House Committee emphasizes importance of CIRCIA implementation for cyber preparedness

Members of the U.S. House Committee on Homeland Security identified in a Wednesday hearing that implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) by the Cybersecurity and Infrastructure Security Agency (CISA) is more important than ever for the nation’s cyber preparedness. The final CIRCIA rule, expected late next year, will mark a pivotal turning point for America’s ability to mitigate cyber risks and protect its national security, economy, and way of life. 

The CISA introduced in late March a proposed rule under the CIRCIA that aims to enhance the cybersecurity posture of critical infrastructure owners and operators against increasing threats and attacks. It involves regulations mandating the reporting of cyber incidents and ransomware payments to CISA, enabling the agency to provide swift assistance, analyze trends, and share information with network defenders. The Notice of Proposed Rulemaking (NPRM) is open for public comments until June 3, following its publication in the Federal Register.

Witnesses at the hearing included Heather Hogsett, senior vice president for technology and risk strategy for BITS, Bank Policy Institute; Scott Aaronson, senior vice president for security and preparedness at Edison Electric Institute (EEI); Robert Mayer, senior vice president for cybersecurity and innovation at USTelecom, The Broadband Association; and Amit Elazari, CEO and co-founder of OpenPolicy Group.

“When we passed [CIRCIA], our goal was to ensure shared visibility of substantial cyber incidents impacting our homeland’s critical infrastructure,” Mark Green, a Republican from Texas and chairman of the House Committee on Homeland Security, said in his opening statement. “With nation-state actors such as China and Russia continuing to target us, we knew that we needed to better understand and defend against increasingly fraught cyber threats.”

However, Green highlighted, “We knew we needed to do this without imposing undue regulatory burden on our companies that are already stretched very thin. Duplicative efforts tend to wind up costing businesses money that they could actually use on real cybersecurity, and so getting to the bottom of those is one of our priorities.”

Green added that it is imperative that “we strike this balance and ensure the rule is harmonized with regulations.”

Andrew Garbarino, a Republican from New York and chairman of the Subcommittee on Cybersecurity and Infrastructure Protection, identified that “in an age of increasingly sophisticated cyberattacks on our critical infrastructure, our fragmented approach to incident reporting has proven anything but nimble and useful. It is cumbersome and oftentimes redundant, creating a compliance burden on private sector partners who could be spending their resources on security rather than fulfilling multiple reporting requirements. A confusing and reactive, rather than proactive, reporting regime increases the risks to the security of our homeland.”

He added that after significant national attacks on Colonial Pipeline and SolarWinds, “Congress recognized an urgent need for better and more coordinated cyber incident reporting for our critical infrastructure. This included a need to develop a process for reporting ransom payments, which didn’t exist despite the rise and impact of ransomware attacks.”

“It is imperative that we get the CIRCIA rule right. CIRCIA should serve as the standard, not another regulation standing in the way of effective cyber defense. Because it is so important we get this right, I’m encouraged to hear that CISA is granting a 30-day extension for submitting comments,” Garbarino pointed out. “Members of this subcommittee have eagerly awaited the draft rule that we are going to discuss in-depth, especially considering conflicting rules, such as the SEC’s public cyber disclosure rule. Therefore, we are devoting this hearing to CIRCIA because we know this is an opportunity: one to ensure regulatory effectiveness and harmonization.”

“Critical infrastructure security is a shared responsibility and a national imperative. While most critical infrastructure is owned by the private sector, government at all levels can and must play a role in protecting it, especially when it comes to defending against nation-state actors,” Aaronson of Edison Electric Institute wrote in his testimony. “Cyber incident reporting may support government efforts to protect U.S. critical infrastructure by creating visibility into cross-sector cyber risk, but reporting also should be supplemented with federal support to mitigate risk and harden the critical infrastructure assets that are vital to national security.”

He pointed out that through various standards and voluntary regimes, the U.S. energy grid benefits from a baseline level of security. “While these standards are important, regulations alone are insufficient given the dynamic threat environment, and they must be supplemented by industry-government partnerships and coordinated response and recovery efforts.”

Aaronson added that the electric power industry appreciated the chance to contribute to the drafting of the proposed rule through sector-specific listening sessions and through comments to CISA’s request for information. “The industry aims to continue this collaborative partnership to harmonize reporting requirements and to reduce the burden on covered entities in the energy sector.”

EEI is currently collaborating with its member companies and has identified several opportunities for improvement. These include the scope of the substantial cyber incident definition; the volume of information requested; workforce burden; data preservation requirements; and information protection.

“The financial services sector has long supported the early and confidential sharing of cyber threat and incident information. Early awareness of threats helps firms respond and calibrate additional security measures that can prevent malicious activity or minimize its impact,” pointed out Hogsett, BITS’ senior vice president of technology and risk strategy. “CIRCIA represents an important step towards expanding this type of awareness and information sharing across all critical infrastructure sectors. If its requirements are appropriately balanced, CIRCIA will help reduce attacks and the disruption they cause to individuals, businesses, our economy, and our way of life.”

She added, “It is imperative that we work together to ensure the final reporting requirements of CIRCIA balance CISA’s needs for early incident information while not disrupting critical incident response and remediation activities. As currently drafted, CIRCIA would add significant requirements to an already challenging and complex set of government reporting requirements.”

“It is imperative for our government partners to recognize the substantial cyber resources that will be allocated to assess whether an event meets the reporting criteria. The industry requires more precise definitions and clear reporting thresholds,” said Mayer of USTelecom. “Without these, there is a real risk that, in an effort to comply with the law, the industry will report numerous events that could easily overwhelm CISA’s capacity to act on the information. Such overreporting could unnecessarily burden government resources and undermine the effectiveness of CIRCIA.”

He added that the estimated cost to the industry of these new requirements is US$1.4 billion over eleven years, and that the federal government is estimated to incur costs of $1.2 billion over the same timeframe. “Collectively, our nation needs a return on this investment and for the law to achieve its aims. We will work with CISA to ensure that meaningful incident reports lead to broader situational awareness and to increased operational preparedness and response capabilities.”

“The Congressional intent for CIRCIA is ‘preserv[ing] national security, economic security, and public health and safety,’ and assisting the federal government with increasing situational awareness and visibility to cyber threats in support of a broader mission to achieve systemic risk reduction for the United States and its underlying critical infrastructure,” Elazari of OpenPolicy detailed in his testimony. “This ultimate value, of increasing cyber resilience merits additional proportionality between the cost, and value of and processes CISA and the federal government will exercise to ‘give back’ to impacted communities who bear the implementation cost.” 

He added that striking this balance may require more resources and additional infrastructure to ‘rapidly deploy resources,’ as well as better and more diverse state-of-the-art solutions to stay ahead of malicious actors and to deploy alerting systems.

“It will further require those who need to alert the government to have solutions, and ‘alert systems,’ to spot issues and to intake alerts and process them into action,” according to Elazari. “To achieve cyber resilience we must approach CIRCIA implementation in the context of the broader common fabric of cybersecurity policy efforts, implemented in the U.S. and globally.”

Elazari also pointed out that creating the architecture (technical, procedural, and programmatic) and the culture that truly achieve the underlying risk reduction goal of CIRCIA will require action from CISA and other agencies that may extend beyond the Rule, but that proper implementation of CIRCIA can result in considerable progress. “Much progress has been made; we will continue to rely on Congress’s relentless attention to this matter, as we move forward with CIRCIA’s implementation.”

Earlier this week, the U.S. White House announced that President Joe Biden has signed a National Security Memorandum (NSM) to secure and enhance the resilience of the nation’s critical infrastructure sector. The move will replace a decade-old presidential policy document from former President Barack Obama on critical infrastructure protection and launch a comprehensive effort to protect U.S. infrastructure against all threats and hazards, current and future.