Leaders of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection said on Wednesday that they are focused on harmonizing cybersecurity incident reporting regulations, especially when it comes to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
At today’s Workday Federal Forum in Washington, subcommittee Chairman Andrew Garbarino, R-N.Y., and Ranking Member Eric Swalwell, D-Calif., said properly implementing the CIRCIA rule is one of their subcommittee’s biggest goals as they look towards the remainder of the current Congress, which will conclude in January 2025.
“I don’t want it just to be another reporting rule. I want it to be the rule, and I think industry wants that too,” Rep. Garbarino said at Wednesday’s event. “So, making sure this rule is properly put into place is very important.”
Their subcommittee held a hearing on the CIRCIA rule earlier this month, and Chair Garbarino said “our joint efforts convinced” Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly to extend the proposed rule’s comment period by an extra 30 days – until June 3.
The chairman also noted that the subcommittee is looking to “draft our own comment to be submitted to CISA for the rulemaking.”
CIRCIA – signed into law by President Biden in March 2022 – requires CISA to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the government.
Under the law, critical infrastructure owners and operators are obligated to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
Ranking Member Swalwell said that the subcommittee’s key focus on this rule is the same as Workday’s focus, “which is the customers.”
“What I think about is your customers, the small and medium-sized businesses who, left of boom, don’t necessarily have the hygiene and the training and the awareness of how to protect their systems,” Rep. Swalwell said. “Andrew and I have really tried to focus on the small and medium businesses.”
“And then when it comes to reporting, obviously we want to know when folks are hit … but how do you not overreport and how do you make sure it’s really just critical infrastructure, and that like a dental office isn’t getting jammed up on having to spend time reporting,” Rep. Swalwell said, adding, “So, that’s a big focus of ours right now is really addressing the small and medium-sized needs.”
Another cyber incident reporting rule that the two lawmakers are focused on – and both expressed opposition to – is the Securities and Exchange Commission (SEC) cybersecurity incident disclosure rule, which Rep. Swalwell believes is “a deterrent” for people to enter the cybersecurity workforce.
The SEC rule went into effect on Dec. 18, 2023, requiring organizations to publicly report a cybersecurity incident “before you even have a fix,” Rep. Garbarino explained.
“So, you could have a glitch in an upgrade and you don’t know what it is yet, and now you’re publicly reporting it. You’re going to tank the stock … and then [realize], ‘Oh, it was just a system upgrade, and we had to report it.’ You spend too much time on the reporting requirement, instead of figuring out what the hell it is,” added Rep. Swalwell.
“The problem is, is this is the first one real rule that came out since we passed CIRCIA, which Congress said we should be harmonizing cyber incident reporting rules and then [SEC Chairman Gary Gensler] said, ‘Well, I’m just gonna do my own thing anyway,’” Rep. Garbarino said. “That is definitely stopping people from moving up.”
Nevertheless, Chandler Morse, vice president of public policy at Workday, closed the conversation by noting that the United States is a “leader” in cybersecurity, adding, “We need to keep that position, and I think the great work you’re doing at the subcommittee will help keep us there.”
