The Trump administration is considering a new rule that would require businesses to disclose cyberattacks and other data breaches to the public. Businesses are lobbying against the proposed regulation, which they say could lead to increased costs and decreased efficiency.
Companies are attempting to limit legislation that would compel them to disclose intrusions to the US government, after a spate of breaches that have fueled a nearly decade-long campaign in Congress to pass such legislation.
Emerging ideas in the House and Senate provide opposing views for how companies that operate most essential infrastructure in the United States would send data to the Cybersecurity and Infrastructure Security Agency, which could subsequently share it with the public and private sectors. According to individuals familiar with the situation, many companies and trade organizations have asked for a more precise definition of the types of hacks covered by law, as well as a 72-hour reporting time instead of the 24-hour period proposed by the Senate bill.
“The last thing you want to do is provide incomplete or incorrect information before you have a full understanding of what’s going on,” said John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, a trade group that supports a 72-hour reporting window.
Subscribe to our newsletter
Cybersecurity WSJ Pro
WSJ’s worldwide team of reporters and editors provide cybersecurity news, analysis, and insights.
The group, which includes businesses such as Alphabet Inc.’s Google, Amazon.com Inc., and Oracle Corp., also wants liability protections for corporations that disclose events, as well as exemptions from FOIA requests.
Staffers on the House Homeland Security Committee are working on a bill with measures that they want to include in next year’s military budget bill, according to an aide. The measure will be heard on September 1st.
Previously, industry organizations were resistant to such ideas, believing that disclosing information would aid hackers in planning future assaults and would open the door to litigation and regulatory scrutiny. However, last year’s breach of government agencies through SolarWinds Corp. software caused a change of heart among some companies, as it revealed a lack of insight into digital supply chains, giving hackers numerous entry points into specific targets, according to lobbyists and trade organizations.
After cybersecurity company FireEye, Inc. voluntarily disclosed its computer systems had been hacked, US authorities learnt about the incident in December. After hackers affected software providers, hospitals, and the East Coast’s biggest gas pipeline this year, authorities have urged on businesses to disclose more information.
Mr. Miller said, “[SolarWinds] sort of drove home the idea of having to work together.”
Director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly.
Michael Brochstein/Zuma Press/Zuma Press/Zuma Press/Zuma Press/Zuma Press
According to individuals familiar with the situation, a lobbying company representing Microsoft Corp., Booz Allen Hamilton Holding Corp., and Accenture PLC has talked with congressional employees. Microsoft and Booz Allen, both of which have previously expressed support for obligatory reporting, have refused to comment. A request for comment from Accenture was not returned.
According to Grant Geyer, chief product officer of industrial cybersecurity company Claroty Ltd., which has held discussions with House staffers working on a bill, clearly identifying events that need to be reported would be essential for US authorities processing the information. Mr. Geyer believes that rules should apply to attacks that pose a “substantial risk to the confidentiality, integrity, availability, safety, or resilience” of critical infrastructure.
“A clear definition of a cyber event is required so that CISA does not end up chasing a slew of false positives,” he added.
The Cyber Incident Notification Act of 2021, introduced in the Senate last month, would mandate that federal agencies, designated critical infrastructure companies, and cyber incident response firms report hacks “not later than 24 hours after the confirmation of a cybersecurity intrusion or potential cybersecurity intrusion.” Hacks believed to be carried out by nation-state actors or transnational criminal organizations, as well as attacks posing a national security danger, would be included.
The Senate bill would insulate businesses from legal responsibility, safeguard incident reports from FOIA requests, and compel CISA to create personal data privacy measures. The law also allows CISA’s director, Jen Easterly, to penalize companies up to 0.5 percent of their previous year’s sales for each day they violate the regulations. Sen. Mark Warner (D-Va.), who co-sponsored the bipartisan measure with 14 other senators, did not reply to calls for comment.
WSJ PRO CYBERSECURITY ADDITIONAL INFORMATION
House staffers crafting legislation foresee a lengthier reporting window that would allow CISA to set a deadline and define event criteria such as interruptions to business operations and network assaults.
According to sources, the House draft legislation would allow CISA to subpoena businesses for information and send cases to regulators and the attorney general, but it would not contain penalties. It also protects businesses from legal responsibility and Freedom of Information Act inquiries.
CISA would become a regulator depending on voluntary involvement in other security efforts, such as a newly established information-sharing group with cloud providers, telecom companies, and cyber businesses, under either bill, according to House officials. According to the aides, too strict enforcement or unclear regulations may stymie such collaborations.
In a May executive order, President Biden directed CISA to propose wording requiring federal government contractors to disclose cyber incidents. According to congressional staffers and lobbyists, the advice may serve as a model for how the agency interprets a statute that covers critical infrastructure firms.
The suggestions have been made by CISA, according to Eric Goldstein, the agency’s executive assistant director for cybersecurity. He didn’t go into any further detail.
David Uberti can be reached at [email protected]
Dow Jones & Company, Inc. All Rights Reserved. Copyright 2021 Dow Jones & Company, Inc. 87990cbe856818d5eddac44c7b1cdeb8