clarke. 
From your perspective, having worked with CISA and critical infrastructure clients to respond to incidents, what role do you see incident response firms like Mandiant playing in this new reporting regime? Are you concerned that forcing security vendors to report on their customers will undermine trust and discourage owners and operators from working with the companies that have expertise and tools to make them more secure? Mr. Bushar. Thank you for that question, Madam. Yes. On the point of the role that private security firms play in protection and response to cyber threats, it is certainly a capacity issue, as was stated earlier. We believe that there is roles specifically for the Government to assist directly with victims as well as private-sector partners like us and other firms. In order to do that in either model, frankly, there has to be a trust relationship. These are often some of the worst days that organizations are facing. There is very, very sensitive information that is being analyzed within the--during the breach and within the organization. You are in a situation of high trust with your clients, whether you are Government support, whether you are FBI, whether you are Mandiant responding to a breach. The challenge with a mandated model where you are asking a trusted partner of a victim to then report independently of that victim's authorization to the Government of the fact of a breach puts us in a real challenging position--any individual-- any organization in a challenging position of betraying one trust in order to provide information to another partner. We don't believe that that encourages a real cooperation or collaboration or effective way of sharing information. It also can potentially create challenges with contracts and language around legal requirements that we put in place whenever we are working with clients in a trusted manner. 
So I do think that the model that has been put forth in this bill, where it is the covered entity themselves, it is the organization that is the victim that is required to and responsible for ultimately reporting is the right model. I think organizations like ourselves are in a good place to advise and support that compliance for the victim, but that organization's security vendor should not be compelled to do that independently of the client that they are working on behalf of. Ms. Clarke. Very well. One of the goals in drafting this legislation was to provide CISA with enough information to analyze and understand threats, but do--but to do so without inundating CISA with false positives or inaccurate helpful-- unhelpful reports. I think that was raised in the conversation with Mr. Clyde. Toward that end, we have directed CISA to consider a number of factors when defining covered cyber incidents. This is to the panel. What are the risks of improperly scoping the definition of covered cyber incidents, and how would that frustrate the goals of cyber incident reporting? Yes. Mr. Mayer. So I might start here. So what you want to look for is the Goldilocks solution here. It can be too narrow or it could be too broad, and you really have to find that right balance in terms of, you know, laser on that kind of consideration. So the fact that there is a process of engagement, that there is going to be a continuous dialog, I believe, there will be opportunities to say, we didn't do enough, we did too much, or it was too narrow, too broad, and to refine that. But I think there are risks on both sides of that equation. Ms. Clarke. Thank you, Mr. Mayer. Ms. Hogsett, I think I saw your hand. Ms. Hogsett. Yes, ma'am. Thank you. I agree with Robert. I think the thing--the point that we would caution here is, for a number of our financial institutions, they will potentially see thousands of pings against their systems. 
So if you leave the definition and the scope too broad, you would literally have, from a single firm, potentially hundreds if not thousands of reports going in, which just is a massive amount, and it is not really the things that are going to, I think, cause the level of concern that you are looking to focus on. So, again, we do believe that, you know, the opportunity for public comment and dialog with sectors through the rule- making process will help us get to a good place, but we also do need to be respectful that this is going to be a new--new work capability for CISA to build, and we don't want to send too much information to them, because that would be too much noise in the system and you would miss potentially really big things. Also, for a firm who is then having to report, what that means is you are taking your front-line cyber defenders away from focusing on defending the firm and continuing to keep up with this dynamic threat environment that we have, and instead they are focusing on making sure that they are submitting Government reports so that they are not, you know, missing that perspective. So I think that is a really critical component to get right, and we appreciate at least that the structure you have put in place would allow for that dialog to get to the Goldilocks moment that Robert mentioned. Ms. Clarke. Thank you. My time has expired. I thank my Ranking Member for his indulgence, and I now yield to him for any additional questions that he may have. Mr. Garbarino. Of course, Madam Chairman. That is actually an important question to get out, so I appreciated and enjoyed the witnesses'--their answers. I want to do a little follow-up. Ms. 
Hogsett, maybe you could--since most of your Members already deal with reporting requirements, both nationally and for a lot of States, what can we do--is there anything we can do in this legislation to help, you know, harmonize, you know, what you--what your Members have to--have to do so that they are not sending--they are not reporting on several different hacks, you know, one for one agency, one for another, you know, based on different standards? You know, how--what can we do so it is easier for your Members to comply with this law? I will extend that to some of the other witnesses as well after she answers, because I am sure you all have great opinions. Ms. Hogsett. Well, thank you for the question. That is a really critical thing for us. Attached to my testimony, we did include sort-of a compendium or a summary of the variety of requirements that we already have. This is why there is a provision in the bill currently that requires CISA to coordinate and harmonize requirements for those sectors that already have them in place. So, for us, this would mean, you know, we would really strongly encourage CISA to work not only with our sector risk management agency, which is Treasury in our case, but also Federal Reserve Board, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation. I mean, we have a multitude. Hopefully, we have done a lot of that work to help funnel that to a good place where we can help align for them with what we already do, but that is really such a critical point for us, that this gives us an opportunity, hopefully, to have a streamlined requirement with a common set so firms can provide information to one place, and then CISA should be in a position to help work across the Government, including independent regulatory agencies, to share that information out. 
Based on the conversations we have been having with our regulators, we do think that everyone is really trying to align and do the right thing to help everybody, you know, protect their institutions, their organizations, and also the broader sector and our Nation. So this is a unique opportunity to do that, and your help and support by ensuring in the implementation that that coordination--that required coordination occurs would be really helpful for us. Mr. Garbarino. Great. Thank you. Anybody else want to add on to that? Ms.--Mr. Miller? Mr. Miller. Sure. Thank you, Ranking Member Garbarino. Yes. You know, as I mentioned in my--I mentioned it briefly in my oral testimony, and it is certainly in my written testimony as well. I mean, this is really a major issue, and, frankly, even extends beyond the cyber incident reporting context, right? I mean, we have often talked about the need for regulatory streamlining, because we not only--we have a lot of different sector-specific regulators. You know, I don't need to say anything more about that since Heather just took care of that. But, you know, the reality is there are a number of different security incident notification requirements out there already, right, on companies, you know, not only in the regulated sectors, but, you know, Federal contractors. We have the new Executive Order provision that was mentioned earlier. One of the things that we recommend is really, you know, leveraging these--the various existing channels that are already set up and having CISA do that to really make sure that, you know, that, frankly, the information is also being shared amongst the regulators, the Federal agency, right? We are talking about bidirectional information sharing but, in this context, it is almost tridirectional. We also need CISA talking to FBI and the financial regulators and anyone else who really has information or is receiving these reports. 
One of our recommendations is that perhaps, you know, the Office of Management and Budget could issue guidance to Federal regulators and law enforcement requiring this sort-of sharing of information to make sure that we are actually having a--you know, an impact on the regulatory overload, you know. I appreciate the bill for taking the first step in acknowledging the need, so thank you.

Mr. Garbarino. Yes. Ms. Denbow, I know you are--I think one of the next things we have to do is maybe do a little Federal preemption, all these different State rules that you all have to deal with. We won't get into it now, but I know--I am sure I could guess how you all feel, but----

Mr. Miller. Right. It is beyond your scope perhaps, but there are also international rules that we need to deal with, so----

Mr. Garbarino. Oh, yes. One thing at a time.

Ms. Denbow. So I believe that the biggest challenge really is--and I speak from experience at the American Gas Association. We worked effortlessly to try to pull together a harmonization of all the different cyber assessments out there, from all the different agencies: Department of Energy, Department of Homeland Security, TSA. We were able to do something like that. But then when you take it back to those different offices, they believe that their system is the one system that works best. So I believe that is where--the challenge is actually going to be on Congress to convince the different agencies that there is one system as opposed to all the different systems, or how the--all the different systems that are out there are not going to be overly burdensome to the operator.

Mr. Garbarino. I appreciate those answers. Thank you so much. We will definitely take that into consideration. Madam Chairwoman, I yield back, but thank you again for having this great hearing today.

Ms. Clarke. I thank you very much, Mr. Ranking Member.
I want to thank our witnesses for their valuable testimony, and the Members of the subcommittee for their questions. The Members of the subcommittee may have additional questions for our witnesses, and we ask that you respond expeditiously in writing to those questions. The Chair reminds Members that the subcommittee will--record will remain open for 10 days--10 business days. Without objection, the subcommittee now stands adjourned. Thank you for joining us today.

[Whereupon, at 1:47 p.m., the subcommittee was adjourned.]
