[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                STAKEHOLDER PERSPECTIVES ON THE CYBER 
                 INCIDENT REPORTING FOR CRITICAL INFRA-
                 STRUCTURE ACT OF 2021

=======================================================================

                                HEARING

                               BEFORE THE

                            SUBCOMMITTEE ON
                     CYBERSECURITY, INFRASTRUCTURE
                       PROTECTION, AND INNOVATION

                                 OF THE

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 1, 2021

                               __________

                           Serial No. 117-28

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT] 
                                     

        Available via the World Wide Web: http://www.govinfo.gov

                               __________
                               
                    U.S. GOVERNMENT PUBLISHING OFFICE                    
46-175 PDF                 WASHINGTON : 2021                     
          
-----------------------------------------------------------------------------------   

                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman
Sheila Jackson Lee, Texas            John Katko, New York
James R. Langevin, Rhode Island      Michael T. McCaul, Texas
Donald M. Payne, Jr., New Jersey     Clay Higgins, Louisiana
J. Luis Correa, California           Michael Guest, Mississippi
Elissa Slotkin, Michigan             Dan Bishop, North Carolina
Emanuel Cleaver, Missouri            Jefferson Van Drew, New Jersey
Al Green, Texas                      Ralph Norman, South Carolina
Yvette D. Clarke, New York           Mariannette Miller-Meeks, Iowa
Eric Swalwell, California            Diana Harshbarger, Tennessee
Dina Titus, Nevada                   Andrew S. Clyde, Georgia
Bonnie Watson Coleman, New Jersey    Carlos A. Gimenez, Florida
Kathleen M. Rice, New York           Jake LaTurner, Kansas
Val Butler Demings, Florida          Peter Meijer, Michigan
Nanette Diaz Barragan, California    Kat Cammack, Florida
Josh Gottheimer, New Jersey          August Pfluger, Texas
Elaine G. Luria, Virginia            Andrew R. Garbarino, New York
Tom Malinowski, New Jersey
Ritchie Torres, New York
                       Hope Goins, Staff Director
                 Daniel Kroese, Minority Staff Director
                          Natalie Nixon, Clerk
                          
                                 ------                                

     SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND 
                               INNOVATION

                 Yvette D. Clarke, New York, Chairwoman
Sheila Jackson Lee, Texas            Andrew R. Garbarino, New York, 
James R. Langevin, Rhode Island          Ranking Member
Elissa Slotkin, Michigan             Ralph Norman, South Carolina
Kathleen M. Rice, New York           Diana Harshbarger, Tennessee
Ritchie Torres, New York             Andrew Clyde, Georgia
Bennie G. Thompson, Mississippi (ex  Jake LaTurner, Kansas
    officio)                         John Katko, New York (ex officio)
               Moira Bergin, Subcommittee Staff Director
          Austin Agrella, Minority Subcommittee Staff Director
                   Mariah Harding, Subcommittee Clerk
                           
                           C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Chairwoman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement.................................................     1
  Prepared Statement.............................................    10
The Honorable Andrew R. Garbarino, a Representative in Congress 
  From the State of New York, and Ranking Member, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Oral Statement.................................................    12
  Prepared Statement.............................................    12
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Chairman, Committee on 
  Homeland Security:
  Prepared Statement.............................................    21
The Honorable John Katko, a Representative in Congress From the 
  State of New York, and Ranking Member, Committee on Homeland 
  Security:
  Oral Statement.................................................    13
  Prepared Statement.............................................    14

                               Witnesses

Mr. Ronald Bushar, Vice President and Government CTO, FireEye 
  Mandiant:
  Oral Statement.................................................    15
  Prepared Statement.............................................    18
Ms. Heather Hogsett, Senior Vice President, Technology & Risk 
  Strategy for BITS, Bank Policy Institute:
  Oral Statement.................................................    21
  Prepared Statement.............................................    23
Mr. John S. Miller, Senior Vice President of Policy, and General 
  Counsel, Information Technology Industry Council:
  Oral Statement.................................................    29
  Prepared Statement.............................................    30
Mr. Robert Mayer, Senior Vice President, Cybersecurity, 
  USTelecom:
  Oral Statement.................................................    40
  Prepared Statement.............................................    42
Ms. Kimberly Denbow, Managing Director, Security and Operations, 
  American Gas Association:
  Oral Statement.................................................    44
  Prepared Statement.............................................    46

                             For the Record

The Honorable Yvette D. Clarke, a Representative in Congress From 
  the State of New York, and Chairwoman, Subcommittee on 
  Cybersecurity, Infrastructure Protection, and Innovation:
  Letter From Claroty............................................     3
  Statement of Accenture.........................................     5
  Letter From Multiple Associations..............................     6
  Letter From NTCA--The Rural Broadband Association..............     8
  Statement of the American Public Power Association (APPA) and 
    the National Rural Electric Cooperative Association (NRECA)..     9

 
 STAKEHOLDER PERSPECTIVES ON THE CYBER INCIDENT REPORTING FOR CRITICAL 
                       INFRASTRUCTURE ACT OF 2021

                              ----------                              


                      Wednesday, September 1, 2021

             U.S. House of Representatives,
                    Committee on Homeland Security,
                            Subcommittee on Cybersecurity, 
                                 Infrastructure Protection,
                                            and Innovation,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 12 p.m., via 
Webex, Hon. Yvette D. Clarke [Chairwoman of the subcommittee] 
presiding.
    Present: Representatives Clarke, Jackson Lee, Langevin, 
Thompson (ex officio), Garbarino, Clyde, and Katko (ex 
officio).
    Ms. Clarke. The Committee on Cybersecurity, Infrastructure 
Protection, and Innovation will come to order. The subcommittee 
is meeting today to receive testimony on ``Stakeholder 
Perspectives on the Cyber Incident Reporting for Critical 
Infrastructure Act of 2021.''
    Without objection, the Chair is authorized to declare the 
committee in recess at any point.
    So good afternoon, everyone. I would like to thank the 
witnesses for participating in today's hearing on the Cyber 
Incident Reporting for Critical Infrastructure Act of 2021.
    Earlier this year, this committee held a joint hearing with 
the Committee on Oversight and Reform to examine the SolarWinds 
supply chain attack. Our oversight revealed a number of gaps in 
Federal authorities, policies, and capabilities that Congress 
must address to secure its own networks and better serve its 
private-sector partners. But what stood out to me was how lucky 
we were that FireEye disclosed that it had been compromised. 
Where would we be if they had chosen not to?
    At this hearing--at the hearing, excuse me, I asked whether 
we would benefit from implementing a mandatory cyber incident 
reporting framework. Microsoft President Brad Smith observed 
that today information is siloed and that we need one entity in 
a position to scan the entire horizon and connect the dots 
between all of the attacks or hacks that are taking place.
    SolarWinds President Sudhakar Ramakrishna testified having 
a single entity to which all of us can report will serve the 
fundamental purpose of building speed and agility and argued 
that private enterprises, ``should be instructed with reporting 
requirements and be made part of this community vision where 
public and private sectors can work together on addressing this 
issue.''
    At the same hearing, FireEye CEO Kevin Mandia testified 
about the importance of centralizing intelligence to improve 
the speed at which the picture and vision will come together, 
end quote. That hearing convinced me that Congress must act to 
ensure the cybersecurity and infrastructure security agency 
known as CISA receives timely cyber incident information from 
critical infrastructure owners and operators. Since then, I 
have worked with Chairman Thompson, Ranking Member Katko to 
draft legislation to establish a mandatory cyber incident 
reporting framework at CISA. I would like to thank them both 
for their support in this effort.
    The draft legislation we are discussing today is the 
product of months of dialog with Government officials and 
private-sector stakeholders. I want to express my gratitude to 
those who worked with the committee to provide feedback on 
various drafts of the legislation. We have worked hard to draft 
the legislation in a manner that will result in the greatest 
security impact for both the Federal Government and the private 
sector, and I am proud of the draft we have developed.
    Our bill would direct CISA, after a 270-day period with 
mandatory windows of stakeholder consultation and comment, to 
issue an interim final rule describing, No. 1, which critical 
infrastructure owners and operators are subject to the 
reporting requirement; No. 2, which cyber incidents need to be 
reported; No. 3, the mechanism for submitting reports; and, No. 
4, other details necessary for implementation.
    Importantly, our bill seeks to establish this new mandatory 
reporting program in a way that sets it apart from CISA's 
voluntary cyber programs by establishing a new cyber incident 
review office and tasking this new office with a discrete 
mission of receiving, aggregating, analyzing, and securing 
cyber incident reports. The bill also aims to ensure that 
covered entities benefit from the new reporting requirement in 
three ways: First, our bill requires CISA to publish quarterly 
reports with analyzed findings to provide better situational 
awareness to its partners. Second, it directs CISA to identify 
any actionable threat intelligence that should be shared 
rapidly and confidentially with cyber, ``first responders,'' to 
prevent or respond to other attacks. Third, it requires CISA to 
notify private-sector entities that may have been impacted by 
data breaches or intrusions on Federal networks.
    I am pleased with the progress we have made on this 
legislation but want to be clear that our work is on-going. We 
remain open to additional questions and feedback because it is 
important to get this right.
    In recent days, I have been asked whether we would ask 
compliance challenges that certain small businesses may have. I 
want to be clear that we do not expect all critical 
infrastructure owners and operators to be subject to this 
reporting requirement. Rather, we expect it to apply only to a 
subset.
    That said, I would be certainly--I would certainly be happy 
to explore whether we need to add language directing CISA to 
provide additional compliance assistance to small businesses 
that are determined to be covered entities.
    I look forward to hearing additional stakeholder 
perspectives on the legislation today.
    Before I close and without objection, I would like to 
include in the record letters of support from Claroty and 
Accenture, as well as a letter signed by 18 associations, 
including ITI, the Cyber Threat Alliance, the American Gas 
Association, Airlines for America, and the Cyber Coalition, 
among others.
    [The information follows:]
                          Letter From Claroty
                                 September 1, 2021.
Rep. Yvette Clarke,
Chairwoman, Cybersecurity, Infrastructure Protection & Innovation 
        Subcommittee, House Committee on Homeland Security, Washington, 
        DC 20515.
Rep. John Katko,
Ranking Member, House Committee on Homeland Security, Washington, DC 
        20515.
    Dear Reps. Clarke and Katko: On behalf of Claroty, a leading 
worldwide provider of industrial cyber security solutions with the 
mission to drive visibility, continuity, and resiliency in the 
industrial economy, it is my pleasure to send this letter in support of 
your ``Cyber Incident Reporting for Critical Infrastructure Act of 
2021''. By way of background, Claroty's solutions are deployed in 
thousands of industrial locations and facilities, in over 50 countries 
across all seven continents. We serve hundreds of customers, across 
many industrial verticals in critical infrastructure including energy, 
water, oil & gas, pipelines, food & beverage, pharmaceuticals, and 
other areas of critical manufacturing. Claroty's Operational Technology 
(OT) platform has been selected, tested, and validated by the world's 
leading industrial automation and cybersecurity vendors, elite system 
integrators, and Managed Security Service Providers. We are the only OT 
security provider to be certified by the U.S. Department of Homeland 
Security's Support Anti-Terrorism by Fostering Effective Technologies 
(SAFETY) Act, which was created to encourage the development and 
deployment of counterterrorism technologies.
    We appreciate the opportunity to provide our thoughts and insights 
on your cyber incident reporting legislation. This bill is a very 
important step toward building a future where the Federal Government 
obtains more actionable information from the private sector on cyber 
incidents so that the Internet ecosystem can be made more secure.
    As Claroty reviewed the draft legislation, there were several 
attributes which led us to the conclusion that this is a measure we 
should support:
   Creation of the Cyber Incident Review Office Under CISA is 
        an Important Step to Provide Comprehensive Situational 
        Awareness of Cyber Incidents.--As part of its creation, the 
        Cybersecurity and Infrastructure Security Agency (CISA) was 
        chartered to provide a wide range of cyber functions and 
        capabilities across Federal Government, agencies, State, local, 
        Tribal, territorial governments agencies, and the private 
        sector. As part of a cyber incident notification bill, we 
        believe that having a single entity responsible for receiving, 
        analyzing, and reporting on all significant cyber incidents 
        would provide a common understanding of cyber situational 
        awareness that could ensure the U.S. National interest are more 
        effectively secured, and accomplished in a more timely and 
        efficient manner. Whether adversaries are sophisticated and 
        targeted, or unsophisticated and opportunistic, having an 
        overarching situational awareness under a single entity of the 
        U.S. Government provides an advantage over fragmented 
        Departmental views of localized hot spots. The attackers play 
        to their strengths of only needing to be right once, while 
        defenders need to right every time. So too does the U.S. 
        Government need to play to our strength by enabling a unified 
        understanding of cyber situational awareness to ensure we can 
        gain insights and provide actionable recommendations. As such, 
        we agree with your legislation's intent that CISA should be 
        provided clear regulatory authority to operate and enforce the 
        cyber incident notification legislation, with full support, 
        cooperation, and coordination with departments and agencies. 
        Additionally, there will clearly need to be an assessment 
        performed regarding resources and funding required to 
        effectively staff the agency and provide capabilities to ensure 
        it can successfully execute on this expanded mission. We stand 
        ready to help you and your colleagues in the Appropriations 
        committee to help in this regard.
   Conduct cybersecurity reviews in the wake of Significant 
        Cyber Incidents.--One subtlety overlooked about the Oldsmar 
        water treatment facility breach in February 2021 was the 
        willingness of law enforcement and plant officials to share 
        details about the attack vector used to gain access to the 
        network, as well as the potential consequences to public safety 
        had controls not been in place to mitigate the attacker's 
        actions. There is tremendous value in these details for peers 
        across industries. Compounding the urgency of this narrative is 
        the news that a California water treatment facility was 
        breached by remote attackers just weeks earlier in January--
        using the same exact attack technique in February during the 
        Oldsmar attack. Had details about the California attack been 
        disclosed in a timely manner, that Oldsmar incident may have 
        been prevented. Your legislation, by requiring a review of 
        significant cybersecurity incidents is an important step toward 
        making permanent this concept, which will help reduce the 
        number of cyber incidents across U.S. critical infrastructure. 
        If we look at the effectiveness of the National Transportation 
        Safety Board an exemplar, its successes in driving apolitical 
        learnings that have resulted in improved confidence and the 
        reduction of accidents demonstrate that should be replicated in 
        cybersecurity. As you look to continue making improvements in 
        your bill, you might consider adding more content to this 
        section of your bill consistent with Section 5 of Executive 
        Order 14028 (the section which established a Cyber Safety 
        Review Board, with the charter of reviewing and assessing 
        serious incidents against Federal Civilian Executive branch and 
        non-Federal systems).
   The Scope of the Proposed Legislation Appropriately Calls 
        Out Industrial Economy-Specific Requirements.--As industrial OT 
        environments such as water treatment facilities and electrical 
        substation are being connected to the IT network, new risks are 
        introduced in the physical world that were not risks in the 
        digital world. We therefore believe that the drafted 
        legislation appropriately calls out not only risks to 
        confidentiality, integrity, and availability of information 
        systems, but also addresses the risks to the safety and 
        resiliency of operational systems and processes. This broader 
        scope will ensure that industrial enterprises take a more 
        expansive view of physical and safety risk--not only to the 
        digital risk affecting IT systems.
   The Cyber Incident Notification Period of 72 Hours is in-
        line with Established Standards.--During the initial hours of a 
        potential cyber incident, a significant amount of fact-finding 
        must occur to validate that the event was truly a malicious 
        cyber incident and determine its potential scope and impact. 
        While large enterprises may be able to accomplish this rapidly, 
        smaller or less well-funded organizations may need to enlist 
        the support of third parties to effectively conduct these 
        activities. Establishing the initial reporting period to 72 
        hours is the general expectation established from the 2018 
        European Union's General Data Protection Regulation (GDPR) and 
        would be an effective benchmarking that most organizations are 
        using as a standard. Any shorter of a notification period would 
        run the risk of creating of too many ``false positives'' which 
        would not be an effective use of Federal Government resources.
    As this bill moves through the legislative process, there is one 
additional area that you might consider when perfecting the text. 
Specifically, we encourage you to look at how this bill might create 
disincentives for failure to notify. While the reporting requirements 
for covered entities are clear in the proposed legislation, we are 
concerned that given the increasing frequency and impact of cyber 
attacks, the onus of reporting should be placed on the covered entities 
for Significant Cyber Incidents and backed with disincentives for a 
failure to comply. At present, organizations are open to substantial 
brand and reputational risk for reporting on a cyber incident. The 
executive decision is therefore tipped all too frequently in favor of 
not reporting cyber incidents and working to quietly fix them behind 
the scenes. While focused on privacy, GDPR has driven substantial 
adoption of its obligations world-wide due to the very high fines for 
violating (=20M or 4 percent of global revenue--whichever is higher) 
the breach notification provision. Of note, until the financial 
penalties were enacted in the latest version of GDPR, compliance was 
halfhearted. At present, many organizations view reporting as having a 
reputational and brand impact, and without penalties will decide not to 
report incidents. Claroty believes that given the risk to U.S. National 
security and interest, we must tip the financial calculus in favor of 
notification, that must be done through penalties and enforcement for 
organizations that are clearly in violation. We also believe that this 
new set of risks will drive Boards of Directors to govern and manage 
cyber risk, which will drive funding and action through the 
organization more effectively. By creating effective and material 
economic disincentives for organizations who do not comply with the 
expected outcomes, we tip the scale in favor of reporting. To the end, 
we would encourage you to engage those with experience in GDPR 
compliance to understand how the financial penalties of that measure 
have been received, and then decide whether that might be a valuable 
addition to this bill.
    My Claroty colleagues and I stand ready to assist you in your 
efforts to advance this legislation and look forward to continuing our 
strong working relationship with your staff to that end.
            Sincerely,
                                               Grant Geyer,
                                    Chief Product Officer, Claroty.
                                 ______
                                 
                         Statement of Accenture
                              August 2021
    Accenture supports the Cyber Incident Reporting for Critical 
Infrastructure Act of 2021 and welcomes the opportunity to provide our 
feedback on the draft legislation. To improve the Nation's 
cybersecurity posture, the Federal Government needs to have greater 
awareness of cybersecurity incidents across critical infrastructure, 
and this draft legislation would achieve that. Accenture commends the 
bill drafters for working on a bipartisan basis and for sharing the 
draft with industry to solicit feedback and collaboration prior to 
introduction.
    Accenture believes the draft legislation:
   Strikes the right balance by requiring narrowly-tailored 
        incident information that can help the Federal Government get a 
        more robust picture of the cyber landscape without 
        overburdening companies with unworkable and overly broad 
        reporting mandates. The legislation strikes this balance by 
        directing CISA to focus on the most critical of critical 
        infrastructure owners and operators and narrowly tailor the 
        definition of a covered cybersecurity incident (and excluding 
        potential incidents). We note that CISA's effort to identify 
        the appropriate covered entities could be done in harmony with 
        proposals for it to identify systemically important critical 
        infrastructure.
   Tailors the incident information required to be provided to 
        CISA, which will help CISA get a broader picture of serious 
        threats to critical infrastructure by focusing on IOCs and 
        TTPs. Information, if available, such as behavioral 
        descriptors, failed/subverted controls or other investigational 
        artifacts can help CISA better protect other critical 
        infrastructure owners and operators by looking for trends and 
        warning others who may be similarly targeted.
   Directs CISA to work to harmonize existing regulatory 
        requirements on incident reporting with the new requirements in 
        this draft bill, and coordinate with regulators that already 
        receive cyber incident reports to streamline processes. As the 
        bill drafters know, not all critical infrastructure sectors are 
        alike. Some sectors such as financial services are far along in 
        their cybersecurity maturity and have existing regulations and 
        practices. For those advanced sectors, it is crucial that CISA 
        examine existing incident notification expectations that are 
        both in regulation and in practice to ensure that the reporting 
        is aligned with the risk profile to the sector as well as the 
        Nation's security. Other sectors' cybersecurity posture such as 
        water and agriculture systems are quite nascent. For the 
        nascent entities, budgeting for, building the capacity for, and 
        implementing the new requirements and maturing their 
        cybersecurity posture will take some time. Still others, such 
        as pipelines within the transportation system and Federal ICT 
        providers subject to the new cyber Executive Order, have new 
        incident notification requirements to comply with. It is 
        imperative that policy makers and CISA take all of this into 
        account when developing the new requirements to reduce 
        confusion, complexity, and duplication.
   Focuses on a ``prompt'' reporting standard that cannot be 
        shorter than 72 hours, rather than a 24-hour requirement. Once 
        anomalistic activity is identified, it can take some time for a 
        company to verify the intrusion and identify whether it is a 
        serious enough event to warrant reporting. From Accenture's 
        experience in working with many companies across critical 
        infrastructure to respond to such incidents, 72 hours is a 
        reasonable time frame to be able to determine scope, impact, 
        and initial TTPs and IOCs and possibly share malware samples 
        for further analysis. This information would be important to 
        report the initial understanding of an attack with updates as 
        new information is learned. Timing shorter than 72 hours would 
        likely burden CISA with incomplete, unactionable, unhelpful, 
        and inaccurate information. Accenture commends the bill 
        drafters for appropriately balancing the Government's need for 
        information with the affected companies' ability to perform 
        time-sensitive incident response. It may also be helpful to 
        outline a periodic update cycle even if there is no new 
        information, and then a close-out report indicating the 
        incident is contained and remediated and signaling an end to 
        the requirements.
   Incorporates use and liability protections consistent with 
        CISA 2015. (There are a few provisions seemingly not carried 
        over from CISA 2015 and we look forward to further discussion 
        on those items.) While we endorse the regulatory requirement 
        for incident notification, the legislation should seek to 
        structure the Government's role as part of a partnership to 
        improve America's cybersecurity stance, rather than a 
        compliance exercise.
    To improve the private/public collaboration that is so central to 
this legislation, Accenture recommends 4 points for further 
consideration:
   Require CISA to issue a proposed rule, rather than an 
        interim final rule, to allow for more meaningful industry 
        collaboration which ultimately will result in more engagement 
        and buy-in from the private sector. This significant change to 
        critical infrastructure entities' risk management programs and 
        relationship with CISA warrants fulsome consultation and 
        consideration.
   Companies would like clarification that the information they 
        provided, if shared outside the new office, will be anonymized 
        to protect sensitive information and build companies' 
        confidence that the information sharing will not be used 
        against them.
   Prior to enforcement of the notification provisions, 
        companies would like to understand what protocols will be in 
        place to ensure the security of the information they provide. 
        This will go a long way toward building companies' confidence 
        that the sensitive information provided will be protected.
   Include clear requirements for CISA to promptly share with 
        the private sector the (anonymized) IOCs, TTPs, and threat 
        actor profile (aka SITREP) incident information it receives 
        pursuant to the legislation to improve response by the affected 
        industry and improve resilience across critical infrastructure.
                                 ______
                                 
                   Letter From Multiple Associations
                                   August 27, 2021.
The Honorable Gary Peters,
Chairman, Committee on Homeland Security & Government Affairs, U.S. 
        Senate.
The Honorable Mark Warner,
Chairman, Select Committee on Intelligence, U.S. Senate.
The Honorable Bennie Thompson,
Chairman, Committee on Homeland Security, U.S. House of 
        Representatives.
The Honorable Yvette Clarke,
Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, 
        and Innovation, U.S. House of Representatives.
The Honorable Rob Portman,
Ranking Member, Committee on Homeland Security & Government Affairs, 
        U.S. Senate.
The Honorable Marco Rubio,
Vice Chairman, Select Committee on Intelligence, U.S. Senate.
The Honorable John Katko,
Ranking Member, Committee on Homeland Security, U.S. House of 
        Representatives.
The Honorable Andrew Garbarino,
Ranking Member, Subcommittee on Cybersecurity, Infrastructure 
        Protection, and Innovation, U.S. House of Representatives.
    Dear Chairs, Vice Chairman, and Ranking Members: The undersigned 
associations, representing major sectors of the American economy, 
including the owners, operators, and those that support and maintain 
the Nation's critical infrastructure, appreciate Congress's on-going 
focus on cybersecurity incident reporting legislation. Our industries 
recognize the value of public-private collaboration facilitated by 
mutual sharing of actionable information on significant cybersecurity 
incidents and intrusions with Federal agencies. Incident Reporting 
legislation pending in Congress, when harmonized with the requirements 
of Section 2 of President Biden's Executive Order on Improving the 
Nation's Cybersecurity, have the potential to improve the Nation's 
cybersecurity posture if appropriately developed and implemented.
    To ensure an effective incident reporting regime that leverages the 
limited resources of Federal agencies, enables regulatory compliance, 
provides liability protections, and advances National cybersecurity 
interests, we believe that policy makers in Congress should, at a 
minimum, follow five key principles:
    Establish feasible reporting time lines of no less than 72 hours.--
Cybersecurity incidents are crisis moments for victim organizations. To 
ensure that the Cybersecurity and Infrastructure Security Agency (CISA) 
and its interagency partners receive actionable information on truly 
significant incidents, it is essential to give incident responders time 
to evaluate the intrusion to determine its impact. Shorter time lines 
also greatly increase the likelihood that the entity will report 
inaccurate or inadequately contextualized information that will not be 
helpful, potentially even undermining cybersecurity response and 
remediation efforts. A formal report on a verified, significant 
incident should not preclude less-fulsome notifications to CISA on a 
more flexible time line.''
    Limit reporting regulations to verified incidents and intrusions.--
Incident reporting should focus on verified incidents rather than 
potential incidents or ``near misses.'' Reporting verified incidents, 
that have been well-defined and scoped, will avoid a culture of 
overreporting that will strain limited incident response capacity and 
capabilities inside and outside the Government. It also can help ensure 
that information received is useful and actionable.
    Limit reporting obligations to the victim organization, rather than 
third-party vendors or providers.--Any legislation should ensure that 
the reporting obligation falls only on compromised affected entities. 
Vendors and third-party service providers should not be required to 
report cybersecurity incidents to the U.S. Government that have 
occurred on their customers' networks and vice versa. Such a 
requirement would pose numerous challenges to normal business 
operations, including potentially forcing vendors or third parties to 
disclose business confidential information of that customer or breach 
their contractual obligations. Requiring third-parties to report 
incidents could even disincentivize companies from employing outside 
cybersecurity services to the detriment of those companies' own 
security and resilience.
    Harmonize Federal cybersecurity incident reporting requirements.--
It is imperative that Congress streamline and normalize Federal 
reporting requirements to ensure resources are used to combat malicious 
cyber threat activity, rather than customizing reports on the same 
incident to multiple agencies. Numerous Federal agencies currently have 
disparate incident reporting requirements, many of which are just being 
implemented. Reported information should be aggregated, anonymized, 
analyzed, and shared, with Government and industry, in a manner to 
assist in the mitigation and/or prevention of future cyber incidents.
    Ensure confidentiality and nondisclosure of incident information 
provided to the Government.--It is imperative that any legislation have 
strong and transparent rules about the confidentiality of incident 
information that is shared with or by Federal agencies. Such rules 
should govern not only the dissemination of incident information with 
relevant interagency partners, but should specifically preclude direct 
or indirect use of such information by the Federal Government. These 
rules must be crafted to guarantee compliance with existing legal 
regimes, including contractual, intellectual property, and privacy 
obligations.
    Our industries strongly believe that securing the Nation's digital 
assets is a shared responsibility requiring collaboration between the 
private sector and Federal partners. We stand ready to assist policy 
makers as they develop their proposals on this important National 
security issue.
            Sincerely,
                                            ACT/The App Association
                                         Airlines for America (A4A)
                        American Fuel & Petrochemical Manufacturers
                                       American Petroleum Institute
                                           American Gas Association
                                                Business Roundtable
                                          BSA/The Software Alliance
                      The Computing Technology Industry Association
                              Consumer Technology Association (CTA)
                                                    Cyber Coalition
                                              Cyber Threat Alliance
                                          Edison Electric Institute
                                Electronic Transactions Association
                      Information Technology Industry Council (ITI)
                                               Internet Association
                        Software & Information Industry Association
                                                            TechNet
                     Telecommunications Industry Association (TIA).

    Ms. Clarke. Additionally, without objection, I include in 
the record comments from NTCA, APPA, and NRECA.
    [The information follows:]
           Letter From NTCA--The Rural Broadband Association
                                   August 30, 2021.
The Honorable Gary Peters,
Chairman, Committee on Homeland Security & Government Affairs, U.S. 
        Senate.
The Honorable Mark Warner,
Chairman, Select Committee on Intelligence, U.S. Senate.
The Honorable Bennie Thompson,
Chairman, Committee on Homeland Security, U.S. House of 
        Representatives.
The Honorable Yvette Clarke,
Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, 
        and Innovation, U.S. House of Representatives.
The Honorable Rob Portman,
Ranking Member, Committee on Homeland Security & Government Affairs, 
        U.S. Senate.
The Honorable Marco Rubio,
Vice Chairman, Select Committee on Intelligence, U.S. Senate.
The Honorable John Katko,
Ranking Member, Committee on Homeland Security, U.S. House of 
        Representatives.
The Honorable Andrew Garbarino,
Ranking Member, Subcommittee on Cybersecurity, Infrastructure 
        Protection, and Innovation, U.S. House of Representatives.
    Dear Chairs, Vice Chairman, and Ranking Members: Thank you for your 
leadership to promote the security of our Nation's critical 
infrastructure. NTCA--The Rural Broadband Association represents over 
850 small, rural telecom providers that deliver high-speed broadband 
and voice service in the most remote areas of the country. These small 
companies serve areas where it is difficult if not impossible to make 
the business case for essential broadband network deployment without 
support from programs such as the Federal universal service fund and 
financing from the U.S. Department of Agriculture.
    Despite their small size and razor-thin operating margins, rural 
carriers work hard to manage the risk presented by constant cyber 
attacks against their networks, and several dozen have already joined 
CyberShare: The Small Broadband Provider ISAC, which NTCA initiated to 
promote the resiliency and continuity of operation of small network 
operators across the United States. Nonetheless, because NTCA's members 
operate on thin margins, because there is presently no program that 
specifically supports costs incurred from cyber risk management 
efforts, and because there are no specific mechanisms aimed at helping 
smaller operators and providers in rural areas attract individuals with 
cyber expertise, many small carriers (which average only 30 employees 
overall) have limited resources to devote to such efforts. Indeed, in 
some cases, rural operators may have only 1-2 staff who work on 
cybersecurity, and even these individuals may have other functions and 
responsibilities as well within the enterprise. Therefore, it is 
essential that these staff are free to focus on securing networks 
rather than being consumed by the need to comply with reporting 
requirements.
    With this as background, as you work toward passage of cyber 
incident reporting legislation, please consider making the reports 
voluntary for small businesses that own or operate critical 
infrastructure, or at a minimum provide extended compliance deadlines 
and/or other flexibility to allow small companies to make the necessary 
preparations. A small business exemption will also benefit those 
overseeing such compliance by cutting down on the number of reports to 
review in favor of focusing on the largest networks that are most 
likely to experience wide-spread cyber threats. And, in the event DHS 
determines that information relating to a specific cyber incident is 
necessary to obtain from smaller providers, the agency can always use 
its subpoena authority to request information from such providers.
    Absent a small company exemption, these carriers will benefit at a 
minimum from more clearly articulated expectations and flexibility for 
compliance. For example, reports should only be required for verified 
intrusions that directly and substantially impact operations, providers 
should have at least five business days to report after confirming an 
intrusion, and providers should only be required to report intrusions 
to the network they control as opposed to when they merely serve as a 
conduit for an attack on a third party. Further, duplicative reporting 
should be avoided, and providers should be confident that information 
supplied pursuant to the new requirements will not result in litigation 
or regulatory action.
    Thank you for considering how new cyber incident reporting 
requirements will impact the wide array of critical infrastructure 
owners and operators. We look forward to working with you on this 
important matter as the legislation moves forward.
            Sincerely,
                                        Shirley Bloomfield,
    Chief Executive Officer, NTCA--The Rural Broadband Association.
                                 ______
                                 
   Statement of the American Public Power Association (APPA) and the 
        National Rural Electric Cooperative Association (NRECA)
                                   August 30, 2021.
The Honorable Gary Peters,
Chairman, Committee on Homeland Security & Government Affairs, U.S. 
        Senate.
The Honorable Mark Warner,
Chairman, Select Committee on Intelligence, U.S. Senate.
The Honorable Bennie Thompson,
Chairman, Committee on Homeland Security, U.S. House of 
        Representatives.
The Honorable Yvette Clarke,
Chairwoman, Subcommittee on Cybersecurity, Infrastructure Protection, 
        and Innovation, U.S. House of Representatives.
The Honorable Rob Portman,
Ranking Member, Committee on Homeland Security & Government Affairs, 
        U.S. Senate.
The Honorable Marco Rubio,
Vice Chairman, Select Committee on Intelligence, U.S. Senate.
The Honorable John Katko,
Ranking Member, Committee on Homeland Security, U.S. House of 
        Representatives.
The Honorable Andrew Garbarino,
Ranking Member, Subcommittee on Cybersecurity, Infrastructure 
        Protection, and Innovation, U.S. House of Representatives.
    Dear Chairs, Vice Chairmen, and Ranking Members: We are writing to 
you regarding several introduced and draft bills that would mandate 
critical infrastructure sectors to report ``cyber incidents'' to the 
Department of Homeland Security's Cybersecurity and Infrastructure 
Security Agency (DHS CISA). The American Public Power Association 
(APPA) and the National Rural Electric Cooperative Association (NRECA) 
do not support additional cyber incident reporting mandates for the 
electric sector. We believe that the incident reporting mandates 
currently under discussion would burden electric utilities--especially 
smaller public power and cooperative utilities--with increased 
administrative tasks that will not materially increase their, or the 
country's, cybersecurity posture, but would likely divert limited 
resources away from securing and defending systems. That said, if 
Congress chooses to enact broad mandatory cyber incident reporting 
legislation for critical infrastructure, we agree with the principles 
laid out in the August 27 letter lead by the Information Technology 
Industry Council (ITI) and endorsed by numerous other critical 
infrastructure sector entities and associations.
    APPA is the voice of not-for-profit, community-owned utilities that 
power 2,000 towns and cities nationwide. APPA represents public power 
before the Federal Government to protect the interests of the more than 
49 million people that public power utilities serve, and the 96,000 
people they employ. Public power utilities range in size, from very 
large to very small; approximately 67 percent of public power utilities 
serve communities of 10,000 people or less. They own, operate, or use 
generation and transmission infrastructure, as well as distribution 
infrastructure directly serving homes and businesses.
    NRECA is the national trade association representing nearly 900 
local electric cooperatives and other rural electric utilities. 
America's electric cooperatives are owned by the people that they serve 
and comprise a unique sector of the electric industry. From growing 
regions to remote farming communities, electric cooperatives power one 
in eight Americans and serve as engines of economic development for 42 
million Americans across 56 percent of the nation's landscape. Electric 
cooperatives operate at cost and without a profit incentive. NRECA's 
member cooperatives include 62 generation and transmission (G&T) 
cooperatives and 831 distribution cooperatives. Both distribution and 
G&T cooperatives share an obligation to serve their members by 
providing safe, secure, reliable, and affordable electric service.
    Combined, the members of our two groups serve close to 30 percent 
of the American population, which is equivalent to more than twice the 
population of Canada. Having provisioned such electric service for 
decades, our members know that a reliable energy grid is the lifeblood 
of the nation's economic and national security, as well as vital to the 
health and safety of all Americans. Electric utilities take very 
seriously their responsibility to maintain a secure and reliable 
electric grid. It is the only critical infrastructure sector that has 
mandatory and enforceable Federal regulatory standards in place for 
cyber and physical security (collectively known as grid security). 
These standards include mandatory reporting of specific cyber incidents 
to the Department of Energy (DOE) via an Electric Emergency Incident 
and Disturbance Report (OE-417) and to the North American Electric 
Reliability Corporation (NERC) and the Federal Energy Regulatory 
Commission (FERC).
    Outside of these mandatory reporting standards, all electric 
utilities, including public power utilities and rural electric 
cooperatives, participate in robust voluntary information sharing 
systems such as the Electric Subsector Coordinating Council (ESCC) and 
the Electricity Information Sharing and Analysis Center (E-ISAC), as 
well as the Multi-State Information and Sharing Analysis Center (MS-
ISAC) for public power. Most recently, electric utilities have worked 
closely with the National Security Council, DOE, and DHS on the ``100 
Day Electric Sector Industrial Control Systems Cybersecurity Sprint'' 
to encourage and support utilities' visibility and monitoring of their 
industrial control system and operational technology networks, as well 
as automated sharing into government. It is not clear how these bills 
would impact these existing voluntary channels or existing or planned 
machine-to-machine sharing.
    Our biggest concerns with the various versions of incident 
reporting legislation currently under discussion can be grouped into 
two broad categories. The legislation: (1) Treats all critical 
infrastructure entities as equally impactful to national security--
there is no accounting for the wildly differing risk profiles of an 
electric utility serving millions of customers and a small distribution 
electric utility without an industrial control system [a type of 
operational technology] serving 250 customers; and (2) puts the onus on 
the critical infrastructure entity to share information with multiple 
government agencies, instead of encouraging and facilitating the 
sharing of information between and among agencies. While those are the 
two most significant concerns, we are also concerned that some 
proposals include heavy financial fines for failure to report within a 
very short time period. All of our members must be able to focus on the 
matter at hand in the event of a breach and should be given the 
flexibility to report once the crisis is understood and being managed. 
There has also been little discussion on how mandatory reporting 
requirements would impact long existing and robust voluntary 
information sharing systems nor on what the government's responsibility 
is in terms of actionable information sharing and support.
    Given the concerns enumerated above, APPA and NRECA do not support 
including electric utilities in the mandatory cyber incident reporting 
legislation currently under discussion. However, if Congress chooses to 
move ahead with the legislation, we urge a careful and deliberative 
process that takes into account existing reporting mandates, 
appropriately tailors the mandate commensurate with the risk to 
national security, and adheres to the principles laid out in ITI's 
letter. We appreciate the openness that your staff has shown in 
discussions with our teams and we look forward to continuing our 
dialog.
            Sincerely,
                                                 Joy Ditto,
                President & CEO, American Public Power Association.
                                              Jim Matheson,
              CEO, National Rural Electric Cooperative Association.

    Ms. Clarke. Again, I thank the witnesses for being here 
today and look forward to hearing their testimony.
    [The statement of Chairwoman Clarke follows:]
                Statement of Chairwoman Yvette D. Clarke
                            August 30, 2021
    Good afternoon. I would like to thank the witnesses for 
participating in today's hearing on the Cyber Incident Reporting for 
Critical Infrastructure Act of 2021.
    Earlier this year, this committee held a joint hearing with the 
Committee on Oversight and Reform to examine the SolarWinds supply 
chain attack.
    Our oversight revealed a number of gaps in Federal authorities, 
policies, and capabilities that Congress must address to secure its own 
networks and better serve its private-sector partners.
    But what stood out to me was how lucky we were that FireEye 
disclosed that it had been compromised.
    Where we would be if they had chosen not to?
    At the hearing, I asked whether we would benefit from implementing 
a mandatory cyber incident reporting framework.
    Microsoft President Brad Smith observed that today ``information is 
siloed'' and that we need ``one entity is in a position to scan the 
entire horizon and connect the dots between all of the attacks or hacks 
that are taking place.''
    SolarWinds President Sudhakar Ramakrishna testified: ``[H]aving a 
single entity to which all of us can report to will serve the 
fundamental purpose of building speed and agility,'' and argued that 
private enterprises ``should be instructed with reporting requirements 
and be made part of this community vision where public and private 
sectors can work together on addressing this issue.''
    At the same hearing, FireEye CEO Kevin Mandia testified about the 
importance of centralizing intelligence to ``improve the speed at which 
that picture and vision will come together.''
    That hearing convinced me that Congress must act to ensure the 
Cybersecurity and Infrastructure Security Agency (CISA) receives timely 
cyber incident information from critical infrastructure owners and 
operators.
    Since then, I have worked with Chairman Thompson and Ranking Member 
Katko to draft legislation to establish a mandatory cyber incident 
reporting framework at CISA and I would like to thank them both for 
their support in this effort.
    The draft legislation we are discussing today is the product of 
months of dialog with Government officials and private-sector 
stakeholders.
    I want to express my gratitude to those who worked with the 
committee to provide feedback on various drafts of the legislation.
    We have worked hard to draft the legislation in a manner that will 
result in the greatest security impact for both the Federal Government 
and the private sector, and I am proud of the draft we have developed.
    Our bill would direct CISA, after a 270-day period with mandatory 
windows for stakeholder consultation and comment, to issue an interim 
final rule describing:
   which critical infrastructure owners and operators are 
        subject to the reporting requirement;
   which cyber incidents need to be reported;
   the mechanism for submitting reports;
   and other details necessary for implementation.
    Importantly, our bill seeks to establish this new mandatory 
reporting program in a way that sets it apart from CISA's voluntary 
cyber programs by establishing a new Cyber Incident Review Office and 
tasking this new office with the discrete mission of receiving, 
aggregating, analyzing, and securing cyber incident reports.
    The bill also aims to ensure that covered entities benefit from the 
new reporting requirement in three ways:
   First, our bill requires CISA to publish quarterly reports 
        with anonymized findings to provide better situational 
        awareness to its partners;
   Second, it directs CISA to identify any actionable threat 
        intelligence that should be shared rapidly and confidentially 
        with cyber `first responders' to prevent or respond to other 
        attacks; and
   Third, it requires CISA to notify private-sector entities 
        that may have been impacted by data breaches or intrusions on 
        Federal networks.
    I am pleased with the progress we have made on this legislation, 
but want to be clear that our work is on-going.
    We remain open to additional questions and feedback because it is 
important to get this right.
    In recent days, I have been asked whether we would consider 
compliance challenges that certain small businesses may have.
    I want to be clear that we do not expect all critical 
infrastructure owners and operators to be subject to this reporting 
requirement--rather we expect it to apply only to a subset.
    That said, I would certainly be happy to explore whether we need to 
add language directing CISA to provide additional compliance assistance 
to small businesses that are determined to be covered entities.
    I look forward to hearing additional stakeholder perspectives on 
the legislation today.
    Before I close, I would ask unanimous consent to insert into the 
record a letter of support from Claroty, as well as a letter signed by 
18 associations, including ITI, the Cyber Threat Alliance, the American 
Gas Association, Airlines for America, and the Cyber Coalition, among 
others.
    Additionally, I ask to enter into the record comments from 
Accenture, NTCA, APPA, and NRECA.
    Without objection, so ordered.
    With that, I thank the witnesses for being here and I yield back 
the balance of my time.

    Ms. Clarke. The Chair now recognizes the Ranking Member of 
the subcommittee, the gentleman from New York, Mr. Garbarino, 
for an opening statement.
    Mr. Garbarino.
    Mr. Garbarino. Thank you very much, Chairwoman. I would 
like to thank Chairwoman Clarke for calling this important 
hearing today. We have a large panel before us, so, in the 
interest of time, I will keep my remarks brief.
    There should be no question why we are here today. Over the 
past year, our Nation has been subject to devastating 
SolarWinds cyber espionage campaign, as well as the Microsoft 
Exchange and Pulse Secure vulnerabilities, and that is just 
against the Federal Government.
    Our Nation's critical infrastructure has also been under 
attack, and the American people have begun to feel the impact. 
Everyone here remembers the ransomware attacks on Colonial 
Pipeline and JBS Meats, both of which had real-world impacts. 
The fact of the matter is that something here must change. We 
cannot allow these devastating attacks on our Nation to 
continue. We must ensure that CISA has the visibility it needs 
to help defend our Federal networks and to help our critical 
infrastructure owners and operators protect themselves.
    I have been pleased to see our majority counterparts engage 
our Members in productive conversations on this, and I hope we 
can continue the constructive dialog here today. I am 
particularly interested in learning from our witnesses about 
how they viewed some of the key provisions of this bill and 
what, if any, suggestions they have for edits.
    Thank you to our witnesses for being here today.
    Again, thank you, Chairwoman Clarke, for your leadership on 
this incredibly important topic.
    I yield back.
    [The statement of Ranking Member Garbarino follows:]
              Statement of Ranking Member Andrew Garbarino
    I would like to thank Chairwoman Clarke for calling this important 
hearing today. We have a large panel before us, so in the interest of 
time, I will keep my remarks brief.
    There should be no question why we are here today: Over the past 
year, our Nation has been subject to the devastating SolarWinds cyber 
espionage campaign, as well as the Microsoft Exchange and Pulse Secure 
vulnerabilities, and that's just against the Federal Government.
    Our Nation's critical infrastructure has also been under attack and 
the American people have begun to feel the impact. Everyone here 
remembers the ransomware attacks on Colonial Pipeline and JBS Meats, 
both of which had real-world impacts.
    The fact of the matter is that something here must change, we 
cannot allow these devastating attacks against our Nation to continue.
    We must ensure that CISA has the visibility it needs to help defend 
our Federal networks, and to help our critical infrastructure owners 
and operators protect themselves. I'm hopeful that this bill will help 
create a two-way street of information sharing between Government and 
industry.
    I've been pleased to see our majority counterparts engage our 
Members in productive conversations on this topic and I hope we can 
continue the constructive dialog here today.
    I'm particularly interested in learning from our witnesses about 
how they view some of the key provisions in this bill, and what, if 
any, suggestions they have for edits.
    Thank you to our witnesses for being here today and again, thank 
you Chairwoman Clarke for your leadership on this incredibly important 
topic.

    Ms. Clarke. I thank our Ranking Member for his brevity in 
his opening remarks. But certainly anything that you have to 
add, we are all ears. I want to thank Members--to remind 
Members that the subcommittee will operate according to the 
guidelines laid out by the Chairman and Ranking Member in their 
February 3 colloquy regarding remote procedures. I don't see 
our Chairman at this moment, but I do see our Ranking Member. 
So I want to recognize the Ranking Member of the full 
committee, the gentleman from New York, Mr. Katko, for an 
opening statement.
    Mr. Katko. Well, I would like to thank my friend and 
colleague from New York, Chairwoman Clarke, for convening this 
important hearing today. This legislative hearing is a 
fantastic opportunity for our Members to learn directly from 
industry how they are impacted by specific provisions in the 
bill as well as any changes they suggest ahead of introduction.
    Everyone in this hearing should recognize the urgency and 
precision with which we need to act. Every single day, 
entities, large and small, are affected by the scourge of 
ransomware and cyber crime. From street-level criminal gangs to 
nation-state actors, like Russia and China, nefarious actors 
target our private-sector businesses, sting local governments 
and Federal agencies millions of times per day. Unfortunately, 
many of these attempts are ultimately successful.
    In order to bolster our Nation's collective defense, we 
must enhance our visibility across both Federal and private 
networks. I have been pleased with the response we have seen 
from industry so far. I want to thank our witnesses, not just 
for being here today but for their diligent work in thinking 
through this legislative effort.
    I hope that everybody here today recognizes that our 
Nation's cybersecurity cannot simply be a Federal effort or a 
private effort, but that it is--it is and must be a joint 
effort. There is no doubt in my mind that cybersecurity is a 
deep preeminent threat to our country today. Without enhanced 
collaboration and visibility, we will continue to fall victim 
to the cowardly actors that target our Nation, our 
constituents, and all of us on a daily basis.
    I have been pleased to work with Chairman Thompson, 
Chairwoman Clarke, and all our critical industry partners on 
this bill. I look forward to continue prioritizing major 
cybersecurity reforms through this committee on a bipartisan 
basis, including my SICI bill, which is coming up in the next 
few days. That is the Systemically Important Critical 
Infrastructure.
    One of the things that drew me to this committee other than 
just my background in law enforcement over 20 years is the fact 
that there is a spirit of bipartisanship here, and there is a 
spirit of teamwork here that is manifesting itself again today. 
I mean, I commend the Chairwoman for that and Mr. Garbarino as 
well. But going forward, there is a lot of other things like my 
Systemically Important Critical Infrastructure bill and many 
others that are going forward, and I hope we can have the same 
type of teamwork on that again as well.
    So thank you, again, Ms. Clarke, for being here today, and 
thank you for holding this important hearing.
    Thank you for the witnesses as well, and thank you, Mr. 
Garbarino.
    I yield back.
    [The statement of Ranking Member Katko follows:]
                 Statement of Ranking Member John Katko
    I would like to thank Chairwoman Clarke for convening this 
important hearing today.
    This legislative hearing is a fantastic opportunity for our Members 
to learn directly from industry how they are impacted by specific 
provisions in the bill, as well as any changes they suggest ahead of 
introduction.
    Everyone in this hearing should recognize the urgency and precision 
with which we need to act.
    Every single day, entities large and small are affected by the 
scourge of ransomware and cyber crime.
    From street-level criminal gangs to nation-state actors like Russia 
and China, nefarious actors target our private-sector businesses, State 
and local governments, and Federal agencies millions of times per day. 
Unfortunately, many of those attempts are ultimately successful.
    In order to bolster our Nation's collective defense, we must 
enhance our visibility across both Federal and private networks.
    I have been pleased with the response we've seen from industry so 
far, and I want to thank our witnesses, not just for being here today, 
but for their diligent work in thinking through this legislative 
effort.
    I hope that everyone here today recognizes that our Nation's 
cybersecurity cannot simply be a Federal effort, or a private effort, 
but that it must be joint effort.
    Without enhanced collaboration and visibility, we will continue to 
fall victim to the cowardly actors that target our Nation--our 
constituents--on a daily basis.
    I have been pleased to work with Chairwoman Clarke, Chairman 
Thompson, and all our critical industry partners on this bill. I look 
forward to continue prioritizing major cybersecurity reforms through 
this committee on a bipartisan basis, including my SICI bill in the 
coming days.
    Thank you again to our witnesses for being here today, and thank 
you Chairwoman Clarke for holding this important hearing.

    Ms. Clarke. I thank our Ranking Member for his comments and 
opening statement, and I am going to then proceed to our 
witnesses. Should our Chairman join us, we will take a break to 
hear his comments.
    I now welcome our panel of witnesses. First, I would like 
to welcome Mr. Ronald Bushar, the senior vice president and 
global government CTO for FireEye Mandiant who works at the 
intersection of public-private incident response efforts for 
the types of cyber attacks we are here to discuss today.
    Second, we will hear from Ms. Heather Hogsett with the Bank 
Policy Institute, also known as BPI, a nonpartisan research 
advocacy group representing the Nation's top banks. Ms. Hogsett 
is the senior vice president of technology and risk strategy 
for BITS, the technology policy division of BTI.
    Third, we have Mr. John Miller, the senior vice president 
of policy and general counsel for the Information Technology 
Industrial Council, also known as ITI, which represents the 
world's leading information and communication technology 
companies.
    Next, I am pleased to welcome Mr. Robert Mayer back before 
the subcommittee. Mr. Mayer is the senior vice president for 
cybersecurity and innovation at the USTelecom and chairs the 
Communications Sector Coordination Council.
    Then, finally, we have Ms. Kimberly Denbow, the managing 
director of security and operations for the American Gas 
Association, who also co-chairs the Cybersecurity Working Group 
for the Pipeline Sector Coordinating Council and the oil and 
natural gas sector.
    Without objection, the witnesses' full statement will be 
inserted in the record.
    I now ask each witness to summarize his or her statement 
for 5 minutes, beginning with Mr. Bushar.
    Mr. Bushar, I believe you may be muted.

STATEMENT OF RONALD BUSHAR, VICE PRESIDENT AND GOVERNMENT CTO, 
                       FIRE EYE MANDIANT

    Mr. Bushar. Always a good start to a hearing. Apologies, 
Chairwoman.
    Thank you, Chairwoman Clarke, Ranking Member Garbarino, and 
all the Members the subcommittee for the opportunity to talk 
with you today about this important cyber incident reporting 
topic.
    FireEye Mandiant applauds your efforts to tackle this 
complex issue and appreciates the open dialog we have enjoyed 
with you and your staff.
    Public-private partnerships are critical to the success of 
any cyber incident reporting or disclosure program, both in its 
development and ultimately in its execution. My comments for 
today's hearing will focus primarily on the major tenets and 
benefits of the cyber incident reporting framework.
    But before I turn to this specific topic, let me share some 
background on myself and my company to establish context for my 
narrative and statements today.
    I started my career in the United States Air Force as an 
officer in what was at the time termed information warfare. For 
more than 20 years, I have worked in cyber defense operations, 
cybersecurity consulting, and incident response services in 
both the Government and commercial sectors, including time at 
the U.S. Department of Justice.
    In my current role at FireEye Mandiant, I lead a global 
team of cyber experts who deliver our capabilities and security 
functionality and solutions to protect critical missions, 
infrastructure, and National security interests world-wide.
    As I testify today, FireEye Mandiant employees are on the 
front lines of a cybersecurity battle, really, responding to 
over 150 active computer intrusions at some of the largest 
organizations and companies in the world. Over the last 17 
years, we have responded to tens of thousands of security 
incidents. It is unfortunate, but we receive calls almost daily 
from organizations that have suffered a cybersecurity breach. 
For each security incident we respond to, it is our objective 
to determine what happened and what organizations can do to 
avoid similar incidents in the future. We also maintain over 
200 intelligence professionals and analysts located in more 
than 20 countries, speaking over 30 languages, who pursue 
attribution, identification, and more detailed information 
about threat actors, their motivations, and intents.
    FireEye Mandiant is encouraged by the draft legislation the 
subcommittee has developed to improve cyber incident reporting. 
The bill is a positive step forward in achieving important, 
long-term goals of enabling early detection of malicious cyber 
attacks. It would also enhance the Federal Government 
situational awareness to better partner with and assist 
private-sector entities that become cyber attack victims. This 
whole-of-community approach is critical to increasing capacity 
and to prevent future cyber attacks as well as to drive 
ultimately, we believe, deterrence in this space.
    Any legislation on this matter should take into 
consideration the evolving cyber threat landscape; the 
increasingly sophisticated tactics, techniques, and procedures 
used by adversaries; and lessons learned from existing 
voluntary information-sharing models as established by the 
Cybersecurity Information Sharing Act of 2015. Simply put, any 
reporting framework must be agile and include opportunities for 
the Federal Government to pivot or adjust its reporting 
requirements to keep pace with the threat landscape and actor 
and adversary actions and activity.
    The U.S. Government should consider a Federal incident 
reporting program that goes beyond voluntary sharing of threat 
indicators as authorized under the 2015 legislation. It should 
also include mandatory disclosure requirements for cyber 
incidents. Major tenets of such a program should safeguard the 
protection and integrity of electronic and other types of data; 
ensure confidential sharing; encourage entities to adapt, 
recognize cybersecurity standards and practices with a minimum 
threshold; provide greater incentives for private-sector 
entities, including liability protections and statutory 
privilege to not be disclosed in civil litigation; protect 
privacy and civil rights; and provide outreach and technical 
assistance to entities that do not have cybersecurity expertise 
or capabilities.
    FireEye Mandiant believes that strong cyber community 
protection is predicated on several key concepts, and lawmakers 
should consider the following additional components that we 
believe would constitute a robust and ultimately successful 
cyber incident reporting program.
    No. 1, reporting requirements should account for two key 
outcomes: Timely and relevant reporting of critical 
intelligence to relevant Government authorities for assessment, 
correlation, and decision support; and, No. 2, reasonable 
latitude for the victim to determine nature, extent, and 
potential impact of a breach or attack. In the first instance, 
the timeliness and quality of the data reported to the 
Government will largely determine how effective the response to 
and disruption of the attack will ultimately be.
    In the second instance, cyber attacks are often complex and 
require sophisticated analysis to fully understand the scope of 
compromise. Victims require support from external firms to 
fully analyze a breach and will likely be dealing with other 
business impacts and crisis management activities during such 
activities.
    Allowing for a reasonable amount of time to properly assess 
the situation before requiring reporting will limit false 
positives and redundant or contradictory information and 
prevent unnecessary data collection on the part of CISA. 
FireEye Mandiant encourages lawmakers to consider harmonizing 
reporting requirements with existing Federal acquisition 
regulations and standards to provide for consistent and 
streamlined regime that simplifies business processes and 
ultimately encourages and streamlines compliance as well.
    Second, FireEye Mandiant strongly believes in the concept 
of a public-private partner approach to cybersecurity. Unlike 
most other domains at risk, cyber attacks and cyber crimes are 
almost always predicated on the use of--use traversal or 
compromise of privately-owned infrastructure, even when the 
attacks are focused on Government or National security assets. 
The private sector, especially critical infrastructure sector 
businesses, is both a key component over all National cyber 
resiliency and a key source of intelligence on our adversaries' 
capability, intent, and activities in cyber space. Over the 
past decade, many Federal agencies, including CISA, the FBI, 
the United States Secret Service, and the National Security 
Agency, have built strong partnerships with key cybersecurity 
and critical infrastructure organizations through voluntary 
programs outreach and support.
    While we recognize that much more needs to be done, without 
these efforts and support functions, many private-sector cyber 
attacks would have likely remained undetected for much longer 
and would have been much more severe. Under a new cyber 
incident reporting program, these trusted relationships and 
partnerships must be strengthened and enhanced to advance our 
common goals in reducing the frequency and severity of cyber 
attacks.
    No. 3, a reporting program must encourage cooperation and 
strengthen trust between public and private-sector entities. A 
regulatory-based approach or a regime that focuses on punitive 
actions rather than mutual benefits would be counter to the 
goal of creating a strong National partnership model to counter 
the increasing cyber threats we are facing.
    As previously suggested, although mandatory reporting is 
necessary, the focus should be on supporting organizations to 
achieve compliance, not punishment for noncompliance. Fines and 
other financial or legal punishments do not properly reflect 
the truth that, barring gross negligence or willful misconduct, 
organizations that suffer cyber attacks are victims of a crime. 
Mechanisms to compel collection of critical information, when 
necessary, such as subpoenas, better align to the general 
concept of criminal investigation and response.
    Fourth, information sharing must be bidirectional. An 
incident reporting framework should allow for a consistent flow 
of two-way information sharing between public and private 
sectors to help maximize the ability to resolve and consider 
attribution. Organizations that invest significant effort into 
collecting, analyzing, and sharing cyber attack technical 
information require feedback on the usefulness and value of 
what they provided. They also benefit from data that can be 
only provided by the U.S. Government to enhance their own 
security posture and to help hone their threat detection in 
response functions.
    Finally, I would like to highlight several clear benefits 
of broader security incident reporting and bidirectional 
information sharing. Timely reporting of incidents within and 
across sectors allow for early detection of large, 
sophisticated cyber campaigns that have the potential for 
significant impacts to critical infrastructure or National 
security implications. Technical indicators, along with 
contextual information, provide a more robust data set to 
conduct faster and more accurate attribution in adversary 
intent. This type of analysis is critical in formulating the 
most impactful response to such attacks and to do so in a time 
frame that has a high probability of successful countermeasures 
or deterrence.
    On behalf of FireEye Mandiant, thank you for the 
opportunity to testify before the subcommittee today. We are 
committed to working with our public and private-sector 
partners to safeguard the Nation from cyber attacks by sharing 
cyber threat information, lessons learned, and best practices, 
including through the newly-established Joint Cyber Defense 
Collaborative at CISA. We stand ready to work with you and 
other interested parties to devise effective solutions to deter 
malicious behavior in cyber space and to build a better 
resiliency into our networks and ultimately improve and enhance 
the security and well-being of all Americans.
    Thank you, and I look forward to your questions today.
    [The prepared statement of Mr. Bushar follows:]
                  Prepared Statement of Ronald Bushar
                           September 1, 2021
                              introduction
    Thank you Chairwoman Clarke, Ranking Member Garbarino, and all the 
Members of the subcommittee, for the opportunity to talk with you today 
about the importance of cyber incident reporting. FireEye Mandiant 
applauds your efforts to tackle this complex issue and appreciates the 
open dialog we have enjoyed with you and your staff--public-private 
partnerships are critical to the success of any cyber incident 
reporting or disclosure program--both in its development and execution.
                               background
    My comments for today's hearing will focus primarily on the major 
tenets and benefits of a cyber incident reporting framework. Before I 
turn to this specific topic, let me share some background on myself and 
my company to establish context for my narrative.
    I started my career in the United States Air Force as an officer in 
the Information Warfare Aggressor Squadron. For more than 20 years, I 
have worked in cyber defense operations, cybersecurity consulting, and 
incident response services in both the Government and commercial 
sectors, including the Justice Department. In my current role at 
FireEye Mandiant, I lead a global team of cyber experts who deliver our 
unique platform of innovative security program capabilities and 
solutions to protect critical missions, infrastructure, and National 
security interests world-wide.
    As I testify today, FireEye Mandiant employees are on the front 
lines of the cyber battle, currently responding to over 150 active 
computer intrusions at some of the largest companies and organizations 
in the world. Over the last 17 years, we have responded to tens of 
thousands of security incidents. It is unfortunate, but we receive 
calls almost daily from organizations that have suffered a 
cybersecurity breach. For each security incident we respond to, it is 
our objective to determine what happened and what organizations can do 
to avoid similar incidents in the future. We also maintain over 200 
intelligence analysts, located in more than 20 countries, speaking over 
30 languages, who pursue attribution and identification of the threat 
actors via research and sources.
                      incident reporting framework
    FireEye Mandiant is encouraged by the draft legislation the 
subcommittee has developed to improve cyber incident reporting. The 
``Cyber Incident Reporting for Critical Infrastructure Act of 2021'' is 
a positive step forward in achieving important long-term goals of 
enabling early detection of malicious cyber attacks. It would also 
enhance the Federal Government's situational awareness to better 
partner with and assist private-sector entities that become cyber 
attack victims. This ``whole-of-community'' approach is critical to 
increasing capacity to prevent and deter future cyber attacks.
    Any legislation on this matter should take into consideration the 
evolving cyber threat landscape; the increasingly sophisticated 
tactics, techniques, and procedures used by adversaries; and lessons 
learned from existing voluntary information-sharing models, as 
established by the ``Cybersecurity Information Sharing Act of 2015.'' 
Simply put, any reporting framework must be agile and include 
opportunities for the Federal Government to pivot or adjust its 
reporting requirements to keep pace with the threat environment and bad 
actors.
    The U.S. Government should consider a Federal incident reporting 
program that goes beyond voluntary sharing of threat indicators as 
authorized under the 2015 law--it should also include mandatory 
disclosure requirements for cyber incidents. Major tenets of such a 
program should:
   Safeguard the protection and integrity of electronic and 
        other types of data.
   Ensure confidential sharing.
   Encourage entities to adopt recognized cybersecurity 
        standards and practices with a minimum threshold.
   Provide greater incentives for private-sector entities, 
        including liability protections and statutory privilege to not 
        be disclosed in civil litigation (e.g., confidentiality 
        obligations).
   Protect privacy and civil rights.
   Provide outreach and technical assistance to entities that 
        do not have cybersecurity expertise or capabilities.
    FireEye Mandiant believes that strong cyber community protection is 
predicated on several key concepts. Lawmakers should consider the 
following additional components that we believe would constitute a 
robust and ultimately successful cyber incident reporting program:
Establish reasonable and effective time lines for reporting.
    Reporting requirements should account for two key outcomes: (1) 
Timely and relevant reporting of critical intelligence to relevant 
Government authorities for assessment, correlation, and decision 
support, and (2) reasonable latitude for the victim to determine the 
nature, extent, and potential impact of a breach. In the first 
instance, the timeliness and quality of the data reported to the 
Government will largely determine how effective the response to and 
disruption of the attack will be. In the second instance, cyber attacks 
are often complex and require sophisticated analysis to understand the 
full scope of compromise.
    Victims require support from external firms to fully analyze a 
breach and will likely be dealing with other business impacts and 
crisis management activities. Allowing for a reasonable amount of time 
to properly assess the situation before requiring reporting will limit 
false positives, redundant or contradictory information, and prevent 
unnecessary data collection.
    FireEye Mandiant encourages lawmakers to consider harmonizing 
reporting requirements with existing Federal acquisition regulations 
and standards to provide for a consistent and streamlined regime that 
simplifies business processes and compliance.
Preserve existing trusted relationships and partnerships.
    FireEye Mandiant strongly believes in the concept of a public-
private partner approach to cybersecurity. Unlike most other domains of 
risk, cyber attacks and cyber crime are almost always predicated on the 
use, traversal, or compromise of privately-owned infrastructure, even 
when the attacks are focused on Government or National security assets. 
The private sector, especially critical infrastructure sector 
businesses, is both a key component of overall National cyber 
resiliency and a key source of intelligence on our adversaries' 
capabilities, intents, and activities in cyber space.
    Over the past decade, many Federal agencies, including the 
Cybersecurity and Infrastructure Security Agency, the Federal Bureau of 
Investigation, the U.S. Secret Service, and the National Security 
Agency have built strong partnerships with key cybersecurity and 
critical infrastructure organizations through voluntary programs, 
outreach, and support. While we recognize that much more needs to be 
done, without these efforts and support functions, many private-sector 
cyber attacks would have likely remained undetected for much longer and 
would have been much more severe. Under a new cyber incident reporting 
program, these trusted relationships and partnerships must be 
strengthened and enhanced to advance our common goals of reducing the 
frequency and severity of cyber attacks.
Ensure compliance is non-punitive.
    A reporting program must encourage cooperation and strengthen trust 
between the public and private sector. A regulatory-based approach or a 
regime that focuses on punitive actions rather than mutual benefits 
would be counter to the goal of creating a strong National partnership 
model to counter the increasing cyber threats we are facing.
    As previously suggested, although mandatory reporting is necessary, 
the focus should be on supporting organizations to achieve compliance, 
not punishment for non-compliance. Fines and other financial or legal 
punishments do not properly reflect the truth that, barring gross 
negligence or willful misconduct, organizations that suffer a cyber 
attack are victims of a crime. Mechanisms to compel collection of 
critical information when necessary, such as subpoenas, better align to 
the general concept of criminal investigation and response.
Require information to flow back into the community.
    Information sharing must be bi-directional. An incident-reporting 
framework should allow for a consistent flow of two-way information 
sharing between the public and private sectors to help maximize the 
ability to resolve and consider attribution. Organizations that invest 
significant effort into collecting, analyzing, and sharing cyber attack 
technical information require feedback on the usefulness and value of 
what they have provided. They also benefit from data that can only be 
provided by the Government to enhance their own security posture and 
help to hone their threat detection and response functions.
                                benefits
    Finally, I would like to highlight several clear benefits to 
broader cyber incident reporting and bi-directional information 
sharing. Timely reporting of incidents, within and across sectors, 
allows for earlier detection of large, sophisticated cyber campaigns 
that have the potential for significant impacts to critical 
infrastructure or National security implications.
    Technical indicators, along with contextual information related to 
attacks, provide a more robust dataset to conduct faster and more 
accurate attribution and adversary intent. This type of analysis is 
critical in formulating the most impactful response to such attacks and 
to do so in a time frame that has a higher probability of successful 
countermeasures or deterrence.
    Cyber incident information also allows for cross-correlation and 
collaboration with international partners, thereby enabling a 
multilateral response to state-sponsored or state-sanctioned cyber 
criminals that often originate overseas and travel through an allied 
nation's infrastructure.
    Last, robust and centralized collection of incident information 
provides the Government with a much more accurate cyber risk picture 
and enables more effective and efficient investments and support 
before, during, and after major cyber attacks.
                               conclusion
    On behalf of FireEye Mandiant, thank you for the opportunity to 
testify before the subcommittee. We are committed to working with our 
public and private-sector partners to safeguard the Nation from cyber 
attacks by sharing cyber threat information, lessons learned, and best 
practices, including through the newly-established Joint Cyber Defense 
Collaborative at the Cybersecurity and Infrastructure Security Agency.
    We stand ready to work with you and other interested parties to 
devise effective solutions to deter malicious behavior in cyber space 
and to build better resiliency into our networks. I look forward to 
your questions.

    Ms. Clarke. All right.
    Thank you, Mr. Bushar, for your expert testimony here 
today.
    I would like to acknowledge that we have been joined by the 
gentleman from Mississippi, the Chairman of our full committee, 
Mr. Thompson, who will be submitting his opening statement for 
the record, but I wanted to acknowledge his presence.
    [The statement of Chairman Thompson follows:]
                Statement of Chairman Bennie G. Thompson
                           September 1, 2021
    Good afternoon. I want to thank Chairwoman Clarke and Ranking 
Member Garbarino for holding this important legislative hearing to 
discuss the Cyber Incident Reporting for Critical Infrastructure Act of 
2021.
    Establishing a mandatory cyber incident reporting framework at CISA 
has been a priority for the Homeland Security Committee since last 
Congress.
    I applaud Chairwoman Clarke for engaging with stakeholders and 
working so hard to get the language right.
    I look forward to continuing to work with her as she continues to 
refine the text.
    I would also like to thank Ranking Member Katko for his support of 
this important legislation.
    For a decade and a half, I have served as either Chairman or 
Ranking Member of this committee.
    Over the years, there has been an evolution in thinking about how 
closely the public and private sector need to collaborate to protect 
our Nation's critical infrastructure.
    I have seen the Federal Government struggle to find the right way 
for critical infrastructure owners and operators to share security 
information with the Government and to zero in on how to turn that 
information into an actionable security product.
    The Cybersecurity Information Sharing Act of 2015 was the product 
of extensive negotiations on the part of both Government and industry.
    When the legislation was finally enacted into law, we had high 
expectations that it would spur timely sharing and enhance our Nation's 
cybersecurity posture.
    But the 2015 bill did not fully deliver.
    There was reluctance among many in the private sector to share 
information with the Department.
    And, for its part, the Department struggled to turn what data it 
did get into something the private sector could use to drive down risk.
    It focused too much on the volume of indicators shared and not 
enough on the quality of the information.
    For 6 years, this committee has engaged with the Department and 
stakeholders to try to correct course, but over time it has become 
clear that we need a new approach.
    Last Congress, former Subcommittee Chair Cedric Richmond offered an 
amendment to the National Defense Authorization Act that would 
establish a mandatory cyber incident reporting framework at the 
Cybersecurity and Infrastructure Security Agency.
    It was included in the House-passed package but was stripped during 
conference negotiations with the Senate.
    Since then, a series of high-profile, high-consequences cyber 
incidents over the past year, have made it clear we need to take urgent 
action to improve the way the private sector shares information with 
the Government.
    As Chairwoman Clarke said in her opening statement, the text we are 
discussing today is the product of months of stakeholder engagement and 
bipartisan negotiations to fine tune the bill.
    And we are here today to further refine the legislation to ensure 
it serves the purposes of the Federal Government and will result in 
security benefits to covered entities.
    I am committed to getting this framework right and across the 
finish line this Congress.
    I thank the witnesses for being here today, and I look forward to 
their testimony.

    Ms. Clarke. But I now recognize Ms. Hogsett to summarize 
her statement for 5 minutes.

STATEMENT OF HEATHER HOGSETT, SENIOR VICE PRESIDENT, TECHNOLOGY 
        & RISK STRATEGY FOR BITS, BANK POLICY INSTITUTE

    Ms. Hogsett. Thank you.
    Chairwoman Clarke, Ranking Member Garbarino, and honorable 
Members of the subcommittee, thank you for inviting me to 
testify. I am Heather Hogsett, senior vice president of 
technology and risk strategy for BITS, the Technology Policy 
Division at the Bank Policy Institute.
    BPI is a nonpartisan policy, research, and advocacy 
organization, representing the Nation's leading banks. Through 
our technology division, BITS, we work with our member banks as 
well as other leading financial institutions on cyber risk 
management and critical infrastructure protection as well as 
fraud reduction, regulation, and innovation. I also serve as 
policy committee co-chair for the Financial Services Sector 
Coordinating Council, which coordinates across the financial 
sector and with Government partners to enhance security and 
resiliency.
    On behalf of BPI's member firms, we greatly appreciate this 
committee's leadership on cybersecurity and critical 
infrastructure protection. We also appreciate the work of the 
committee on the Cyber Incident Reporting for Critical 
Infrastructure Act of 2021, which is focused on addressing the 
urgent need for Government and critical infrastructure to share 
cyber information to improve awareness of cyber threats and 
better inform our collective ability to mitigate and respond to 
them.
    Banks and other financial institutions have had legal and 
regulatory requirements for cybersecurity and incident 
reporting for more than 20 years. In addition to required 
regulatory reporting, financial firms have made significant 
investments to protect the industry, developing high-trust 
collaboration centers to improve resilience of individual firms 
and across the broader financial system, through digital 
infrastructure, comprehensive use of security tools, exercise 
programs, and extensive training.
    Based on past experience, we are encouraged to see that the 
current draft bill includes five key elements that we believe 
are vital to achieving our shared goal of protecting the 
Nation's critical infrastructure. First, the bill appropriately 
tailors the scope of incidents that should be reported to those 
that could cause actual harm. This will ensure CISA receives 
accurate and useful data to help achieve its goal of greater 
situational awareness.
    Second, the time line for reporting of no earlier than 72 
hours after confirmation an incident has occurred strikes the 
right balance to allow a firm sufficient time for investigation 
and implementation of response measures while reporting timely, 
accurate, and useful information to CISA. The initial stages of 
an incident response require all hands on deck, and front-line 
cyber defenders should be focused on investigation response and 
remediation, rather than completing compliance paperwork.
    Third is the need to ensure harmonization with existing 
requirements. For already-regulated critical infrastructure 
sectors, it is vital to ensure new requirements are harmonized 
with existing laws and regulations. Financial institutions are 
regularly examined for their cybersecurity operations and 
compliance with reporting requirements and may be subject to 
penalties and other enforcement mechanisms for deficiencies or 
failures to comply.
    The bill currently includes helpful provisions to require 
CISA to coordinate with other agencies and regulatory 
authorities to streamline reporting requirements.
    The bill also builds off the Cybersecurity and Information 
Sharing Act of 2015. We support the committee clearly 
incorporating the key definitions and protections already 
created by the CISA Act for private firms sharing information 
with Government. Any bill that seeks to mandate cyber 
information sharing should incorporate these protections, and 
we appreciate that you have clearly defined that in your bill.
    Finally, the bill addresses the need to help companies 
understand if their data has been compromised by an attack on a 
Government system. While the SolarWinds attack targeted several 
Federal agencies, it also impacted a much broader swath of 
entities, including critical infrastructure companies.
    Financial services firms are required to share sensitive 
and confidential information with regulators and other 
Government agencies that, if breached, could pose risks to the 
institution and its customers. To this end, the bill includes 
language to address this need for greater transparency.
    In closing, I would note that there is an additional area 
that we would like to continue working with you on, and that is 
around the need for improvements to bidirectional information 
sharing and collaboration. Current information sharing is often 
one-sided from Government--from industry to Government, and the 
alerts and warnings industry receives from Government are often 
delayed, limiting their usefulness.
    At CISA, along with intelligence from law enforcement 
agencies, strengthened coordination, and collaboration with the 
private sector, we urge Congress to ensure Government agencies 
are improving the speed and quality of information provided 
back to critical infrastructure.
    Again, thank you for your leadership on cybersecurity and 
your thoughtful approach to crafting this legislation. We look 
forward to continuing to work with this committee, and I am 
happy to answer any questions you may have.
    [The prepared statement of Ms. Hogsett follows:]
                 Prepared Statement of Heather Hogsett
                           September 1, 2021
    Chairwoman Clarke, Ranking Member Garbarino, and Honorable Members 
of the subcommittee, thank you for inviting me to testify. I am Heather 
Hogsett, senior vice president of technology and risk strategy for 
BITS, the technology policy division of the Bank Policy Institute 
(BPI).
    BPI is a nonpartisan policy, research, and advocacy organization 
representing the Nation's leading banks. BPI members include universal 
banks, regional banks, and major foreign banks doing business in the 
United States. BITS, our technology policy division, works with our 
member banks as well as other leading financial institutions on cyber 
risk management and critical infrastructure protection, fraud 
reduction, regulation, and innovation.
    I also serve as co-chair of the Financial Services Sector 
Coordinating Council (FSSCC) Policy Committee. The FSSCC coordinates 
across the financial sector to enhance security and resiliency and to 
collaborate with Government partners such as the U.S. Treasury and the 
Cybersecurity and Infrastructure Security Agency (CISA), as well as 
financial regulatory agencies.
                           executive summary
    Banks and other financial institutions are increasingly under cyber 
attack by foreign nations and criminal groups seeking to disrupt the 
financial system and undermine the functioning of the U.S. economy. The 
financial sector takes these risks seriously and has a long history of 
working across industry and with Government partners to address and 
manage these risks. We were the first sector to form an information 
sharing and analysis center in 1999 and established a strong sector 
coordinating council in 2002--both of which have served as leading 
examples other critical infrastructure sectors have sought to 
replicate. We are also one of the few critical infrastructure sectors 
that has had cybersecurity and incident reporting requirements in law 
and regulation for over 20 years.
    We greatly appreciate the committee's leadership to address the 
Nation's cybersecurity challenges and efforts to improve the resilience 
of critical infrastructure. We share a mutual commitment to 
cybersecurity and the value in sharing threat and incident information, 
and support efforts to fortify CISA as a leader in this space.
    As Congress considers legislation to require critical 
infrastructure entities to report cyber incidents to the Federal 
Government, we believe the following elements in the bill--the Cyber 
Incident Reporting for Critical Infrastructure Act of 2021--which are 
discussed in greater detail below, are vital to achieving our shared 
goal of protecting the Nation's critical infrastructure:
   Scope.--The scope of required reporting focuses on incidents 
        that could cause actual harm, which will ensure CISA receives 
        accurate and useful data to help achieve its goal of greater 
        situational awareness. Approaches which seek to mandate 
        reporting of ``potential'' incidents are too broad and would 
        lead to over-reporting that is insufficiently focused on the 
        actual risks.
   Time Line.--The time line for reporting of no earlier than 
        72 hours after confirmation an incident has occurred strikes 
        the right balance to allow sufficient time for investigation 
        and implementation of mitigation and response measures while 
        reporting timely and useful information to CISA. The initial 
        stages of an incident response require ``all-hands-on-deck'' 
        and front-line cyber defenders should be focused on response 
        and remediation rather than completing compliance paperwork.
   Harmonization.--For already-regulated critical 
        infrastructure sectors, it is vital to ensure new reporting 
        requirements are harmonized with existing laws and regulations. 
        We appreciate the approach taken in the bill and would 
        recommend continued Congressional focus to ensure 
        implementation avoids unnecessary duplication and establishes a 
        streamlined process for all required reporting.
   Maintain Protections and Definitions in the Cybersecurity 
        and Information Sharing Act of 2015 (CISA Act).--We support the 
        committee clearly incorporating the key definitions and 
        protections already created by the CISA Act for private firms 
        sharing information with Government. This bill builds on that, 
        and the consistency for industry is important. Any bill in 
        Congress that seeks to mandate cyber information sharing should 
        incorporate these protections and we appreciate that is clearly 
        defined in the bill.
   Helping Companies Understand if Their Data has Been 
        Compromised.--The SolarWinds attack targeted several Federal 
        agencies but also impacted a much broader swath of entities 
        including critical infrastructure companies. Government 
        agencies who are attacked should be required to notify critical 
        infrastructure entities when their sensitive information may be 
        compromised. We appreciate the language in this bill that seeks 
        to address this important issue.
Working Together on Other Priorities
   There is an additional area that we would like to work on 
        with this committee and Congress that we believe is essential 
        to improving our cyber defense capabilities, and that is around 
        the need for greatly improved bi-directional information 
        sharing. The Government should use reported information from 
        critical infrastructure and other Government entities to 
        improve the relevancy and speed of alerts and other analyses 
        that can be provided to critical infrastructure. More timely 
        and actionable information being shared with the private sector 
        would benefit our collective security and resilience 
        capabilities.
 background on existing financial services sector cybersecurity efforts
Legal and Regulatory Requirements
    The banking/financial services sector is one of the few critical 
infrastructure sectors that has had mandatory cybersecurity and 
incident reporting requirements in law and regulation for over 20 
years. As a result, we have experienced what is most effective and 
would emphasize that it is important to ensure that any new 
requirements are harmonized and align with existing requirements for 
financial firms.
    For example, financial institutions are regularly examined for 
compliance with the Gramm-Leach-Bliley Act and its implementing 
regulations, which require cyber incident reporting when unauthorized 
access to or misuse of customer data occurs. The New York Department of 
Financial Services Cybersecurity Regulation expanded on these 
requirements and requires reporting if a cyber incident is likely to 
cause harm to the financial institution's operations. In the course of 
on-going robust oversight from regulatory authorities--such as the 
Federal Reserve Board, the Office of the Comptroller of the Currency 
and the Federal Deposit Insurance Corporation, among others--banks are 
regularly examined for their cybersecurity practices including the use 
of security controls, third-party risk management and senior management 
and board oversight.
    A summary of the main banking/financial services requirements is 
attached as Appendix A.
Information-Sharing and Collaboration Efforts
    In addition to required regulatory reporting, financial firms have 
made significant investments to protect the industry, developing high-
trust collaboration centers to improve resilience at individual firms 
and across the broader financial system, through digital 
infrastructure, comprehensive use of security tools, exercise programs 
and extensive training. They have also created joint initiatives to 
address systemic challenges such as:
   The Financial Services Information Sharing and Analysis 
        Center (FS-ISAC),\1\ which shares cyber threat information and 
        best practices for nearly 7,000 members across the globe, 
        including 4,600 U.S. financial institutions. The FS-ISAC was 
        one of the first ISACs created among industry.
---------------------------------------------------------------------------
    \1\ https://www.fsisac.com/.
---------------------------------------------------------------------------
   The Financial Services Sector Coordinating Council 
        (FSSCC),\2\ which strengthens the resiliency of the financial 
        sector against cyber attacks and other threats by proactively 
        identifying threats, promoting protection, driving 
        preparedness, collaborating with Government partners and 
        regulatory authorities and coordinating crisis response.
---------------------------------------------------------------------------
    \2\ https://fsscc.org/.
---------------------------------------------------------------------------
   The Analysis and Resilience Center,\3\ which works to 
        mitigate systemic risk to the Nation's most critical financial 
        and electric infrastructure, and facilitates operational 
        collaboration between firms, the U.S. Government, and other key 
        partners.
---------------------------------------------------------------------------
    \3\ https://systemicrisk.org/.
---------------------------------------------------------------------------
   Sheltered Harbor,\4\ a secure data repository for consumer 
        bank and securities holdings to protect customers, financial 
        institutions, and public confidence in the event a cyber attack 
        causes critical systems to fail; and
---------------------------------------------------------------------------
    \4\ https://www.shelteredharbor.org/.
---------------------------------------------------------------------------
   The Cyber Risk Institute's ``Cyber Profile''\5\ which is 
        derived from the National Institute of Standards and 
        Technology's Cybersecurity Framework and incorporates financial 
        services regulatory requirements and industry best practices to 
        address one of the industry's most pressing needs to harmonize 
        regulation globally to improve security and resilience.
---------------------------------------------------------------------------
    \5\ https://cyberriskinstitute.org/.
---------------------------------------------------------------------------
      discussion points: effective cyber incident reporting model
    The recent string of ransomware attacks and supply chain 
compromises have highlighted the need for more transparency about the 
nature and depth of cybersecurity attacks affecting the public and 
private sectors. BPI member banks are committed to improving 
protections across critical infrastructure sectors and recognize the 
value in sharing cyber threat and incident information with CISA.
    As noted above, banks and other financial institutions already 
adhere to extensive cybersecurity and regulatory reporting 
requirements. It must be a priority for Congress to harmonize any new 
requirements for reporting, oversight and enforcement with existing 
regulatory requirements to minimize confusion on competing requirements 
and avoid distracting from response efforts.
    Based on the industry's experience with long-standing regulations 
and requirements, we are encouraged to see that the current draft bill 
includes the following elements that will help ensure an effective 
structure for incident reporting for all critical infrastructure 
sectors:
Scope
    The current draft of the legislation appropriately tailors the 
kinds of incidents to be reported to actual incidents, which will 
ensure CISA receives accurate, timely, and useful information. Other 
approaches that would collect information on ``potential incidents'' 
would create near-constant reporting to CISA by financial services 
firms based on the number of incidents those firms see on a daily 
basis. It is unclear what a ``potential incident'' is, how it would be 
reported and what value that provides. As the U.S. Government seeks to 
increase its analytical capabilities, it is also critical for it to be 
able to turn around threat information and share it with all sectors 
quickly. Collecting information on potential incidents would add noise 
to the signal of material incidents and thus overwhelm, rather than 
enhance, CISA's analytical efforts.
Time Line
    The bill's reporting requirement of no earlier than 72 hours after 
confirmation an incident has occurred, strikes an important balance 
between allowing an affected entity to implement immediate response 
measures while ensuring CISA receives timely, useful, and accurate 
information. The initial stages of an incident response require ``all-
hands-on-deck'' to focus immediately on understanding the incident and 
implementing mitigation and response measures. Other approaches that 
would require reporting within 24 hours would distract from critical 
work in the early stages of a response and result in reports that were 
premature and likely erroneous.
Harmonization
    For already regulated critical infrastructure sectors, it is vital 
to ensure new reporting requirements are harmonized with existing laws 
and regulations. The bill currently includes helpful provisions to 
require CISA to coordinate with Sector Risk Management Agencies and 
regulatory authorities to streamline reporting requirements.
    As noted above, financial institutions comply with a multitude of 
reporting requirements which establish key definitions, time lines, and 
reporting thresholds, as well as oversight and enforcement mechanisms 
which may include fines and other penalties. There is value in 
reporting to CISA, but it is important to ensure Government agencies 
and regulators work together quickly to develop a common reporting form 
that would be good for all Government entities requiring incident 
reporting. Otherwise, still more time will be spent by first responders 
working with firms' legal and compliance teams to ensure that each 
agency's nuanced requirement is met, rather than reporting uniformly 
and allowing more time for protecting critical infrastructure.
Maintain Protections of the Cybersecurity and Information Sharing Act 
        of 2015
    The bill incorporates existing definitions and protections from the 
CISA Act, which will provide helpful continuity for industry. These 
measures, which include privacy and liability protections, serve as 
instrumental building blocks to greater sharing and collaboration 
between the public and private sectors, and should be continued as 
Congress expands the information firms are required to submit to CISA.
Helping Companies Understand if Their Data has Been Compromised
    Financial services companies are required to share sensitive and 
confidential information, including operational and customer data, with 
regulators and other Government agencies that, if breached, could pose 
risks to the institution and its customers. The current draft of the 
bill recognizes the importance of ensuring that Government agencies are 
also required to provide greater transparency and alert critical 
infrastructure companies if their sensitive data is affected by a 
breach at a Federal agency. Such notification would allow the firm to 
take proactive measures to mitigate risks, helping protect the firm, 
its customers, and potentially the broader sector.
                          future work together
    Recent disruptive ransomware attacks on critical infrastructure are 
a stark reminder of the threats we face and the urgent need to rethink 
how Government and industry work together to protect against National 
security threats. Expanding CISA's awareness of cyber incidents 
affecting critical infrastructure through required reporting will help 
improve the quality of cyber threat analysis that can be shared more 
broadly across the public and private sectors. We appreciate the 
committee's thoughtful approach and efforts to take input from critical 
infrastructure sectors in crafting this important legislation and look 
forward to continued collaboration.
    We also look forward to working with the committee on other 
opportunities to improve public-private collaboration to address 
cybersecurity threats. As CISA and other Government agencies 
increasingly receive incident data and other threat information, they 
should be required to improve the quality, timeliness, and actionable 
nature of the information that can be provided to critical 
infrastructure. Current information sharing is often one-sided from 
industry to Government and the alerts and warnings industry receives 
from Government are often delayed, limiting their usefulness. As CISA, 
along with intelligence and law enforcement agencies, strengthen 
coordination and collaboration with the private sector, we urge 
Congress to ensure Government agencies are improving the speed and 
quality of information provided back to critical infrastructure.
    I appreciate the opportunity to testify today and look forward to 
any questions.
                               APPENDIX A
    The following is a snapshot of the main banking/financial services 
cybersecurity incident notification and reporting requirements, a 
myriad of others exist as well.
    Gramm-Leach-Bliley Act (GLBA).--Under the GLBA and its implementing 
regulations,\6\ cyber incident reporting is triggered when a financial 
institution becomes aware of unauthorized access to sensitive customer 
information that is, or is likely to be, a misuse of the customer's 
information. Notification to regulators is required as soon as possible 
after the institution determines that misuse of customer data has 
occurred or is reasonably possible (e.g. at the start of an 
investigation to determine the likelihood that the information has been 
or could be misused). To ensure adherence to these requirements, 
regulators conduct on-going and rigorous reviews of institutions' 
operating and governance processes, including data security and data 
handling processes and third-party risk management measures. Failure to 
report incidents and adhere to these requirements could result in 
serious enforcement measures including mandatory corrective action 
directives, restrictions on activities, and fines.
---------------------------------------------------------------------------
    \6\ Interagency Guidance on Response Programs for Unauthorized 
Access to Customer Information and Customer Notice. See https://
www.federalregister.gov/documents/2005/03/29/05-5980/interagency-
guidance-on-response-programs-for-unauthorized-access-to-customer-
information-and.
---------------------------------------------------------------------------
   Reporting Time Line.--As soon as possible once the 
        institution determines unauthorized access occurred.
   Definitions.--A cyber incident is defined as unauthorized 
        access to sensitive customer information.
   Scope of Reporting.--Covers non-public customer information 
        such as personally identifiable financial information, 
        financial transaction information, income, and credit rating 
        data, etc.
   Reporting Mechanism.--Report provided to regulators; 
        information becomes part of on-going regulatory oversight/
        examinations.
    New York Department of Financial Services (NYDFS) Cybersecurity 
Regulation. The NYDFS regulations \7\ became effective on March 1, 2017 
and add another layer of mandatory cybersecurity reporting requirements 
for financial services companies. A financial institution must notify 
NYDFS when a cyber event triggers reporting to any other Government 
body, regulatory or self-regulatory agency. Notification is also 
triggered if there is a reasonable likelihood of material harm to the 
institution's operations. Once a triggering event has occurred, 
notification must occur as promptly as possible, but not later than 72 
hours from the determination that a cybersecurity event has occurred.
---------------------------------------------------------------------------
    \7\ See New York Codes, Rules and Regulations (23 NYCRR 500). 
https://govt.westlaw.com/nycrr/Browse/Home/NewYork/
NewYorkCodesRulesandRegulations?guid=I5be30d2007- 
f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Def
ault&context- Data=(sc.Default).
---------------------------------------------------------------------------
   Reporting Time Line.--72 hours from the determination that a 
        cyber event has occurred.
   Definitions.--A cyber event is defined as any act or attempt 
        to gain unauthorized access to, disrupt, or misuse an 
        information system or information stored on an information 
        system.
   Scope of Reporting.--Covers non-public customer information 
        and information technology systems.\8\
---------------------------------------------------------------------------
    \8\ Defined as ``a discrete set of electronic information resources 
organized for the collection, processing, maintenance, use, sharing, 
dissemination, or disposition of electronic information, as well as any 
specialized system such as industrial/process controls systems, 
telephone switching and private branch exchange systems, and 
environmental control systems.''
---------------------------------------------------------------------------
   Reporting Mechanism.--Report provided to NYDFS; information 
        becomes part of on-going regulatory oversight.
    European Union General Data Protection Regulation (GDPR).--In the 
case of a personal data breach, notification is required without undue 
delay and, where feasible, not later than 72 hours after having become 
aware of it. GDPR sets specific privacy parameters for use, data 
security, and handling of consumer data.
   Reporting Time Line.--72 hours.
   Definitions.--A ``data breach'' is defined as ``the 
        accidental or unlawful destruction, loss, alteration, 
        unauthorized disclosure of, or access to, personal data 
        transmitted, stored or otherwise processed.''
   Scope of Reporting.--Personal data.\9\
---------------------------------------------------------------------------
    \9\ Personal data is under GDPR here: https://gdpr-info.eu/art-4-
gdpr/.
---------------------------------------------------------------------------
   Reporting Mechanism.--Entities report to the agency 
        designated by each member state, which then notifies other 
        member states as needed.
    European Union NIS Directive 1.0.--In 2016, the European Union 
mandated cyber incident reporting for all sectors defined under the 
term Essential Services which is like the U.S. term of Critical 
Infrastructure. However, the European Union has both mandatory security 
mandates on Digital Service Providers and stricter reporting 
requirements on DSPs.\10\ The European Union is in the midst of 
updating the NIS Directive 2.0 where notification must occur with any 
event compromising the availability, authenticity, integrity, or 
confidentiality of stored, transmitted, or processed data or of the 
related services offered by, or accessible via, network and information 
systems.
---------------------------------------------------------------------------
    \10\ Essential Services are defined by the European Union in the 
NIS Directive and was implemented in 2016. See: https://eur-
lex.europa.eu/eli/dir/2016/1148/oj.
---------------------------------------------------------------------------
   Reporting Time Line.--24 hours from when an entity is aware 
        of an incident, and then a report 30 days later.
   Definitions.--An incident means any event having an actual 
        adverse effect on the security of network and information 
        systems.\11\
---------------------------------------------------------------------------
    \11\ For definition of ``incident,'' see https://eur-lex.europa.eu/
eli/dir/2016/1148/oj.
---------------------------------------------------------------------------
   Scope of Reporting.--The directive does not define the 
        threshold of what is a significant incident requiring 
        notification to the relevant E.U. member state National 
        authority and defines 3 parameters for reporting: Number of 
        users affected; duration of incident; geographic spread. DSPs 
        have 5 requirements that are broader.
   Reporting Mechanism.--Entities report to the agency 
        designated by each member state.
    Notice of Proposed Rulemaking (NPR) from OCC/Federal Reserve/
FDIC.--On Jan. 12, 2021, the Office of the Comptroller of the Currency 
(OCC), the Board of Governors of the Federal Reserve System (Board), 
and the Federal Deposit Insurance Corporation (FDIC) published a 
proposed rule on ``Computer-Security Incident Notification Requirements 
for Banking Organizations and Their Bank Service Providers.'' Under the 
proposal, incident notification would be triggered after the 
determination by a banking organization that a computer-security 
incident has occurred that the bank believes in good faith could cause 
significant disruption to the institution's operations and ability to 
deliver products and services to a significant portion of its customers 
or could pose a risk to the financial stability of the United States. 
Upon determining that an event has reached the notification incident 
threshold, a banking organization would be required to notify as soon 
as possible but no later than 36 hours.
   Reporting Time Line.--36 hours after a ``good faith'' 
        determination of an incident.
   Definitions.--A computer security incident is defined as an 
        occurrence that jeopardizes confidentiality, integrity or 
        availability of an information system or the information a 
        system processes, stores, or transmits;\12\ a notification 
        incident is defined as a significant computer security incident 
        that could jeopardize the viability of the operations of a 
        financial institution, prevent customers from accessing their 
        deposit and other accounts, or impact the stability of the 
        financial sector.
---------------------------------------------------------------------------
    \12\ This definition is taken from NIST which states a computer 
security incident is ``an occurrence that results in actual or 
potential jeopardy to the confidentiality, integrity, or availability 
of an information system or the information the system processes, 
stores, or transmits or that constitutes a violation or imminent threat 
of violation of security policies, security procedures, or acceptable 
use policies. See NIST, Computer Security Resource Center, Glossary 
https://csrc.nist.gov/glossary/term/Computer_Security_Incident.
---------------------------------------------------------------------------
   Scope of Reporting.--Covers non-public customer information 
        and information technology systems.\13\
---------------------------------------------------------------------------
    \13\ The NPR does not define information technology systems.
---------------------------------------------------------------------------
   Reporting Mechanism.--Notification to be provided to primary 
        Federal regulator; intended to provide early awareness of 
        emerging threats to individual institutions and potentially the 
        broader financial system.

    Mr. Mayer. Chairwoman, I believe you may be muted.
    Ms. Clarke. I think I was on mute. Did everyone hear me?
    Mr. Mayer. No.
    Ms. Clarke. I am sorry about that. They always catch you, 
don't they?
    Let me thank Ms. Hogsett for her expert testimony here 
today. I now recognize Mr. Miller to summarize your statement 
for 5 minutes.

 STATEMENT OF JOHN S. MILLER, SENIOR VICE PRESIDENT OF POLICY, 
  AND GENERAL COUNSEL, INFORMATION TECHNOLOGY INDUSTRY COUNCIL

    Mr. Miller. Thank you.
    Chairs Clarke and Thompson, Ranking Members Garbarino and 
Katko, distinguished Members of the subcommittee, on behalf of 
the Information Technology Industry Council, or ITI, thank you 
for the opportunity to testify today on the Cyber Incident 
Reporting for Critical Infrastructure Act of 2021.
    ITI is a global policy and advocacy organization 
representing 80 of the world's leading ICT companies. I lead 
ITI's trust data and technology policy team, including our work 
on cybersecurity globally. As the current vice chair of the 
Information Technology Sector Coordinating Council and co-chair 
of the ICT Supply Chain Risk Management Task Force, I have 
significant experience partnering with CISA on efforts to 
improve cyber supply chain and critical infrastructure security 
and welcome your interest on this important topic. I would also 
like to thank you and your staffs for the thoughtful and 
collaborative approach you have taken with stakeholders while 
drafting this legislation.
    If narrowly scoped and carefully crafted, we believe that 
an incident reporting regime can help improve the Nation's 
cyber resilience and security by increasing situational 
awareness across Government and critical infrastructure and 
driving more effective operational collaboration in response to 
significant incidents.
    We commend the subcommittee for its leadership on this 
issue and commitment to developing an effective and efficient 
cyber incident reporting regime, and we appreciate the Act 
leads many of the details to be worked out through a rule-
making process prioritizing CISA engagement with stakeholders.
    Developing an effective and efficient incident reporting 
regime while at the same time preserving the partnership and 
collaborative model that is central to CISA's mission are both 
important goals. Just last month, ITI published policy 
principles for cyber incident reporting which are attached to 
my written testimony and I encourage the subcommittee to 
consider in full.
    ITI also led a multi-association letter to Congress sent 
last Friday stressing several issues that any incident 
reporting legislation should address. I will focus the balance 
of my time on five key recommendations included in both our 
policy principles and the letter.
    First, we recommend any legislation allow for feasible 
reporting time lines commensurate with incident severity levels 
but of no less than 72 hours. Ensuring time lines are feasible 
is important for several reasons, including allowing entities 
sufficient time to determine what has occurred and ensuring an 
incident is properly contextualized, upholding cybersecurity 
while an entity investigates an incident and to align with 
global best practices. We appreciate the Act makes clear CISA 
may not require reporting earlier than 72 hours after an entity 
confirms an incident has occurred.
    Second, we recommend any legislation maintain appropriate 
confidentiality, nondisclosure, and liability protections. We 
welcome the act's intent to extend liability protections and 
FOIA exemptions from the CISA 2015 information sharing 
legislation to reports provided pursuant to the Act but note 
the language of CISA 2015 may need to be updated to align with 
the specific categories of incident reporting information that 
are ultimately required by the pending rule.
    Further, the Act should define clear confidentiality and 
privacy requirements regarding the use of shared information, 
including to require that any information disseminated to 
interagency partners is scrubbed of the providing entity's 
identifying information.
    Third, we urge Congress to harmonize existing regulatory 
reporting requirements to ensure companies are able to 
efficiently report incidents and not subject to contradictory 
or duplicative reporting requirements that may hamper 
notification. We appreciate the Act directs CISA to consider 
existing regulatory requirements and work with relevant 
regulatory authorities and recommend adding language clarifying 
that CISA should leverage existing channels to collect incident 
information whenever possible, including active interfaces with 
the FBI, SEC, and financial sector regulators to truly lessen 
the regulatory burden.
    Fourth, we recommend any legislation establish appropriate 
reporting thresholds and limit reporting to verified incidents. 
The act's inclusion of minimum thresholds for reporting a 
covered incident built on a risk-based analytical model and its 
focus on verified incidents, as opposed to near misses hit the 
mark. However, there is ambiguity in the minimum threshold 
language that could be resolved through the concept of an 
incident categorization matrix which could more accurately 
determine the severity of actual harm posed by incidents, 
enabling finer prioritization and more precise reporting.
    Finally, we maintain that reporting obligations in any 
legislation should fall only on impacted entities, not on 
vendors or third-party service providers. An incident reporting 
requirement with a broader scope could disrupt normal business 
operations, including potentially forcing vendors or third 
parties to disclose business confidential information of 
impacted customers or breach their contractual obligations and 
result in flooding CISA with multiple, duplicative reports 
diverting limited resources away from cyber incident response.
    Thank you again for the opportunity to testify today. I 
look forward to your questions.
    [The prepared statement of Mr. Miller follows:]
                  Prepared Statement of John S. Miller
                           September 1, 2021
    Chairwoman Clarke, Ranking Member Garbarino, and distinguished 
Members of the Subcommittee on Cybersecurity, Infrastructure 
Protection, and Innovation of the House Committee on Homeland Security, 
thank you for the opportunity to testify today. My name is John Miller, 
senior vice president of policy and general counsel at the Information 
Technology Industry Council (ITI).\1\ I lead ITI's Trust, Data, and 
Technology team, including our work on cybersecurity policy globally, 
and I have deep experience working on public-private security 
initiatives in the United States, including currently serving as co-
chair of the Cybersecurity and Infrastructure Security Agency (CISA)-
sponsored Information and Communications Technology Supply Chain Risk 
Management Task Force (ICT SCRM Task Force), and as vice chair of the 
Information Technology Sector Coordinating Council (ITSCC), the 
principal IT sector partner to CISA on critical infrastructure 
protection and cybersecurity policy. I am honored to provide ITI's 
perspective on the important topic of cyber incident reporting and the 
legislation the subcommittee is considering today.
---------------------------------------------------------------------------
    \1\ See ITI membership list at: https://www.itic.org/about/
membership/iti-members.
---------------------------------------------------------------------------
    ITI represents the world's leading information and communications 
and technology (ICT) companies. We promote innovation world-wide, 
serving as the ICT industry's premier advocate and thought leader in 
the United States and around the globe. ITI's membership comprises 
leading innovative companies from all corners of the technology sector, 
including hardware, software, digital services, semiconductor, network 
equipment, cybersecurity, and other internet and technology-enabled 
companies that rely on ICT to evolve their businesses. Cybersecurity is 
rightly a priority issue for governments and our industry, and we share 
the common goals of improving cybersecurity, protecting the privacy of 
individuals' data, and maintaining strong intellectual property 
protections. Further, our members service customers across all levels 
of government and the full range of global industry sectors, such as 
financial services, health care, and energy. We thus acutely understand 
the importance of cybersecurity as not only a global business 
imperative for companies and customers alike, but as critical to our 
collective security. As a result, our industry has devoted significant 
resources, including expertise, initiative, and investment in 
cybersecurity efforts to create a more secure and resilient internet 
ecosystem.
    The SolarWinds compromise and the latest wave of damaging 
ransomware attacks, along with other recent cyber attacks, serve as an 
important reminder that the cyber threat landscape is constantly 
evolving and that we need innovative new policy ideas to help confront 
the emergence of new threats. We have seen policy makers increasingly 
consider incident reporting as a potentially appropriate tool to 
improve Government's ability to leverage its resources toward not only 
helping victim organizations recover from incidents, but ideally to 
help protect others from similar threats or vulnerabilities. If 
narrowly scoped and carefully crafted, we believe that an incident 
reporting regime can help improve the Nation's digital resilience and 
security.
    We commend the subcommittee for its leadership on this issue and 
its commitment to developing an effective and efficient cybersecurity 
incident reporting regime. As a general matter, we appreciate that the 
Cyber Incident Reporting for Critical Infrastructure Act of 2021 
(hereafter ``the Act'') leaves many of the details to be worked out 
through a rule-making process in which CISA solicits feedback from 
stakeholders, as opposed to laying out stringent requirements in 
statute.
    Just last month ITI published our Policy Principles for Cyber 
Incident Reporting in the United States (hereafter ``Policy 
Principles'') to help inform on-going efforts domestically, which is 
attached as an Appendix to my testimony (see Appendix A). We make ten 
recommendations to policy makers in the Policy Principles, all of which 
we encourage the subcommittee to take into account as it considers 
incident reporting legislation and works on further refinements to the 
Act. We also led a recent multi-association letter to Congress 
stressing several key areas aligned with our principles that should be 
included in any incident reporting legislation.\2\
---------------------------------------------------------------------------
    \2\ Letter available here: https://www.itic.org/documents/
cybersecurity/MultiassnLetter-SecurityIncidentReporting-
08.27.2021FINALFINAL.pdf.
---------------------------------------------------------------------------
    After briefly providing important context to help inform the 
current security incident reporting debate, I will focus the bulk of my 
written testimony on five recommendations that were included in our 
Policy Principles, as well as the above-referenced multi-association 
letter, including: (1) Establishing feasible reporting time lines of no 
less than 72 hours; (2) ensuring appropriate confidentiality, 
nondisclosure, and liability protections; (3) limiting reporting to the 
impacted organization, rather than third-party vendors or providers; 
(4) harmonizing Federal cybersecurity incident reporting requirements; 
and (5) limiting reporting to verified intrusions and incidents. My 
testimony concludes by stressing the importance of seizing the 
opportunity to develop a workable security incident notification regime 
while preserving CISA's collaborative role with private-sector 
partners.
               i. security incident reporting in context
    Devising a successful cybersecurity incident reporting regime 
requires an understanding of adjacent and overlapping cybersecurity 
information sharing and data breach notification measures, as well as 
the evolving global policy debates regarding this issue.
a. Clarifying and Understanding Terms Can Help Efficiently Harmonize 
        Requirements
    In thinking about security incident reporting, it is essential that 
policy makers and other stakeholders recognize that it is distinct from 
other concepts with which it is often confused: Primarily, data breach 
notification and cybersecurity threat information sharing. Security 
incident notification such as that contemplated by the Act requires 
organizations to report on the details of a cybersecurity incident that 
has already occurred to help increase visibility into such events; data 
breach notification requirements are also triggered post-incident but 
relate specifically to reporting details regarding the unauthorized 
access to or disclosure of personally identifiable information or other 
sensitive data for privacy purposes. Importantly, policy makers should 
consider that in some instances a single incident could trigger both 
types of notification and reporting requirements and should consider 
how to reduce potential inefficiencies in reporting. Both of the 
preceding two concepts are distinct from cyber threat information 
sharing, which refers to the proactive sharing of threat information to 
help all entities better understand cybersecurity threats and take 
steps to prevent future cyber attacks. Given the subcommittee's intent 
to leverage the Cybersecurity Information Sharing Act of 2015 (CISA 
2015) in the security incident reporting context, including to extend 
CISA 2015's liability protections, it is critical to understand both 
the differences and similarities between the two concepts. We further 
elaborate on all three of these concepts in our Policy Principles (see 
Appendix A).
b. The Global Policy Debate Can Help Inform U.S. Policy
    ITI is an active participant in policy conversations on 
cybersecurity incident reporting globally. Indeed, it is not only the 
United States that is considering implementing a mandatory incident 
reporting regime. Europe, in the proposal for a revised Network and 
Information Systems Directive (NIS 2 Directive), as well as Australia, 
in their Security Legislation Amendment (Critical Infrastructure) Bill 
of 2020, which revises the Security of Critical Infrastructure Bill of 
2018, are contemplating mandatory incident reporting as a way to 
increase Government visibility into cybersecurity events.\3\ We have 
similarly encouraged both the European Commission and the Australian 
Government to adopt the principles discussed in my testimony and 
referenced in ITI's Policy Principles.\4\ These global efforts are 
relevant and important to consider as Congress seeks to develop 
legislation that establishes a mandatory incident reporting regime, as 
the subcommittee acknowledges in the Act by requiring the CISA director 
to align the reporting requirements CISA develops with international 
standards.
---------------------------------------------------------------------------
    \3\ Security Legislation Amendment (Critical Infrastructure) Bill 
of 2020, first reading text, available here: https://
parlinfo.aph.gov.au/parlinfo/download/legislation/bills/r6657_first-
reps/toc_pdf/20182b01.pdf;fileType=application%2Fpdf; proposal for NIS 
2 Directive text, available here: https://digital-
strategy.ec.europa.eu/en/library/proposal-directive-measures-high-
common-level-cybersecurity-across-union.
    \4\ ITI Comments on NIS 2 Directive, available here: https://
ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/
12475-Cybersecurity-review-of-EU-rules-on-the-security-of-network-and-
information-systems/F2004660_en; ITI Comments on Security Legislation 
Amendment Bill of 2020, available here: https://www.aph.gov.au/
DocumentStore.ashx?id=04c36c84-3067-4ffb-bec2-
53c780079a02&subId=701444.
---------------------------------------------------------------------------
  ii. recommendations for a successful security incident notification 
                                approach
    ITI's Policy Principles set forth ten recommendations that policy 
makers should incorporate to develop and implement a successful 
cybersecurity incident notification regime. While all of these 
recommendations are important, my testimony focuses on five key 
recommendations below. Please refer to the Policy Principles at annex 
for the full set of recommendations.
a. Establish Feasible Reporting Time Lines
    In our Policy Principles, we recommend that any legislation allow 
for reasonable reporting time lines commensurate with incident severity 
levels, but of no less than 72 hours. Ensuring that time lines are 
feasible is important for a number of reasons, including:
    Allowing companies sufficient time to determine what has 
occurred.--Requiring an entity to report an incident on a shorter time 
line may be insufficient for companies to determine the nature of the 
issue--is it a cyber attack or is it merely a network outage? In the 
early hours following the discovery that something anomalous has 
occurred, our companies are focused on figuring out what has happened 
and developing a response plan. Indeed, the primary initial focus for 
companies should be on identifying and responding to malicious 
activities, rectifying the problem, and ensuring (or restoring) 
business continuity.
    Upholding cybersecurity while a company investigates the issues.--A 
shorter time line for reporting may also serve to undermine 
cybersecurity, in that such a requirement can expose information about 
an incident before a patch is applied or operations are restored, 
making operators and their customers vulnerable to additional attacks 
by hackers.
    Ensuring resources are leveraged appropriately and ensuring the 
incident is properly contextualized.--Requiring reporting on a shorter 
time line may also divert limited Government resources away from 
addressing incidents that are actually having a significant impact. If 
entities are required to report incidents before they have the 
opportunity to verify what has occurred, an agency such as CISA runs 
the risk of being inundated with reports that do not offer meaningful 
information or otherwise lack the appropriate context. It is incredibly 
difficult to narrow the scope on the back end when an agency is sifting 
through reports trying to retroactively determine what is important. 
Instead, the focus should be on only requiring incident reporting of 
severe and significant attacks that cause actual disruption or loss and 
that include specific parameters.
    Aligning with global best practices.--A 72-hour time line also 
aligns with global best practices, which we believe is of great 
importance to facilitating interoperability of approaches. For example, 
the German IT Security Act and various state-level notification 
requirements in the United States allow for a reporting window of 72 
hours.\5\ Article 33 of the EU's General Data Protection Regulation 
(GDPR) also states that in the case of a personal data breach, impacted 
companies shall without undue delay and, where feasible, not later than 
72 hours after having become aware of it, notify the personal data 
breach to the competent supervisory authority.
---------------------------------------------------------------------------
    \5\ German IT Security Act 2.0 available here: https://
www.bundesrat.de/SharedDocs/beratungsvorgaenge/2021/0301-0400/0324-
21.html; Regarding state-level time lines, see, e.g., New York 
Department of Financial Services reporting requirements: https://
www.crowell.com/NewsEvents/AlertsNewsletters/all/Newly-Proposed-Cyber-
Reporting-Rules-for-Banking-Organizations.
---------------------------------------------------------------------------
    We appreciate that as currently drafted, Subsection (d)(5) of the 
Act makes clear that the CISA director may not require reporting any 
earlier than 72 hours after an entity has confirmed that an incident 
has occurred. We also stress that requiring a formal report on a 
verified, significant incident should not preclude an impacted 
organization from voluntarily providing less-fulsome notifications to 
CISA on a more flexible time line. Indeed, should an entity want to 
notify CISA of an event before a formal report is finalized and 
submitted, it should have the ability to do so. Section (f) of the Act 
seems to contemplate such a layered approach, which would allow for an 
initial voluntary, preliminary notification to CISA, with more 
substantial reporting coming once the impacted organization has 
confirmed that an incident reached the severity metrics established in 
the IFR called for by the Act.
b. Maintain Appropriate Confidentiality, Nondisclosure, and Liability 
        Protections
    In ITI's Policy Principles we also stress the importance of 
ensuring the confidentiality of information provided in incident 
reports. It is imperative to have strong and transparent rules about 
the confidentiality of incident information that is shared with or by 
Federal agencies in order to cultivate trust in the process and between 
the private and public sectors. Such rules should govern not only the 
dissemination of incident information with relevant interagency 
partners but should specifically preclude direct or indirect regulatory 
use of such information. Such rules should additionally govern how 
unclassified information on a specific incident is further shared with 
the U.S. Government, other governments, and with nongovernmental 
entities. These rules must be crafted to guarantee compliance with 
existing legal regimes, including contractual and privacy obligations.
    This is an area that we believe could be strengthened in the Act. 
Indeed, it is our view that the language surrounding how the 
information provided in an incident report can be used based on the 
Act's Subsection (e): (1) Does not provide a sufficient level of 
confidentiality for industry partners. The language lays out broad 
circumstances where information can be shared (i.e., for a 
``cybersecurity purpose''), but it does not provide details as to how 
that information will be protected from disclosure. We believe that the 
Act should define clear confidentiality and privacy requirements 
regarding the use of such information and that it should require that 
any information that is further disseminated is scrubbed of all 
identifying information of the entity that provided it.
    We also make the point in our Policy Principles that it is 
important that policy makers ensure that there are appropriate 
liability protections maintained in incident reporting legislation, so 
that information provided in a report cannot later be used against an 
entity. Of course, if there are instances in which entities have 
engaged in unlawful misconduct, such liability protections would not 
apply. We also believe that security incident reporting legislation 
should make clear that cybersecurity incident reports shared with the 
U.S. Government should be exempt from FOIA requests. Given this 
recommendation, we welcome the Act's provisions in Section (f) which 
offer protection to entities that report or provide information under 
Section 106 of CISA 2015. At the same time--and this is an issue which 
extends beyond the specific legislation that is being considered at 
present--we believe that the language in CISA 2015, which is primarily 
limited to ``cyber threat indicators,'' may well need to be updated to 
include the categories of incident reporting information that are 
ultimately required to be included in the reports submitted to CISA 
under the Act. Adding such definitional clarity to CISA 2015 itself 
will help to ensure that entities receive liability protection for all 
relevant information that is shared, whether through voluntary cyber 
threat indicator sharing, or mandatory or voluntary incident reports 
provided to CISA under the Act.
c. Limit Reporting to the Impacted Entity
    Another question that arises not only in the domestic conversation 
on incident reporting but in the global conversation as well is who is 
responsible for reporting an incident to the competent authority (CISA, 
in the case of the Act). We believe that the reporting obligation 
should fall only on the impacted entity, and that vendors or third-
party service providers should not be required to report cybersecurity 
incidents to the U.S. Government that have occurred on their customers' 
networks.
    An incident reporting requirement with a broader scope would pose 
numerous challenges to many organizations' normal business operations, 
including potentially forcing vendors or third parties to disclose 
business confidential information of impacted customers or breach their 
contractual obligations. Such a requirement, if scoped broadly to 
incorporate third parties and vendors, may also result in duplicative 
incident reports which, as mentioned previously, could inundate CISA 
with multiple duplicative reports that they then must sift through, 
diverting limited resources away from meaningfully addressing 
significant cybersecurity incidents.
d. Streamline Incident Reporting Requirements
    There are currently several different measures that govern Federal 
cybersecurity incident reporting, making for a complex and often 
confusing landscape. Numerous Federal agencies currently have disparate 
incident reporting requirements, many of which are just starting to be 
implemented. For example, the banking sector is subject to multiple 
specific notification requirements (see, e.g., 12 CFR part 30, appendix 
B, supp. A (OCC); 12 CFR part 208, appendix D-2, supp. A, 12 CFR 
211.5(l), 12 CFR part 225, appendix F, supp. A (Board); 12 CFR part 
364, appendix B, supp. A (FDIC) (italics omitted); NPRM on Computer 
Security Incident Reporting Requirements for Banking Organizations and 
their Bank Service Providers) as is the defense industrial base (see 32 
CFR  236.4--Mandatory cyber incident reporting procedures). There are 
also reporting requirements captured in FISMA (see 44 U.S.C.  3553-54 
& associated Binding Operational Directive 16-03); FedRAMP Incident 
Communications Procedures; NERC Incident Reporting and Response 
Planning as required by FERC; and the US-CERT Federal Incident 
Notification Guidelines. Additionally, Section 2 of the President's 
Executive Order on Improving the Nation's Cybersecurity includes a 
number of provisions aimed at improving incident reporting on the part 
of Federal contractors. There may also be interactions with existing 
privacy reporting requirements or with law enforcement processes. And 
additionally, as alluded to above, various State laws impose data 
breach reporting requirements, often stemming from the same incidents.
    To alleviate the confusion that is brought about by this complex 
incident reporting landscape, we urge Congress in our Policy Principles 
to harmonize existing regulatory reporting requirements to ensure that 
companies are more efficiently able to report incidents and are not 
subject to contradictory, duplicative, or otherwise confusing reporting 
requirements that may serve to hamper the notification process. We also 
recommend that reported information be aggregated, anonymized, 
analyzed, and shared in a manner that facilitates the mitigation and/or 
prevention of future cyber incidents.
    All that being said, we appreciate that the Act recognizes in 
Subsections (d)(7)(A) and (B) that covered entities may be subject to 
existing regulatory requirements, and that it directs the CISA director 
to consider those existing regulatory requirements in establishing 
reporting requirements for covered entities, including working with 
other regulatory authorities to see whether and how streamlining is 
feasible. While we appreciate the inclusion of this provision, the Act 
currently does little to actually lessen the regulatory burden. We 
recommend adding language that clarifies that CISA should leverage 
existing channels to collect incident information whenever possible, 
including having existing interfaces such as the FBI, SEC, and 
financial sector regulators provide updates based on engagement with 
the private sector. This could be accomplished by directing the Office 
of Management and Budget to issue guidance to Federal regulators and 
law enforcement requiring agencies to share information related to 
covered incidents against covered agencies with the Cyber Incident 
Review Office.
e. Establish Appropriate Reporting Thresholds and Limit Reporting to 
        Verified Incidents
    We appreciate that the Act attempts to establish minimum thresholds 
for reporting a ``covered incident'' based on a risk-based, analytical 
model. We consistently encourage policy makers to take a risk-based 
approach to cybersecurity, and incident reporting is no exception. It 
is important that the threshold for requiring an incident report is 
sufficiently narrow and clearly delineated. Reporting requirements 
should include specific parameters and be mapped to objective criteria, 
and incident severity levels should be related to identifiable harms, 
such as to public health and safety, or operational disruption.\6\ 
However, the considerations outlined in the Act's Subsection (4)(A) 
introduce ambiguity that is not resolved in the minimum threshold 
language outlined in Subsection (4)(B). Relatedly, providing additional 
rigor around what constitutes a ``significant cyber incident'' would be 
helpful.
---------------------------------------------------------------------------
    \6\ Currently, the United States approach to categorizing cyber 
incidents in the National Cyber Incident Response Plan defines a 
``Significant Cyber Incident'' as a cyber incident that is (or group of 
related cyber incidents that together are) likely to result in 
demonstrable harm to the National security interests, foreign 
relations, or economy of the United States or to the public confidence, 
civil liberties, or public health and safety of the American people.
---------------------------------------------------------------------------
    In our Policy Principles, we recommend that policy makers explore 
the idea of an incident categorization matrix, which can represent the 
severity of an incident more accurately, therefore allowing for 
prioritization of incidents. We believe that a similar concept would be 
useful to introduce here and encourage the subcommittee to include 
language that directs CISA, in conjunction with interagency partners, 
to develop such an incident categorization matrix. A categorization 
matrix can be used to help determine the severity of, and potential 
for, actual harm posed by an incident more accurately, helping to 
prioritize incidents and ultimately enabling more precise reporting. 
Focused reporting that is limited to severe incidents that may result 
in actual harm reduces the burden on information security teams and 
frees up resources for the essential tasks of examining and remediating 
incidents and securing an organization's systems.
    Similar approaches have been proposed by CISA and have already been 
adopted by the United Kingdom (UK) and Australia. The United Kingdom's 
National Cyber Security Center developed a Cyber Attack categorization 
system, with incidents broken down into six categories, ranging from a 
category 1 national cyber emergency to a category 6 localized incident. 
Along with breaking out incidents into categories, the United Kingdom's 
matrix includes a definition of the type of incident, information about 
who responds to that incident, and what activities responders should 
undertake.\7\ This approach helps lend additional clarity to 
determining the severity of an incident and allows for resources to be 
deployed more efficiently. Australia has developed a similar Cyber 
Incident Categorization Matrix, which lays out similar categories 
ranging from 1-6 and provides illustrative examples of the types of 
incidents and impacted entities that fall in a given category. This 
matrixed approach allows the Australian Cybersecurity Centre to triage 
incident reports and respond appropriately based on level of impact.\8\
---------------------------------------------------------------------------
    \7\ Overview of NCSC cyber categorization matrix available here: 
https://www.ncsc.gov.uk/news/new-cyber-attack-categorisation-system-
improve-uk-response-incidents.
    \8\ Matrix available at https://www.transparency.gov.au/annual-
reports/australian-signals-directorate/reporting-year/2019-20-6.
---------------------------------------------------------------------------
    We applaud the committee's focus on incidents that produce actual 
harms as established by the minimum thresholds for a ``covered 
cybersecurity incident'' as set forth in Subsection (4)(b). This 
emphasis on incidents that cause disruption of business operations, 
compromises of the integrity or confidentially of data, and loss of 
services ensures CISA's limited resources can be effectively and 
efficiently leveraged. We were pleased to see that the Act focuses on 
such confirmed incidents, as we have observed a somewhat troubling 
trend in proposed incident reporting policies globally which require 
entities to report ``potential'' incidents or ``near misses.'' In our 
view, requiring the reporting of ``potential'' incidents does little to 
improve cybersecurity and could inadvertently create an information 
overload, preventing the competent authority from prioritizing actual, 
confirmed incidents, and undertaking appropriate action to respond, 
particularly when it is not clear what would constitute a ``potential'' 
incident. As we noted in the multi-association letter and in our Policy 
Principles, reporting verified or confirmed incidents that have been 
well-defined and scoped will help to avoid a culture of overreporting 
that will strain limited incident response capacity and capabilities 
inside and outside the Government. It will also help ensure that 
information received is useful and actionable.
 iii. prioritizing partnership and collaboration puts cisa in the best 
            position for success in cyber incident reporting
    ITI has long advocated that public-private partnerships are 
essential to improving cybersecurity, and CISA and its predecessor 
entities at the Department of Homeland Security have been established 
as key partners to industry on issues such as cybersecurity threat 
information sharing and supply chain risk management. These 
partnerships are essential to: (1) Identify potential threats; (2) 
understand how and to what extent risks can be managed; and (3) 
determine what actions should be taken to address risks without 
yielding unintended consequences. The Act we are discussing today 
acknowledges that Government and industry often have access to unique 
information sets; this is certainly the case in the context of a 
security incident, which is why sharing or reporting certain categories 
of information can help all relevant stakeholders see the complete 
picture, increasing situational awareness, and driving more effective 
operational collaboration in response to significant incidents.
    The private sector ICT community has not only been foundational in 
developing the infrastructure of cyber space but, for well over a 
decade, in providing leadership, innovation, and stewardship in all 
aspects of cybersecurity, including helping to develop and 
participating in numerous public-private partnership structures and 
efforts. For example, global ICT companies have long participated in 
sector coordinating councils (SCC), self-organized, self-governed 
councils that allow owners and operators of critical infrastructure to 
engage on a range of cybersecurity strategies, policies, and activities 
with CISA and other U.S. Government counterparts, and also participate 
in the ICT SCRM Task Force launched in 2018. I am pleased to serve as 
the vice chair of the ITSCC and to work closely with my counterparts in 
the Communications SCC, as well as CISA and other U.S. Government 
partners as co-chair of the ICT SCRM Task Force.
    We believe that if an incident reporting regime is crafted 
carefully, it can be a helpful tool to improve Federal agencies' 
situational awareness into cybersecurity incidents as well as to drive 
improvements in operational collaboration between CISA and industry. In 
order to realize such an effort, CISA's role as a trusted and 
collaborative partner to industry must be preserved, if not 
strengthened, as it must be able to continue to engage with relevant 
stakeholders, including critical infrastructure owners and operators, 
on not just the cybersecurity incident notification and reporting 
requirements contemplated here but on the array of other important and 
on-going cybersecurity and supply chain risk management partnership 
activities referenced above.
    This is an important moment in the history of CISA, still a 
relatively new agency that has had to adapt itself to meet what seems 
like a new set of threats and challenges every year. The legislation 
under consideration by this subcommittee holds the promise of not only 
developing an effective and efficient cybersecurity incident reporting 
regime, but in doing so in a way that preserves the partnership and 
collaborative model that this subcommittee set out when it created CISA 
3 years ago. We urge the subcommittee to ultimately adopt legislation 
that achieves both of these goals.
                               conclusion
    Members of the subcommittee, ITI and our member companies once 
again commend you for your leadership on this issue. We appreciate your 
approach to engaging with stakeholders to ensure the partnership model 
that CISA was founded on will be protected and continue to evolve as it 
tackles these new threats. We encourage you to keep both the 
partnership model and goal of improving operational collaboration in 
mind as you consider how to best refine the Act in order to lend 
additional clarity to questions around issues including minimum 
thresholds for incident reporting, confidentiality and liability 
protections, and conflicting or duplicative reporting requirements.
    ITI stands ready to provide the subcommittee with any additional 
input and assistance as it seeks to develop an approach to 
cybersecurity incident reporting for critical infrastructure owners and 
operators. And we reiterate our request that the subcommittee consider 
our full set of Policy Principles, which, when taken together, will 
help policy makers to structure a clear, straightforward incident 
reporting regime that provides actionable, appropriately contextualized 
information.
    I would like to again thank the Chair, Ranking Member, and Members 
of the subcommittee for inviting me to testify today and for your 
interest in and examination of this important issue. I look forward to 
your questions.
    Thank you.
 Appendix A.--ITI Policy Principles for Security Incident Reporting in 
                                the U.S.
                               july 2021
    The SolarWinds compromise has demonstrated how the cyber threat 
landscape is constantly evolving, resulting in the emergence of new 
threats. In search of a suitable policy response, policy makers have 
increasingly turned to incident reporting policy regimes as a 
potentially appropriate tool. The proposals introduced to date often 
conflate multiple issues and misunderstand the goals and the 
applicability of security incident reporting.
    ITI recognizes the importance of cybersecurity incident reporting 
to inform actions to respond to incidents and to contain or prevent 
further impacts. ITI views the concepts related to security incident 
reporting as distinct from those of cyber threat information sharing or 
a data breach notification (see box for details). If a report provides 
sufficient technical details about the suffered incident, Federal 
agencies can understand the nature of the attack and take steps to 
mitigate the associated risk. Likewise, actionable reporting may help 
Government officials to prioritize incident response assistance to 
affected organizations, particularly while dealing with an active 
campaign targeting multiple organizations. This assumes that affected 
organizations required support and that the principles articulated 
below have been fully adopted.
    As such, if carefully crafted, incident reporting has the potential 
to be a helpful policy lever. It is through this lens that we offer our 
recommendations on several key areas that policy makers should consider 
in developing an effective, efficient security incident reporting 
regime.
    Security incident reporting is distinct from other concepts with 
which it is often confused: Data breach notification and cyber threat 
information sharing. While some incidents may blur the line between 
these concepts, it is important to understand the difference between 
these terms and what each process is meant to achieve.
    Security Incident Reporting focuses on the past because it reports 
on the details of a cybersecurity incident that has already occurred. 
This could include the vector of compromise, the systems and 
information compromised or targeted by the attacker, and any attributes 
of the attacker's behavior. Reports may focus on the actual or the 
potential harm caused by an incident. Information conveyed in the 
reporting highly depends on the reporting time line, reporting purpose 
(and use) and segment needs.
    Data Breach Notification relates specifically to the unauthorized 
access to or disclosure of personally identifiable information or other 
sensitive privacy data. In the United States, there are more than 50 
State and local laws focused on data breach notification.
    Cyberthreat Information Sharing focuses on the future and refers to 
the proactive sharing of threat information to help all entities 
understand threats and take steps to prevent successful cyber attacks. 
Threat information sharing should be voluntary and may include 
indicators such as anomalous network activity or methods of 
circumventing security controls.
          develop and adopt an incident categorization matrix
    Policy makers should ensure that the threshold for reporting 
requirements is mapped to specific objective criteria and specific 
incident severity levels related to identifiable harms, such as to 
public health and safety, or operational disruption.\1\ Reporting 
requirements should only focus on severe and significant attacks that 
cause actual disruption or loss and should include specific parameters. 
An incident categorization matrix \2\ can represent the severity of an 
incident more accurately which helps with the prioritization of 
incidents and ultimately supports more precise reporting. Focused 
reporting that is limited to severe incidents reduces the burden on 
information security teams and frees resources for the essential tasks 
of examining and remediating incidents and securing the organization's 
systems. Moreover, it reduces the likelihood of an informational 
overload for applicable authorities that would undermine their ability 
to prioritize responses and divert limited agency resources from 
critical risk mitigation activities. These considerations are also key 
in the context of defining the scope and object of reporting (e.g., 
avoiding the confusion of ``incident'' with other concepts or expanding 
to ``potential'' incident reporting). We recommend policy makers 
advance the joint understanding of the matrix and severity concept, by 
facilitating a consensus-driven processes.
---------------------------------------------------------------------------
    \1\ Currently, the U.S. approach to categorizing cyber incidents in 
the National Cyber Incident Response Plan defines a ``Significant Cyber 
Incident'' as a cyber incident that is (or group of related cyber 
incidents that together are likely to result in demonstrable harm to 
the National security interests, foreign relations, or economy of the 
United States or to the public confidence, civil liberties, or public 
health and safety of the American people.
    \2\ Similar approaches have been proposed by CISA and are already 
adopted by the United Kingdom and Australia.
---------------------------------------------------------------------------
  establish feasible reporting time lines commensurate with incident 
                             severity level
    Any incident reporting legislation should ensure that time lines 
are aligned with global best practices. The required time lines should 
be commensurate with incident severity levels but allow for at least a 
72-hour reporting window after an entity has verified the incident. 
Anything shorter is unnecessarily brief and injects additional 
complexity at a time when entities are more appropriately focused on 
the difficult task of understanding, responding to, and remediating a 
cyber incident. Shorter time lines also greatly increase the likelihood 
that the entity will report inaccurate or inadequately contextualized 
information that will not be helpful, potentially even undermining 
cybersecurity response and remediation efforts.
   limit responsibility for reporting only to the compromised entity
    Any legislation should ensure that the reporting obligation falls 
only on compromised entities. Vendors and third-party service providers 
should not be required to report cybersecurity incidents to the U.S. 
Government that have occurred on their customers' networks. Such a 
requirement would pose numerous challenges to normal business 
operations, including potentially forcing vendors or third parties to 
disclose business confidential information of that customer or breach 
their contractual obligations.
  ensure confidentiality and appropriate protections around sensitive 
information shared with federal agencies, including against regulatory 
                                  use
    It is imperative to have strong and transparent rules about the 
confidentiality of incident information that is shared with or by 
Federal agencies. Such rules should govern not only the dissemination 
of incident information with relevant interagency partners but should 
specifically preclude direct or indirect regulatory use of such 
information. Such rules should additionally govern how unclassified 
information on a specific incident is further shared with the U.S. 
Government, other governments, and with nongovernmental entities. These 
rules must be crafted to guarantee compliance with existing legal 
regimes, including contractual and privacy obligations. A designated 
centralized reporting agency should provide a secure method of 
communication. This could be as simple as publishing a PGP encryption 
key or using the Traffic Light Protocol (TLP). Trust is essential.
  establish targeted liability protections and appropriate exemptions 
               from the freedom of information act (foia)
    Entities providing incident reports should receive liability 
protections for providing such information to Federal agencies, 
including engaging in activities related to monitoring or network 
awareness of their information systems, other than in instances where 
entities engage in willful misconduct. Additionally, cybersecurity 
incident reports shared with the U.S. Government should be exempt from 
FOIA requests.
    harmonize federal cybersecurity incident reporting requirements
    There are currently several different measures that govern Federal 
cybersecurity incident reporting, making for a complex and oftentimes 
confusing landscape.\3\ To alleviate such confusion, Congress should 
consider harmonizing existing regulatory reporting requirements to 
ensure the efficient sharing of covered cybersecurity incidents.
---------------------------------------------------------------------------
    \3\ See, for example, banking sector notification requirements: 12 
CFR part 30, appendix B, supp. A (OCC); 12 CFR part 208, appendix D-2, 
supp. A, 12 CFR 211.5(l), 12 CFR part 225, appendix F, supp. A (Board); 
12 CFR part 364, appendix B, supp. A (FDIC) (italics omitted); NPRM on 
Computer Security Incident Reporting Requirements for Banking 
Organizations and their Bank Service Providers; defense industrial base 
mandatory reporting requirements: 32 CFR  236.4--Mandatory cyber 
incident reporting procedures; FISMA reporting requirements: 44 U.S.C. 
 3553-54 & associated Binding Operational Directive 16-03; FedRAMP 
Incident Communications Procedures; NERC Incident Reporting and 
Response Planning as required by FERC; and US-CERT Federal Incident 
Notification Guidelines.
---------------------------------------------------------------------------
 designate a single point of contact for companies to report security 
                   incidents to within the government
    Incident response and recovery resources are in short supply. To 
effectuate the efficient use of limited resources, the Federal 
Government should designate, and adequately fund, a single point of 
contact for all companies that need to report an incident. If existing 
reporting requirements have not been harmonized and sector-specific 
reporting requirements remain in place, impacted organizations should 
not be required to report an incident twice. All future legislative 
proposals should designate CISA as the single point of contact where no 
sector-specific regulator exists, and appropriate resources should be 
allocated for that purpose.
         define an appropriate and flexible reporting template
    All incident reports should follow a standardized template to 
ensure consistent reporting across agencies and industries. Consensus-
driven processes are needed to refine the elements of such a template 
to ensure consistency with existing frameworks, like MITRE ATT&CK or 
VERIS, and international industry best practices, as well as to ensure 
that the template fits the needs and existing practices of a particular 
sector. Reporting entities can use such a template to report the most 
relevant information where available. By way of example, the template 
may include appropriate and reasonably obtained information on: (1) The 
attack vector or vectors that led to the compromise; (2) the indicators 
of compromise; information on the affected systems, devices, or 
networks; (3) information relevant to the identification of the threat 
actor or actors involved; (4) a point of contact from the affected 
entity; and (5) impact, earliest known time, and duration of 
compromise.\4\ Entities should have the option to report additional 
types of information on cybersecurity incidents to help to identify 
emerging trends or otherwise preempt attacks. Entities should also not 
be penalized for or precluded from reporting an incident if all 
information, including the information proposed in this list, is not 
available.
---------------------------------------------------------------------------
    \4\ This initial list is based on the following CISA documents: 
https://www.cisa.gov/sites/default/files/publications/
Law%20Enforcement%20Cyber%20Incident%20Reporting.pdf https://
www.cisa.gov/sites/default/files/publications/Non-
Federal%20Entity%20Sharing%20Guid- 
ance%20under%20the%20Cybersecurity%20Information%20Sharing%20Act%20of%- 
202015_1.pdf; other resources are available: https://us-cert.cisa.gov/
sites/default/files/publications/Federal_Incident_Notification_Guide- 
lines.pdf.
---------------------------------------------------------------------------
  align reporting processes and mechanisms to ensure consistency with 
   industry best practices and allow for bi-directional information 
                                sharing
    The protocols and mechanisms of reporting an incident should be 
consistent with existing frameworks, recognized sectoral, 
international, and industry best practices. To ensure incident 
information is shared quickly and continuously, sections 2.f and 2.g of 
Executive Order 14028 direct improvements to the inter-agency sharing 
of incident information. In addition to these provisions, Federal 
agencies also need to streamline legal agreements involving industry 
partners to allow for bi-directional sharing of incident information.
      build agency capability to act on security incident reports
    Security incident reporting will be of limited utility if the 
designated recipient agency does not have the capacity to ingest and 
act on the information it receives. A manual-intensive approach will 
quickly max out resources and elevate the risk that important alerts 
are inadvertently missed. Before a security incident reporting scheme 
is established, the designated recipient agency should have the 
capability to automate data collection so that internal data can be 
cross-referenced with externally available data. This will inform and 
improve the orchestration of incident response actions.

    Ms. Clarke. We thank you for your expert testimony here 
today, Mr. Miller.
    I now recognize Mr. Mayer to summarize his statement for 5 
minutes.

       STATEMENT OF ROBERT MAYER, SENIOR VICE PRESIDENT, 
                   CYBERSECURITY, US TELECOM

    Mr. Mayer. Good afternoon, Ranking Member Garbarino, 
Chairwoman Thompson, and Ranking Member Katko, and other 
distinguished Members of the committee, thank you for the 
opportunity to testify at today's hearing to express our 
industry support for the provisions included in the Cyber 
Incident Reporting for Critical Infrastructure Act of 2021.
    My name is Robert Mayer, and I am the senior vice president 
for Cybersecurity and Innovation at USTelecom, the broadband 
association representing broadband providers, suppliers, and 
innovators connecting our families, communities, and 
enterprises. My diverse membership ranges from large publicly-
traded global communications providers, manufacturers, and 
technology enterprises to local companies and cooperatives, all 
providing advanced communication services to markets, urban and 
rural, and everything in between.
    I also serve as the chair of the Communications Sector 
Coordinating Council, which represents five communication 
segments: Broadcast, cable, satellite, wireless, and wire line 
and as co-chair of the Department of Homeland Security 
Information and Communications Technology Supply Chain Risk 
Management Task Force. In all of these roles, I have seen 
first-hand how the cybersecurity threats we face are real and 
growing.
    On an almost daily basis, we learn of attacks by nation-
state adversaries and global criminal enterprises that disrupt 
or exploit access to functions that support our daily lives. We 
in industry recognize the core interest of Government in 
enhancing the Nation's cybersecurity and the key role of 
Government-industry partnership in doing so, including through 
more robust and coordinated information sharing and incident 
reporting and response. We also recognize the unique resources 
the Government has available to aid private-sector 
organizations when responding to a major cybersecurity crisis.
    For these reasons, I am here today to express our industry 
support for legislation that would establish cyber incident-
reporting capabilities within CISA. We believe that the 
following elements are critical success factors in any incident 
reporting regime, and we are encouraged to see that they are 
included in the current proposal.
    First, when a cybersecurity incident occurs, impacted 
organizations need time to investigate the incident, determine 
whether reporting criteria have been met, and comply with 
applicable best practices. The proposed legislation provides 
for a reporting window that is flexible and large enough for 
industry to triage the incident.
    Second, defining reporting thresholds is a highly technical 
exercise that requires extensive subject-matter expertise. The 
thresholds need to be specific enough to avoid ambiguity so 
that industry knows exactly how to comply. The legislation 
under consideration directs Federal agency experts to define 
thresholds in consultation with industry. Moreover, to avoid 
undermining the system with overreporting, only confirmed 
cybersecurity incidents that will be reported, not potential or 
unverified incidents. This grounds the thresholds and criteria 
that are verifiable, attributable, and actionable.
    Third, the legislation strives to protect the Government's 
industry partners when they are victims of cyber attacks. By 
building upon liability protections afforded in the 
Cybersecurity Information Sharing Act of 2015, the stage is set 
for strong, legal, and conceptual foundation for such 
protections.
    Fourth, when the Government collects sensitive information 
from industry partners, it has a responsibility to protect that 
information. To that end, the legislation includes provisions 
to ensure data from incident reports is not shared 
inappropriately or leaked once it is provided to CISA.
    Fifth, any policy requiring ISPs to report customers' 
incidents would be cause for concern on a number of grounds, 
including public policy and privacy concerns, disruptions to 
business relationships, and operations and possible legal 
issues associated with those kinds of disclosures. The 
reporting obligations in the proposed legislation reside with 
the victims of cyber attacks and not intermediaries or third 
parties.
    In addition to the above critical success factors that are 
included in the bill, we are further encouraged by the 
following aspects of the proposed legislation. Cyber incident 
reporting is best enforced with subpoenas rather than fines. 
The legislation under consideration today wisely relies on 
subpoenas rather than fines as an enforcement mechanism for 
cybersecurity reporting.
    CISA should serve as a central hub for information sharing 
and incident reporting. This legislation appropriately directs 
CISA to shape and maintain this reporting and information-
sharing program. CISA is uniquely well-suited to serve as a 
central hub for cybersecurity information sharing and incident 
reporting. While CISA has a central role to play, a new 
reporting concert should take into account that other Federal 
agencies will consider to be engaged with the private sector.
    Recognizing that cybersecurity is a shared responsibility 
across the ecosystem, we appreciate that the legislation 
requires the U.S. Government to take its obligations to report 
and share cybersecurity information seriously, just as industry 
takes its own obligations seriously. USTelecom and the 
communications sector stand ready to work with the committee to 
advance this legislation and will continue to collaborate in 
partnership with CISA to continuously advance our Nation's 
cybersecurity, risk management, management, and response 
capabilities.
    Thank you for your leadership and for prioritizing this 
critical issue. I look forward to your questions.
    [The prepared statement of Mr. Mayer follows:]
                   Prepared Statement of Robert Mayer
                      Wednesday, September 1, 2021
    Chairwoman Clarke, Ranking Member Garbarino, Chairman Thompson, and 
Ranking Member Katko and other distinguished Members of the committee, 
thank you for the opportunity to testify at today's hearing to express 
our industry's support for the provisions currently included in the 
Cyber Incident Reporting for Critical Infrastructure Act of 2021.
    My name is Robert Mayer, and I am the senior vice president for 
cybersecurity & innovation at USTelecom--The Broadband Association, 
representing broadband providers, suppliers, and innovators connecting 
our families, communities, and enterprises. Our diverse membership 
ranges from publicly-traded global communications providers, 
manufacturers, and technology enterprises, to local Main Street 
companies and heartland cooperatives--all providing advanced 
communications services to markets, both urban and rural, and 
everything in between.\1\
---------------------------------------------------------------------------
    \1\ USTelecom The Broadband Association, www.ustelecom.org.
---------------------------------------------------------------------------
    I also serve as the chair of the Communications Sector Coordinating 
Council and as co-chair of the Department of Homeland Security (DHS) 
Information and Communications Technology (ICT) Supply Chain Risk 
Management Task Force.\2\
---------------------------------------------------------------------------
    \2\ Communications Sector Coordinating Council, www.comms-scc.org; 
ICT Supply Chain Risk Management Task Force, https://www.cisa.gov/ict-
scrm-task-force.
---------------------------------------------------------------------------
    In all of these roles, I've seen first-hand how the cybersecurity 
threats we face are real and growing. On an almost daily basis, we 
learn of attacks by nation-state adversaries and global criminal 
enterprises to disrupt or exploit access to functions that support our 
daily lives. Some of these attacks--such as those mounted against 
SolarWinds and its Government and private-sector customers, and the 
attack against Colonial Pipeline that had the effect of gas price 
spikes and gas shortages down the East Coast--target critical functions 
that enable the basic activities of commerce and consumers' lives. We 
now have actual experience with a significant disruption to critical 
infrastructure, highlighting the importance of securing all 16 critical 
infrastructure sectors including water, transportation, energy, 
finance, information technology, and communications.
    We in industry recognize the core interest of the Government in 
enhancing the Nation's cybersecurity, and the key role of Government-
industry partnership in doing so--including through more robust and 
coordinated information sharing and incident reporting and response. We 
also recognize the unique resources the Government has available to aid 
private-sector organizations when responding to a major cyber crisis.
    The Council to Secure the Digital Economy (CSDE), founded by 
USTelecom and other key industry partners, described the necessary 
foundations for this coordination in its 2019 Cyber Crisis Report, 
noting that in the midst of a cybersecurity crisis, Government and 
industry must be prepared to mobilize together rapidly and collaborate 
with relevant responders.\3\ This means building close working 
relationships with the companies whose diverse leadership, assets, and 
operational experience within the digital ecosystem provide unique 
value in the global fight against cyber threats.
---------------------------------------------------------------------------
    \3\ Council to Secure the Digital Economy, Cyber Crisis: 
Foundations of Multi-Stakeholder Coordination (2019), https://
securingdigitaleconomy.org/wp-content/uploads/2019/09/CSDE_CyberCrisis-
Report_2019-FINAL.pdf.
---------------------------------------------------------------------------
    We've seen this partnership work, perhaps most significantly in 
recent years in the context of the COVID-19 pandemic's unprecedented 
demands on IT and communications systems to keep us connected, 
learning, and working, just as threat actors used our increased 
reliance on connected technology to find new avenues to exploit. 
Throughout the pandemic, the Communications Sector has worked hand-in-
hand with DHS's Cybersecurity and Infrastructure Security Agency 
(CISA), the National Telecommunications and Information Administration 
(NTIA), the Federal Communications Commission (FCC), and other 
Government agencies to allocate and deliver resources, establish access 
for critical workers, maintain services, and address threats.
    This collaboration was not a response to top-down regulatory 
directives, but rather an operationalization of trusted partnerships 
cultivated over decades between Government and industry and across 
diverse members of the ICT sector. It worked--together, we kept the 
Nation connected through the pandemic, and this successful experience 
in communications security and reliability is a model to follow in the 
years ahead.
    We have also seen the benefit of this engagement in the DHS ICT 
Supply Chain Risk Management Task Force over the past 2 years. When I 
last had an opportunity to testify before this committee, the Chair and 
Ranking Member expressed interest in addressing the essential segment 
of small and medium-sized businesses (SMBs). The IT and Communications 
Sectors have similarly recognized the unique set of challenges SMBs 
face and that these challenges constitute a National security 
imperative as U.S. critical infrastructure relies on the defensive 
posture of these individual, yet highly-connected organizations. This 
year, USTelecom produced a survey examining these challenges and found 
that critical infrastructure SMBs are distinctly vulnerable to breaches 
that can take longer to detect and from which to recover.\4\ As we 
enter the Task Force's third year, we plan to continue focus on the 
critical element of SMBs and how we can further leverage cross-sector 
and Government-industry partnership to provide greater support.
---------------------------------------------------------------------------
    \4\ USTelecom, USTelecom 2021 Cybersecurity Survey: Critical 
Infrastructure Small & Medium-Sized Businesses, at 6, 
www.ustelecom.org/cybersurvey.
---------------------------------------------------------------------------
    For these reasons, I am here today to express our industry's 
support for the committee's efforts to facilitate establishing cyber 
incident reporting and analysis capabilities within CISA rooted in the 
foundational information-sharing framework of the 2015 Cybersecurity 
Information Sharing Act. In the context of this hearing, we see the 
Cyber Incident Reporting for Critical Infrastructure Act of 2021 as 
another foundational building block in the growing whole-of-Nation 
collaboration across industry and Government.
    To support our collective interest in leveraging trusted 
partnerships to enhance cybersecurity, information sharing and incident 
reporting must be done effectively and efficiently. With this in mind, 
we believe that the following elements are critical success factors in 
any incident reporting regime, and we are encouraged that many of these 
are included in the current legislation proposed by Chairwoman Clarke 
and Ranking Member Katko:
    1. The reporting window should be large enough for industry to 
        triage the incident.--When a cyber incident occurs, impacted 
        organizations need time to investigate the incident, determine 
        whether reporting criteria have been met, and comply with 
        applicable best practices. The committee should consider giving 
        CISA discretion to establish reporting windows within 
        reasonable parameters and with appropriate flexibility afforded 
        to meet the unique needs of a given situation. If the mandatory 
        reporting window is too short, CISA will likely receive an 
        overwhelming quantity of ``false alarm'' reports that do not 
        merit reporting, which could strain Government resources and 
        undermine the value of the reporting program.
    2. Thresholds for incidents that merit reporting should be clearly 
        defined by subject-matter experts, and only confirmed incidents 
        should be reported.--Defining reporting thresholds is a highly 
        technical exercise that requires extensive subject-matter 
        expertise. The thresholds need to be specific enough to avoid 
        ambiguity, so that industry knows exactly how to comply. Given 
        these complexities, the committee should consider directing 
        Federal agency experts to define thresholds in consultation 
        with industry, rather than attempting to include thresholds in 
        legislation itself. Moreover, to avoid undermining the system 
        with over-reporting, only confirmed cyber incidents should be 
        reported--not potential or unverified incidents. The thresholds 
        must be grounded in criteria that are verifiable, attributable, 
        and actionable.
    3. Legislation should protect the Government's industry partners 
        when they are victims of cyber attacks.--There are numerous 
        operational benefits to affording protection to entities that 
        report cyber incidents. The Cybersecurity Information Sharing 
        Act of 2015 provides a strong legal and conceptual foundation 
        for such protections, but the committee should also consider 
        ways it and CISA can leverage consultation with stakeholders to 
        refine these protections in the incident reporting context. 
        Different organizations may provide unique insights into how 
        incident reporting affects them legally and operationally.
    4. The Government must safeguard the sensitive information it 
        collects.--When the Government collects sensitive information 
        from industry partners, it has a responsibility to protect that 
        information. To that end, the committee should consider 
        provisions to ensure data from incident reports is not shared 
        inappropriately or leaked once it is provided to CISA. We must 
        ensure that the victim names reported to CISA are not shared 
        outside the agency. This is essential to ensuring the 
        information is safeguarded appropriately and not misused.
    5. Reporting obligations should reside with the victims of cyber 
        attacks and not intermediaries or third parties.--Any policy 
        requiring Internet Service Providers (ISPs) to report 
        customers' incidents would be cause for concern on a number of 
        grounds, including public policy and privacy concerns, 
        disruptions to business relationships and operations, and 
        possible legal issues associated with those kinds of 
        disclosures.
    In addition to the above critical success factors that are included 
in the bill, we are further encouraged by the following aspects of the 
proposed legislation:
   Cyber incident reporting is best enforced with subpoenas 
        rather than fines. The legislation under consideration today 
        wisely relies on subpoenas rather than fines as an enforcement 
        mechanism for cybersecurity reporting. Where fines are 
        inherently punitive--and may in some cases actually punish 
        entities that aim to report cyber incidents in good faith--
        subpoenas enable the Government access to the information it 
        seeks and also inform industry more specifically about the 
        Government's interests and priorities. This will enable the 
        overall information-sharing regime to improve with the benefit 
        of experience over time.
   CISA should serve as a hub for information sharing and 
        incident reporting, but must work with its partner agencies. 
        This legislation also directs CISA to shape and maintain this 
        reporting and information-sharing program. Since the agency's 
        statutory establishment in 2018, CISA is well-suited to serve 
        as a hub for cybersecurity information sharing and incident 
        reporting. CISA's expertise and on-going relationships will 
        enable it to build an effective information-sharing framework 
        that will be nimble enough to keep pace with cybersecurity 
        innovation over time. However, any new mandatory reporting 
        requirements should not overlook the extensive collaboration 
        that industry currently has with the broader Federal 
        Government. While CISA has a critical role to play and can 
        serve as a central location for reporting, other Federal 
        agencies will continue to be engaged with the private sector. 
        Indeed, consistent with the Federal Government's 
        recommendation, many companies will contact law enforcement if 
        they have a cyber incident. If a company has a significant 
        intrusion, its first reaction may be to reach out to the FBI, 
        for example, who could take any appropriate criminal action 
        (e.g., seize back some of the ransom payment). Policy makers 
        should ensure that a new reporting construct takes into 
        consideration this dynamic and does not inadvertently punish a 
        private entity for heeding the Government's advice and/or put 
        the entity in the middle of two competing Government agencies 
        in the wake of an attack.
   Information-sharing obligations should be reciprocal between 
        Government and industry partners. We also appreciate that the 
        proposed legislation places expectations on Government 
        stakeholders to report cyber incidents and share cybersecurity 
        risk information. Recognizing that cybersecurity is a shared 
        responsibility across the ecosystem, we appreciate that the 
        legislation would require the U.S. Government to take its 
        obligations to report and share cybersecurity information 
        seriously, just as industry takes its own obligations 
        seriously.
    USTelecom--The Broadband Association and the Communications Sector 
stand ready to work with the committee to advance this legislation and 
will continue to collaborate in partnership with CISA to continuously 
advance our Nation's cybersecurity risk management and response 
capabilities.
    Thank you for your leadership and for prioritizing this critical 
issue. I look forward to your questions.

    Ms. Clarke. We thank you for your expert testimony here 
today, Mr. Mayer.
    I now recognize Ms. Denbow to summarize her statement for 5 
minutes.

 STATEMENT OF KIMBERLY DENBOW, MANAGING DIRECTOR, SECURITY AND 
              OPERATIONS, AMERICAN GAS ASSOCIATION

    Ms. Denbow. Thank you. Thank you, Chairwoman Clarke, 
Ranking Member Garbarino, and Members of the subcommittee. I am 
Kimberly Denbow, managing director of security and operation of 
the American Gas Association, AGA. I have led AGA's Security 
Policy and Technical Program for nearly two decades. I am a 
former member--voting member--former voting member of the TSA 
Surface Transportation Security Advisory Committee and co-
chaired the Cybersecurity Subcommittee. I presently co-chair 
the Cybersecurity Working Group for both the Oil and Natural 
Gas Sector Coordinating Council and the Pipeline Sector 
Coordinating Council. Thank you for inviting me to share my 
perspective on the Cybersecurity Incident Reporting for 
Critical Infrastructure Act of 2021 and sharing AGA's general 
approach to cybersecurity.
    AGA represents more than 200 local energy companies that 
deliver clean and affordable natural gas to 95 percent of 
natural gas customers in the United States. AGA supports the 
provisions necessary for a workable incident reporting 
framework, as laid out in the Cyber Incident Reporting for 
Critical Infrastructure Act of 2021.
    These provisions include report timing of 72 hours after 
confirmation of the incident, clarity provided around 
supplemental reporting, harmonization of new reporting rules 
with preexisting reporting requirements, leveraging the 
information sharing and analysis centers, and operator 
liability, information, and regulatory protections.
    Properly framed cybersecurity incident reporting can help 
counter adversaries and minimize impact. With slight 
alterations, particularly regarding private-sector involvement, 
this bill can be even stronger. Suggested improvements include 
specified outreach to sector coordinating councils in 
development of the interim final role; ensure flexibility and 
regular updates to the list of covered entities; ensure CISA 
has the staffing and sector-specific expertise necessary to 
coordinate and communicate with operators; and limit CISA 
director discretion to ensure any disclosure of reported 
information is nonattributional.
    Cybersecurity management is an endless evolution. For 
nearly two decades, AGA operators worked within a structured 
oversight model, conceived by TSA, our pipeline security 
authority. This unconventional and nonregulatory model achieved 
something the traditional stick-and-carrot approach could not. 
Constructive information exchange at a level of confidence and 
cooperation not typically available to regulators. TSA Surface 
Transportation has always done more with less and on a 
shoestring budget.
    For instance, to develop the TSA pipeline security 
guideline, the mechanism that underpins pipeline security and 
has advanced pipeline security by orders of magnitude, TSA 
collaborated with pipeline operators, CISA, and other entities. 
The quality output from TSA has been the result of the 
dedication of TSA staff in partnership with pipeline operators 
toward a shared common goal: Pipeline security. That said, when 
done right, regulations can be beneficial.
    For example, through the collaboration of nearly 70 
organizations, including TSA, CISA, trade associations, and 
pipeline operators, the consensus-based standard API 1164 
Version 3 Pipeline Control Systems Cybersecurity was developed 
as a tool to help operators manage cyber risks and control 
system environments and at critical connection points along the 
supply chain.
    As TSA transitions from the structured oversight model to 
more traditional regulation, API 1146 Version 3 will be the 
most efficient way to put effective pipeline cyber regulations 
in place.
    In a similar manner, this cyber incident reporting 
legislation has the potential to advance constructive reporting 
requirements. The key to meeting this potential lies with CISA 
and its commitment to the partnership. The AGA board of 
directors supports an industry-wide cybersecurity commitment 
and recently agreed to support reasonable cybersecurity 
regulations. While there is no single cybersecurity solution 
for absolute system protection, vigilance, technological 
capability, and leadership commitment will continue to keep 
America's natural gas delivery system safe, secure, and 
reliable.
    Thank you for the opportunity to testify. I look forward to 
the exchange of ideas.
    [The prepared statement of Ms. Denbow follows:]
                 Prepared Statement of Kimberly Denbow
                           September 1, 2021
    Chairwoman Clarke, Ranking Member Garbarino, and Members of the 
subcommittee, I am Kimberly Denbow, managing director of security & 
operations, of the American Gas Association (AGA). I have led AGA's 
security policy and technical program for nearly 2 decades. Also 
relevant to this hearing, I am a former voting member of the 
Transportation Security Administration (TSA) Surface Transportation 
Security Advisory Committee for which I helped stand up and co-chaired 
the Cybersecurity Subcommittee. I also helped stand up and presently 
co-chair the Cybersecurity Working Group for both the Oil & Natural Gas 
Sector Coordinating Council and the Pipeline Sector Coordinating 
Council. Thank you for inviting me to share my perspectives on the 
Cyber Incident Reporting for Critical Infrastructure Act of 2021 and 
AGA's general approach to cybersecurity.
    Founded in 1918, AGA represents more than 200 local energy 
companies that deliver clean and affordable natural gas throughout the 
United States. There are more than 76 million residential, commercial, 
and industrial natural gas customers in the United States, of which 95 
percent--more than 72 million customers--receive their gas from AGA 
member utilities. Natural gas is a necessary fuel for a clean and 
secure energy future, providing benefits for the economy, our 
environment, and our energy security. Alongside the economic and 
environmental benefits and opportunities natural gas offers our country 
comes the great responsibility to protect our distribution pipeline 
system network from cyber compromise.
    Technological advances over the last 30 years have made natural gas 
utilities more cost-effective, safer, and better able to serve our 
customers via web-based programs and tools. Unfortunately, the 
opportunity cost of a more connected and more efficient industry is 
that we have grown to be an attractive target for increasingly 
sophisticated cyber criminals and terrorists. The cyber threat 
landscape is evolving at an alarming rate comparable to biological 
virus mutations. This said, America's investor-owned natural gas 
utilities are meeting the threat daily via skilled personnel, robust 
cybersecurity system protections, an industry commitment to security, 
and a successful on-going cybersecurity partnership with the Federal 
Government.
    Safety and security are core values for America's natural gas 
utilities. AGA and its member companies are committed to investing in 
leading security technologies, utilizing best practices and training, 
and promoting an industry-wide vigilant security culture to help 
fortify our security defenses.
    cyber incident reporting for critical infrastructure act of 2021
    Effective cybersecurity incident reporting is essential to 
dampening wide-spread cybersecurity compromise. AGA supports the Cyber 
Incident Reporting for Critical Infrastructure Act of 2021, which 
establishes the criteria AGA members argue is necessary for a workable 
incident reporting framework. A few provisions of particular interest 
and which have industry's support include report timing, supplemental 
reporting clarity, recognition of existing reporting requirements, 
Information Sharing & Analysis Centers (ISACs), and liability 
protections. Additional details are outlined below:
   Incident Report Timing.--Providing covered entities 72 hours 
        after confirmation to report on cybersecurity incidents 
        appropriately recognizes that owners/operators need a 
        reasonable amount of time to not just identify but also to 
        verify the validity of a cybersecurity incident before 
        reporting. This minimizes the reporting of non-credible 
        incidents, which can be excessive and resource-intensive with 
        negligible value-add.
   Supplemental Reporting.--The latest draft of this 
        legislation helpfully clarifies what qualifies as supplemental 
        reporting and offers the Department of Homeland Security (DHS) 
        Cybersecurity & Infrastructure Security Agency (CISA) director 
        (and covered entities) the useful option of a flexible 
        reporting time line so as not to specifically ``prioritize 
        incident response efforts over compliance.'' This synchronizes 
        the efforts of CISA with the operator, ensures incident 
        investigation is prioritized, and eliminates unnecessary 
        supplemental information submission.
   Information Sharing and Analysis Organizations.--We 
        appreciate the latest draft bill's increased reliance on 
        industry Information Sharing & Analysis Centers (ISACs) for 
        Government-private-sector outreach as well as incident 
        reporting. Permitting owners/operators to leverage existing 
        mechanisms through third parties, such as AGA's Downstream 
        Natural Gas ISAC, strengthens the function of these entities to 
        the benefit of all stakeholders, since such organizations have 
        sector-specific threat analysts who can provide additional 
        perspectives to CISA.
   Harmonizing Reporting Requirements.--AGA's member natural 
        gas utilities are among the most regulated in the country at 
        the State, Federal, and local level. Complicating matters, well 
        over 50 percent of AGA members are combination natural gas-
        electric utilities with separate electric sector requirements. 
        As such, we appreciate efforts to reduce potential conflicting 
        mandates by harmonizing the cyber incident reporting 
        requirements with preexisting cyber reporting requirements.
   Industry Legal Protections.--We appreciate the inclusion of 
        reasonable information disclosure rules, liability protections 
        for reporting entities (familiar to industry as they mirror 
        those in the Cybersecurity Act of 2015), and regulatory 
        protections in the legislation. Without these provisions, it 
        would be hard to imagine the sort-of streamlined and trusted 
        public-private incident reporting partnership this legislation 
        contemplates.
    While the draft legislation sets a strong foundation for moving 
forward, there are a few policy areas where we recommend some expansion 
and/or clarification. Not surprisingly, most of our suggestions 
surround additional private-sector involvement in the overall process, 
per below:
   Rulemaking Detail [SEC .2220A(d)(1) In General].--This 
        section outlines the incident reporting rule making process. 
        While we appreciate that ``appropriate stakeholders'' will be 
        able to comment on the interim final rule, we strongly 
        recommend greater specific outreach to critical infrastructure 
        organizations (Sector Coordinating Councils, ISACs, individual 
        covered entities, industry organizations, etc.) in developing 
        the rule. Private-sector engagement from the beginning will 
        ensure the rule will be reasonable, credible, and based on 
        vital critical infrastructure experience and operational 
        capabilities.
   Who are the Covered Entities? [SEC .2220A(d)(2) Covered 
        Entities].--The list of covered entities should be flexible and 
        updated regularly (or as necessary) as companies change 
        operations. DHS should be able to accommodate such changes. To 
        help determine covered entities, we recommend: (1) Consulting 
        with the private sector, (2) utilizing preexisting Government 
        lists that identify critical facilities, (3) a periodic review 
        and update of covered entities, and (4) a process that allows 
        critical infrastructure entities to appeal their inclusion on 
        the list.
   Ensuring CISA has the Tools it Needs. [SEC .2220A(d)(6) 
        Responsibilities of Covered Entities].--This subsection focuses 
        on industry's coordination with CISA personnel. This 
        coordination will only be effective and efficient if CISA has 
        the staffing and sector-specific cybersecurity expertise 
        necessary to communicate with private companies in vastly 
        different business sectors. As such, we recommend adding 
        language to ensure that ``CISA will coordinate with SRMAs'' (or 
        similar).
   Director Authority [SEC .2220A(e)(1) Authorized 
        Activities].--This subsection lists the exceptions under which 
        the director may disclose information provided to the Office. 
        The discretion allotted the director in the first two 
        exceptions (A and B) are overly broad, which could lead to 
        literally ANY ``cybersecurity purpose'' as a reason to disclose 
        sensitive company information. AGA recommends adding clarifying 
        language to each exception (A) and (B) specifying ``to 
        circumvent national security or national economic harm.''
    Cybersecurity incident reporting, framed properly, can be the 
difference between pivoting against our adversaries in an effective 
manner and minimizing impact, or fumbling to our adversaries' 
advantage. Cyber Incident Reporting for Critical Infrastructure Act of 
2021 provides the structure while also delivering agility. With slight 
alterations, it can be even stronger.
   natural gas utility cybersecurity management: an endless evolution
    America's natural gas delivery system is the safest, most reliable 
energy delivery system in the world. This said, industry operators 
recognize there are inherent cyber vulnerabilities with employing web-
based applications for industrial control and business operating 
systems. Gas utilities employ multiple mechanisms to support a robust 
cybersecurity program, including participating in an array of 
Government and industry cybersecurity initiatives. The most important 
resource is the existing cybersecurity partnership between the Federal 
Government and industry operators. This partnership fosters the 
exchange of vital cybersecurity information which helps stakeholders 
adapt quickly to dynamic cybersecurity risks. That partnership should 
continue to be supported by Congress.
            the immeasurable value of authentic partnership
    For nearly two decades, AGA favored effective partnership above 
cybersecurity regulations, which we felt served as a ceiling that 
stifled robust cybersecurity management. We valued the structured 
oversight model conceived by TSA, our Federal regulator for pipeline 
security. Though the model was unconventional by Federal Government 
standards, it achieved something the traditional ``stick-and-carrot'' 
approach could not--constructive information exchange and at a level of 
confidence and cooperation not typically available to regulators. The 
TSA ``Pipeline Security Guidelines''\1\ (Guidelines) coupled with the 
trust fostered between industry and Government advanced pipeline 
security by orders of magnitude over the years. Whereas regulations 
serve as a ceiling to which operators rise but are not incentivized to 
exceed, Guidelines serve as the floor upon which an operator's program 
may be built and continuously improved based on the operator's system-
specific risks and applicable counter measures.
---------------------------------------------------------------------------
    \1\ https://www.tsa.gov/sites/default/files/
pipeline_security_guidelines.pdf.
---------------------------------------------------------------------------
                          a shared common goal
    Some have suggested cyber compromise in the pipeline industry is a 
direct consequence of the structured oversight model. TSA has been 
criticized for not doing more prior to the recent issuance of the 
pipeline security directives. For the record, TSA Surface 
Transportation did more with less and on a shoestring budget. The TSA 
Pipeline Group has been the epitome of innovation--leveraging the 
infrastructure subject-matter expertise of pipeline operators, 
partnering with CISA and Idaho National Labs for in-house industrial 
control system cybersecurity knowledge, and collaborating with the 
Department of Transportation's Pipeline and Hazardous Materials Safety 
Administration (PHMSA) on cybersecurity reviews of control centers. AGA 
helped champion the CISA/TSA Pipeline Cybersecurity Initiative \2\ and 
promoted effortlessly the Pipeline Validated Architectural Design 
Reviews.\3\ The quality output has been the result of the dedication of 
TSA and CISA staff, in partnership with pipeline operators, toward a 
shared common goal--pipeline security.
---------------------------------------------------------------------------
    \2\ https://www.cisa.gov/pipeline-cybersecurity-initiative.
    \3\ https://us-cert.cisa.gov/resources/
ncats#Validated%20Architecture%20Design%20Review- %20(VADR).
---------------------------------------------------------------------------
                             driving change
    Over the past few years, more than 70 organizations, including TSA, 
CISA, PHMSA, the Department of Energy (DOE), Federal Energy Regulatory 
Commission, National Institute of Standards & Technology (NIST), trade 
associations, and numerous pipeline operators, worked on revising a 
standard managed by the American Petroleum Institute (API) for control 
system cybersecurity. The revision was designed to align with existing 
cybersecurity guidelines, the NIST Cyber Security Framework,\4\ and 
prominent industry cyber standards. This recently-updated consensus-
based standard, API 1164 version 3, ``Pipeline Control Systems 
Cybersecurity''\5\ (API 1164 version 3), helps the operator manage 
cyber risks associated with control system cybersecurity environments 
by providing requirements and guidance for proper isolation of control 
system environments from non-control system environments. It also 
addresses enhanced protections at critical connection points along the 
supply chain.
---------------------------------------------------------------------------
    \4\ https://www.nist.gov/cyberframework.
    \5\ API Standard 1164, 3d edition.
---------------------------------------------------------------------------
Walking the Talk
    The AGA Board of Directors continues to be forward-leaning on 
multiple fronts--with security at the forefront. Actions and activities 
include:
   Creation of the Downstream Natural Gas ISAC, which 
        facilitates the sharing of threat information within the 
        natural gas industry and across sectors by providing analysis, 
        coordination, and summarization of threat indicators and other 
        relevant information to its members--a community of nearly 100 
        percent of our Nation's natural gas utilities and transmission 
        companies;
   Membership-wide adoption of the AGA Commitment to Cyber and 
        Physical Security \6\ to demonstrate dedication to ensuring the 
        natural gas pipeline infrastructure remains resilient to the 
        growing and dynamic cyber and physical security threats; and
---------------------------------------------------------------------------
    \6\ https://www.aga.org/sites/default/files/sites/default/files/
media/commitment_to_cy- ber_and_physical_security_sep2016.pdf.
---------------------------------------------------------------------------
   Development of a three-point Cybersecurity Action Plan which 
        encompasses enhancing cyber standards for gas utility 
        operations, collaborating with CISA for the enhancement of a 
        cybersecurity verification tool, and developing an operator 
        accountability mechanism. The roadmap includes the progression 
        from guidelines to regulations.
    Recently, the AGA Board passed a resolution in support of 
reasonable cybersecurity regulations. Such regulations would be 
characterized by four critical components:
    1. a risk-based methodology,
    2. a framework organized by the functions Identify, Protect, 
        Detect, Respond, and Recover,
    3. operator flexibility to pivot to a constantly-evolving cyber 
        threat landscape, and
    4. alignment with natural gas industry cybersecurity guidelines and 
        standards for operational technology.
    These four critical components are satisfied by API 1164 version 3.
An Effective & Timely Transition
    As TSA, in collaboration with CISA, transitions from issuing 
pipeline security directives to issuing cybersecurity regulations, the 
Federal Government is encouraged to leverage API 1164 version 3 which 
reflects practical, attainable, sustainable, and measurable state-of-
the-art cybersecurity protections tailored specifically to pipeline 
operations. Given the imminent threat that prompted issuance of the 
pipeline security directives, incorporating this standard by reference 
will be the Federal Government's most efficient way to put effective 
pipeline cyber regulations in place.
A Commitment to America--A Commitment to the Communities We Serve
    America's natural gas utilities are cognizant of enduring cyber 
threats and the continued need for vigilance through cybersecurity 
protection, detection, and mitigation mechanisms. There is no single 
solution for absolute system protection. Through a combination of 
cybersecurity processes and timely and credible information sharing 
amongst the Government intelligence community and industry operators, 
America's natural gas delivery system remains protected, safe, and 
reliable, and will remain so well into the future.

    Ms. Clarke. Ms. Denbow, I want to thank you for your expert 
testimony here today.
    I thank all of our witnesses for testifying.
    I will remind the subcommittee that we will each have 5 
minutes to question the panel.
    I will now recognize myself for questions.
    This first question is to all of our witnesses today. For 
the past several months, I have worked with stakeholders to 
craft legislation that, No. 1, gives CISA the visibility it 
needs to be a more effective partner to the private sector; 
and, No. 2, informs our understanding of cyber threats in a way 
that supports long-term systemic improvement to the 
cybersecurity ecosystem. Many of the questions about how to do 
this effectively are questions of scope, defining what 
information CISA needs to be bringing in and setting clear 
expectations about what CISA needs to be putting out.
    What specific information does CISA need about a cyber 
incident in order to detect cyber campaigns early and help 
other owners and operators defend themselves? Is this the same 
information CISA needs in order to understand threats over time 
and help owners and operators buy down the risks?
    Mr. Bushar. So I can start, Chairwoman, answering that 
question.
    Ms. Clarke. Thank you.
    Mr. Bushar. So I believe, you know, generally speaking, 
that CISA will require what we often term technical indicators 
of compromise, or IOCs, as part of any analysis function and 
collection effort on their behalf. So what we often recommend 
is the ability for the victims and the covered entities to be 
able to provide technical indicators of compromise, which can 
include things such as IP addresses, domain names, tools, 
pieces of malware software that are being used in the attack, 
along with techniques, not necessarily software, but 
behavioral-based techniques that the victims are observing the 
attackers taking, such as phishing, lures, or email, and things 
of that nature.
    That sort of information, when correlated across sectors or 
across industries or even within several organizations, can 
often increase the rapidity and accuracy of attribution of 
threat actors.
    The additional context that CISA may require related to 
strategic analysis would have to do with things such as 
targeting. What I mean by that, that would be information more 
related to what sort of data or information systems appear to 
be targeted by the threat actor, what data was confirmed to be 
taken out of the environment, if that is known, what sort of 
people or personas attempted to be compromised during the 
attack, whether that is, you know, positioned--executive 
positions in the organization, other sorts of key leadership 
inside the organization. Those can all be useful information--
points of information for analysis of threat actor intent and 
where they would likely see similar sorts of attacks and 
behavior emerging again across sectors or within sectors. So 
those two broad categories of information we feel are valuable 
to CISA to collect and understand, again, in a nonattributional 
way, wherever possible, or at least in a anonymized way for 
each victim.
    Ms. Clarke. So, if the other panelists agree with Mr. 
Bushar, let me ask what information and intelligence do your 
industries need from CISA in order to defend against threats 
today and in the future? What makes information actionable for 
your purposes?
    Mr. Bushar. Yes, that is great question, Chairwoman. It is 
very similar to the answer in the direction of CISA, and 
frankly. So, when the Government has access to that sort of 
indicator information, again, in a nonvictim attribution model, 
we in the private sector can often make use of that information 
in similar ways by correlating information, by comparing that 
information to what we are seeing across our customer set, and 
to deconflict or to understand where these threat actors may be 
operating that we don't have perfect visibility.
    It is really completing, you know, that fuller picture for 
everyone in the community to understand where threat actors are 
acting and how they are behaving and how to catch them as well. 
So that data is extremely valuable to commercial companies to 
put into detection tools, to software, to drive more rapid 
again detection and, ideally, prevention, right? So the 
ultimate goal in feeding information back from the Government 
to the private sector would be to inoculate. To use kind-of a 
comparison, it would be an inoculation. So we saw the first 
victim. We understand what happened there. Now, I can take that 
vaccine of information and apply it to all my other clients. 
Now if that same threat actor tries to use that exact same 
capability against other victims, it won't work; they are 
protected.
    Ms. Clarke. Thank you, Mr. Bushar.
    My time has elapsed.
    I now recognize the Ranking Member of the subcommittee, the 
gentleman from New York, Mr. Garbarino, for his questions at 
this time.
    Mr. Garbarino. Thank you, Chairwoman. Actually, I want to 
follow up--I wasn't aware I was going to start, but I wanted to 
follow up on what you were just talking about with what should 
be reported. My question to witnesses is, on a covered 
incident--and we have different groups on here, telecom and 
banks and energy--it shouldn't be a one-size-fits-all approach, 
right? How do we determine--is this something we set out 
legislatively in the actual text, or are we going to have to do 
this in rule making? Or how do we make sure it is done right in 
the rule making?
    Ms. Denbow, I will start with you. I saw you raise your 
hand real quick.
    Ms. Denbow. Thank you. This is something that is very near 
and dear to my heart. I believe that the quickest way to get to 
an effective solution is, again, to consult with the Sector 
Management Risk Agencies and the Sector Coordinating Councils. 
That is where you are able to bring together the communities 
that have the subject-matter expertise in the various critical 
infrastructure sectors already there. So you already have that 
learning curve taken care of, and you are diving right into the 
middle of the pool, so to speak.
    Mr. Garbarino. Mr. Mayer, you wanted to add onto that?
    Mr. Mayer. Yes, I do. Thank you. So I think definitely it 
is not about putting legislative language in that becomes very 
prescriptive in terms of how to characterize an incident 
because incidents are evolving, and we need the flexibility to 
take in the information, relevant information associated with 
different attacks.
    One of the things that, I think, speaks relative to 
legislation is you have already identified some considerations 
that would be considered. So, for example, how sophisticated is 
the attack? Is this a novel attack, something, though, we 
haven't seen before? Who is going to be affected by the attack? 
What is the potential impacts of cascading effects? Does it 
impact industrial control systems, skaters, different systems? 
How does that work? I think that we can work within those 
parameters. As I fully anticipate, we will have an opportunity 
to engage CISA in the interim rules and then the final rules, 
is to bring subject-matter experts--sector-specific subject-
matter experts, because what works, involves our networks and 
our systems is different than what Kimberly's systems look like 
or what the banking systems look like.
    We really need--and this is something where I think 
industry makes a very significant contribution, is we bring 
subject-matter experts to the discussion to the partnership 
with CISA. These are front-line workers, so there are some 
limitations in terms of how much we can demand from them, but 
we really can't go forward in making these kind of decisions 
around how to define a covered incident without that kind of 
industry-specific input.
    Mr. Garbarino. I actually appreciate that both of your 
answers because I think it is great idea, Ms. Denbow, that we 
deal specifically with the 16 different critical infrastructure 
subgroups there are now. I think DHS should--maybe there is 
something we can put in that maybe they set up different 
requirements for different ones, but they deal specifically 
with those agencies. I think that is a great idea.
    Another question I have is about the quarterly reporting. 
Mr. Mayer, you just talked about how these things happen very 
quickly. Is CISA releasing a report every quarter? Is that good 
enough? I mean, and the reason why is 3 months later it might 
not mean anything anymore? I mean, things move very quickly.
    Mr. Mayer. Yes, so I tell you, I credit CISA--they are not 
going to wait 3 months. The 3 months, as I understand it, in 
the context of the legislation is designed to encapsulate what 
they learned, aggregate the information, and anonymize it, and 
push it out.
    CISA has been incredibly responsive and timely in pushing 
out information about threats. We send them information on all 
types of malware, on ransomware. In some instances, they have 
affiliated with NSA in pushing out information, affiliated with 
the FBI. They are not sitting on the information. Then we 
engage with CISA I would say pretty much on a daily basis when 
it comes to receiving alerts and what--you know, sharing what 
we have discovered in our systems, what they are observing 
either on the Federal agency. So the dialog is already taking 
place. I think the benefit of this is there is going to be a 
virtual cycle because, as these incidents evolve, there are 
going to be new PTPs, new tactics and techniques and procedures 
that are going to require different ways of responding to them. 
CISA is going to have the benefit of more data and information, 
and they are going take those lessons learned, I believe, and 
deliver them in an un-Classified way to the critical 
infrastructure sector. So I think it is a balance, and I think 
it is accretive in terms of its value.
    Mr. Garbarino. Right, Ms. Denbow, did you just want to add 
something real quick? I saw you raise your hand.
    Ms. Denbow. I actually--thank you. I actually do. With 
respect to working with CISA and our various sector risk-
management agencies and their intel groups, it is very 
important that the intelligence community comes together with 
the operators to be able to determine what is worse, 
downgrading from this Top Secret level to that next level so 
that they are not spending time trying to reclassify something 
that really is of no use to the operator.
    For example, we are still waiting on a threat briefing in 
response to the issuance of the secured--pipeline security 
directive. The challenge there--and it is not on the staff at 
TSA or CISA because they are doing the best that they can--is 
trying to downgrade that information to a level that is 
valuable to the operators. What would be great if we could get 
subject-matter experts from the field sitting in with CISA and 
TSA to say, ``You know what, that is what needs to be 
downgraded; not that. That wastes your time. That wastes our 
time. Just give us this.''
    Mr. Garbarino. I appreciate that. I am out of time, but I 
appreciate those answers. Thank you.
    I yield back, Madam Chairwoman.
    Ms. Clarke. Thank you, Ranking Member.
    I now recognize the Chairman of the full committee, the 
gentleman from Mississippi, Mr. Thompson, for his questions at 
this time.
    Mr. Thompson. Thank you very much, Madam Chair. I apologize 
for being a little late. I was on a call with the FEMA 
administrator. We are managing Hurricane Ida down in my State 
right now.
    As you have indicated, I have a statement for the record.
    I am glad to hear from the witnesses their interest in your 
legislation. One of the things we are trying to do is to get it 
right. Stakeholder engagement is absolutely important. As you 
know, this might be our 2.0 initiative, because we tried a 
similar effort in our Cyber Act of 2015 to incentivize 
volunteer public, private information sharing and, 
unfortunately, no one has gotten out of what they bargained 
for.
    So what I would like to get from our witnesses, starting 
with Mr. Bushar, is, how do you--how can we make sure this 
cyber incident reporting legislation is crafted in a way that 
brings real security value so we aren't having the same 
conversation 6 years from now?
    Mr. Bushar. Yes, sir. Thank you for that question. I think 
it goes to what I--what I stated in my opening statement, as 
well as some of the other witnesses here today, there has to be 
some flexibility in the rule-making process. I think what we 
have learned in the interceding 6 years between the legislation 
being drafted in 2015 and today is, you know, there is 
certainly some limitations to voluntary regimes. Let's be 
honest, right? I think you are only going to get so much, you 
know, cooperation there. I think it has been tremendous, but 
maybe there are certain groups or certain, you know, commercial 
entities that just aren't incentivized to share that data 
today.
    The other factor I believe that comes into play, is really 
important in terms of getting this legislation correct, is the 
flexibility in the process because, as we stated, the threats 
change and rapidly evolve, and that is not only on the 
capabilities of the adversaries we are dealing with; it is also 
the technology and the underlying capabilities of the companies 
using IT infrastructure and the way that that becomes more 
critical to their operations and business over time.
    So we have to be able to adjust what is important from an 
information collection and sharing regime over time. There has 
to be an ability for, you know, regulated but also cohesiveness 
in the way that information is collected and used. As I stated 
in my testimony, I think that two-ways communication 
information sharing has to be effective, timely, and relevant 
to the sector partners participating as well.
    Whether it is mandatory or voluntary, I think the more 
collaboration that occurs over time will strengthen that 
information sharing and collaboration environment in such a way 
that you will be much better positioned to defend our critical 
infrastructure over time.
    Mr. Thompson. All right.
    Ms. Hogsett. Mr. Chairman----
    Mr. Thompson. Thank you.
    Ms. Hogsett [continuing]. May I--may I add to that?
    Mr. Thompson. Yes, please.
    Ms. Hogsett. Thank you. That is a really important question 
that you asked, and so I want to just focus on two things. I 
think, first, this is why the scope, as you have put it in the 
bill, is so important to get right.
    If you are seeking to sort-of boil the ocean and get 
information on a lot of things out there, you are going to wind 
up with a situation where CISA is deluged with information that 
is not helpful to them, it is not useful, and they also get 
bogged down with information that isn't really the actual 
threat and the highest risks that we want them and everyone 
else to focus on.
    So I think through the rule-making process, that will allow 
the opportunity for engagement with sector-specific--excuse 
me--sector risk management agencies, our Sector Coordinating 
Councils, to talk about those risks that we all believe from 
our vantage point are important.
    So beyond the scope, I think also, then again, you know, 
setting up a process where there is a regular feedback loop so 
CISA is also regularly getting feedback from owners and 
operators of critical infrastructure about what they are 
finding valuable.
    I think if we can--that has often been missing. So if we 
can kind-of close that so that CISA then also has real-time, 
you know, valuable information for them to help improve their 
operations, those would be, I think, a couple of key pieces. It 
is set up, the way the bill is drafted, to allow for that. But 
I think your role, of course, helping oversee that as it is 
implemented would also be a critical thing that we would 
highlight.
    Mr. Thompson. Thank you.
    Would any other witness like to comment?
    Mr. Mayer. Real quickly, if I may, you know, there is a 
concept that Tony Sager, who led a big team at NSA, talks 
about, which is the fog of more. When you are in a situation 
like this and where you are in triage mode, what you don't want 
to do is you don't want to put so much information out there to 
CISA that you are putting information that is extraneous, that 
is noise, that is not focused. So you want some time, and that 
is why we think the 72 hours from a confirmed event is an 
important period of time to put in place, and the flexibility 
to engage in conversations after that.
    I think what you are setting up, Chairman, is what I 
consider to be a virtuous cycle, where--you talk about 6 years 
down the road. We know that the attacks are going to be 
probably very different than they are right now. We are going 
to have different types of networks, more software. We are 
going to be certainly in AI--in a world of AI, where systems 
are working with very complex algorithms.
    What we need to do is we need to build information up so 
that we can look at the attacks; they actually become an 
opportunity for us to understand what our adversaries are doing 
to see where we are failing, to see what is working, and build 
that into--going forward--into the kinds of expectations we 
will have for refining the reporting, refining the information 
that comes back, and, most importantly, I think, for 
collaborating with CISA, collaborating with the intelligence 
community, collaborating with, you know, organizations that are 
looking at criminal activities.
    What--the beauty of this legislation in my mind is you are 
building the opportunities for a broader and more effective 
partnership in the context of a mandatory requirement. I think, 
you know, credit to the committee for recognizing the value of 
maintaining the partnership--the best parts of the partnership, 
but also on insisting on accountability and incenting companies 
to participate in this process. I think that is the big story.
    Mr. Thompson. Thank you.
    Madam Chair, I yield back. Again, thank you for this very 
thoughtful legislation, and I look forward to its approval. I 
yield back.
    Ms. Clarke. I thank you, Mr. Chairman.
    The Chair will now recognize the other Members of the 
subcommittee for questions they may wish to ask the witnesses.
    In accordance with the guidelines laid out by the Chairman 
and Ranking Member in their February 3 colloquy, I will 
recognize Members in order of seniority, alternating between 
the Majority and Minority.
    Members are also reminded to unmute themselves and turn on 
their cameras when recognized for questioning.
    The Chair recognizes for 5 minutes the gentleman from 
Georgia, Mr. Clyde, at this time.
    Mr. Clyde.
    OK. I am going to go forward, then, and have the Chair 
recognize for 5 minutes the gentleman from Rhode Island, Mr. 
Langevin, for his questions at this time.
    Mr. Langevin. Thank you, Madam Chair. I want to thank our 
witnesses for their testimony today.
    Mr. Mayer, if I could start with you. In your testimony, 
you recommended that only confirmed incidents should be covered 
by this bill, not potential or universal incidents. I want to 
explore that idea.
    The SolarWinds breach has brought new attention to the 
issue of incident reporting, and for good reason. It took 
FireEye stepping forward and confirming that they had been 
compromised for the revelations of the largest SolarWinds 
campaign to come to light.
    So let's say that, in the future, a nation-state is 
conducting a similar espionage campaign against a U.S. critical 
infrastructure sector. So if critical infrastructure operators 
in this sector are not obligated to report suspicious network 
activity to CISA and they are only obligated to report once 
they have discovered a breach of confidentiality, integrity, or 
ability, how would we be meaningfully better positioned to 
proactively identify and mitigate this hypothetical espionage 
campaign than we are right now?
    Mr. Mayer. So I think, sir, that is--that is an important 
question. So when I--when we say ``confirmed,'' does that mean 
you are going to have every aspect confirmed, that you are 
going to have attribution confirmed, that you are going to know 
every system that is impacted? No. That is going to take some 
time. In fact, if you look at SolarWinds, I believe it took 
months--8 months or so to even detect it.
    I think, in my mind, if you have a significant cyber 
incident that has the kind of impact on confidentiality, 
integrity, and availability, you are going to know it--you are 
going to know it when you see it. It is going to be a very 
obvious impact on a pretty significant system, on a pretty 
significant function.
    U.S. Government, then CISA more likely than not is going to 
be aware of these types of events. They are going to affect 
Federal systems. They are going to be observable in some cases.
    So I think, you know, in the spirit of this legislation 
here, once a company realizes that it has been hit in a very 
significant way and has some visibility into that attack at 
some level and is maybe beyond the initial hours and days of 
triage, I would have every expectation, certainly in my sector, 
that there would be a conversation with CISA.
    Of course, there are provisions here that, if companies are 
not responsive, there are mechanisms in place to apply a stick 
that I think would be very painful and incent companies to come 
forward.
    Mr. Bushar. If I may, sir, can I add to that testimony 
briefly?
    Mr. Langevin. Sure.
    Mr. Bushar. So, actually speaking directly to, you know, 
the experience that we had during SolarWinds, I think the way 
to think about your question is this way.
    So in the early days of our analysis of what was happening 
inside of our own organization, we had some information that 
looked suspicious, but, you know, early, early on, we weren't 
quite sure if that was misbehavior potentially by an employee 
or just anomalous or something, you know, unusual happening 
with our technology inside the organization.
    Once we had confirmation that there was, in fact, a 
significant compromise, we actually--that is when we came 
forward and made the voluntary notifications to Government 
agencies.
    I think the point here is that, not that you would never 
disclose or you would wait until you had all the information 
available, but simply that, you know, in many cases in our 
experience, you could have situations where initial indicators 
aren't indicative of an actual true compromise, and you want to 
allow organizations time to fully analyze what is happening in 
their environment and determine that there is, in fact, a real 
impact, and then have the qualifying event to report to CISA.
    That speaks to the relative value and taking the noise out 
of the data that we talked about earlier.
    Mr. Langevin. Yes. You know, I think, first of all, you 
know, we should ask FireEye when they think they would have 
reported under this bill. You know, Mandia has testified that 
he put hundreds of people on it for weeks before the 
disclosure, not 72 hours. It was weeks. You know, and those 
were weeks where Russia was stealing data.
    Any comment on that?
    Mr. Bushar. Yes, sir. I mean, again, that is a great point. 
It is--I think it is a reason why we are actually endorsing, 
you know, a named time line. It is, you know--we are--at the 
time and still to this day, organizations, when it is the--the 
breach is not affecting covered data, privacy data, HIPAA data, 
et cetera, it is really under your own recognizance to 
determine the appropriate time line and agencies and 
authorities to report to.
    I think, by providing guidelines and actual criteria, you 
are providing us, you know, a very clear structure for 
organizations to report within. I think it is--there is 
something to keep in mind here, and I think it is captured 
inside the bill already, which is 72 hours gets that initial 
window, and it gives some reasonable balance between analysis 
time and getting first indicators and warnings, you know, of 
the hurricane, let's call it, coming, to CISA.
    But I--you know, I can say with assurance to you that that 
information is likely to change, adapt, and evolve beyond the 
72 hours. So I think, in the bill, the way it is captured in 
terms of updating that information is also critically 
important. It can't just be that first reporting. There has to 
be information updates as more is learned throughout the 
investigation and analysis. I think----
    Mr. Langevin. Yes.
    Mr. Bushar [continuing]. That speaks to your question 
regarding Mr. Mandia's testimony.
    Mr. Langevin. So, just so I am clarifying, so you don't 
think that FireEye testified--you don't think that FireEye 
reported early enough? Just to be clear, that is your 
testimony?
    Mr. Bushar. No. Not--I wouldn't say it that way, sir. I 
think we did the best we could under--and under, you know, 
voluntary analysis and trying to understand what was the 
appropriate, again, timeliness and reporting authorities under 
a stressful situation.
    I do--we believe strongly that a reasonable period of time, 
you know, within that 72-hour window, does make sense for most 
entities, at least for an initial reporting requirement.
    Mr. Langevin. Well, OK. I know that my time is--you know, 
is close to end. Let me just say that, Madam Chair, you know, 
as I am highlighting here, I am a bit concerned about the gap I 
see between the amount of information CISA needs to 
meaningfully improve the cybersecurity of our critical 
infrastructure sectors and the amount of information that CISA 
would receive would--only to be notified of--for confirmed 
cyber incidents.
    You know, further illustrate this concern with the second 
example. Let's say that there is a threat actor who is 
deploying destructive ransomware across critical infrastructure 
providers, but it has not yet activated--activated it yet. This 
is not unusual behavior. Once a confirmed cyber incident 
occurs, threat actors know that news will spread quickly and 
they will have a limited opportunity to act before cyber 
defenders close off the vulnerability and root out their 
malware.
    This means threat actors are likely to start encrypting the 
files of all of the targets they have compromised as fast as 
possible. By the time that CISA learns of this first ransomware 
attack, it could be too late for it to take any meaningful 
action and mitigate the threat to other entities in the sector, 
or, importantly, in other sectors which are vulnerable to the 
same malware.
    So, you know, Madam Chair, as we continue to consider this 
bill, I hope that we are going to continue to explore what 
definition of cyber incident will best ensure that CISA is able 
to do a job proactively when--job and proactively warn critical 
infrastructure providers of threats.
    I know my time has expired, so I will yield back, Madam 
Chair.
    Ms. Clarke. Thank you very much, Mr. Langevin. Point well 
taken.
    Wanted to just make sure that everyone is aware we will 
probably do a second round of questioning after we hear the 
questions posed by the gentleman from Georgia, Mr. Clyde, for 5 
minutes at this time.
    Mr. Clyde. Thank you, Chairwoman Clarke, for holding this 
very important hearing with Ranking Member Garbarino.
    As previously stated by my colleagues, cyber attacks are 
one of the biggest national security challenges that our 
nations face. I am dedicated to working with all of you in 
finding solutions that mitigate these threats.
    I think one of the biggest challenges in addressing and 
understanding cyber attacks is encouraging entities to come out 
of the shadows and report these incidents to CISA.
    There seems to be a fear that these stakeholders, that they 
could be unfairly blamed for these attacks. As a society, I 
think we do not blame the store clerk when a business is robbed 
by a gunman. We blame the perpetrator, and we work to bring 
them to justice. So I think our society must take the same 
approach when organizations report cyber instances and stop 
blaming victims for taking the correct actions to address these 
attacks.
    So I have got some questions. I want to follow up on 
something that Mr. Bushar said, and--but I will get to that.
    The Federal Information Security Modernization Act of 2014 
requires the OMB to define a major incident, and directs 
agencies to report major incidents to Congress within 7 days of 
identification. The legislation we are discussing today would 
require the director to determine the time frames, but no 
earlier than 72 hours. I think there is a disconnect between 
the way the Federal Government and the private sector report.
    So what I would like to know is whether this 72 hours or 
this 7 days is the appropriate period, and if--or is it 
something else in between? I think, Mr. Bushar, you said that 
72 hours was probably sufficient. But, Mr. Miller, if I could 
get your input on that. I would also actually like to hear from 
each of the witnesses what their thoughts are on that time 
frame. What should the appropriate time frame be? Thank you.
    If I could go in with Mr. Miller first, and then 
alphabetically, Ms. Hogsett, Mr. Mayer, and Ms. Denbow.
    Mr. Miller. Thanks very much for the question, 
Representative Clyde.
    Yes. Well, as we say in our written testimony and as our 
policy principals indicated and as I think we have heard from 
several other witnesses today already, it does seem like 72 
hours does hit the--kind-of the sweet spot, if you will, for a 
variety of different reasons.
    You know, I don't want to be duplicative of some of the 
other points that were made here, but, you know, just to put a 
fine point on something, you know, whether we are talking about 
the Cybersecurity Information Sharing Act of 2015 and the 
information sharing under that act, or if we are talking about 
incident reporting requirements here, you know, the--the goal 
of these--hopefully of these bills and laws is not to share the 
information or just, you know, provide an avalanche of 
information or as much as possible. Really do need to report 
information in a way that is going to be usable, not only by 
CISA, but by critical infrastructure, by other companies, such 
as FireEye, that are working, you know, on the front lines of 
these incidents.
    So 72 hours seems to be the amount of time that many 
cybersecurity professionals say is sufficient to determine what 
has occurred and to provide some of that additional contextual 
information that is needed, you know, to conduct the 
investigations, to actually make sure that, you know, 
cybersecurity--that you are actually also paying attention to 
trying to shore up your systems and avoid further damage.
    Also, it does seem to be in line with kind-of a global 
standard, if you will, in the 72 hours time frame----
    Mr. Clyde. Well, thank you.
    Ms. Hogsett, do you concur with that?
    Ms. Hogsett. Sure. I think what we are all trying to do is 
we recognize the benefit and the value of providing more 
information into a central place in the Government--in this 
case, CISA--to help everybody else sort-of avoid attacks if it 
hasn't already hit them instant.
    So what you note around FISMA and the 7-day, I would have 
to go back and look specifically at when that time line kicks 
in, because we have often found in industry, when the clock 
starts ticking can be very different. We believe, as structured 
in this legislation, it does allow, as John noted, a reasonable 
time period for a firm to do initial investigation without 
interfering with that important work that needs to happen, 
while still providing then useful information that could 
benefit others.
    I think the larger point that you highlight, though, is 
that we do have already in place varying different standards, 
and there is a need to ensure that there is harmonization. 
Industry certainly faces this. We have it with our existing 
regulations. Government agencies are likely also now, as you 
highlight, you know, to have to face that.
    So this is something that we would encourage and would love 
to continue working with you and Congress on to help ensure 
that there is more of a standardized baseline and that everyone 
has a clear time line and a clear set of expectations around 
reporting.
    Mr. Clyde. OK. Thank you very much.
    Mr. Mayer.
    Mr. Mayer. Yes. So I will be quick here just to add. I 
think--I am looking for the language. I can't find it right 
now. But two things.
    One is the legislation recognizes that there is a balance 
between the agency's desire to get situational awareness and to 
get information out that could be useful, and the desire of a 
company to have--feel that they have some sense of what 
happened. Again----
    Mr. Clyde. Right.
    Mr. Mayer [continuing]. Going back to what constitutes 
confirmation, you are going to know it. You have got a serious 
cascading impact on critical infrastructure. You may not know 
attribution, you may not know all the elements, all the systems 
that have been impacted. You will know you are dealing with a 
significant incident. So I think you accomplish that balance.
    The other thing I would add--and, again, I am looking for 
it here, in the Executive Order 14028 that the White House 
issued on improving the Nation's cybersecurity with respect to 
what Federal agencies are required to do and their contractors, 
they established, subject to check, I believe 3 days as the 
time line for providing information.
    So I am sure a lot of thought went into that, discussion 
with other agencies. As it was pointed out, I think there are 
general standards around that time. So it is a reasonable 
amount of time. I think if you tried to make it 7 days, I think 
a good case could be made that things would be, you know, at 
that point, too far down the road in terms of potential damage. 
So----
    Mr. Clyde. OK.
    Mr. Mayer [continuing]. We wouldn't--I don't think anybody 
on the industry is going to--you are going to find anybody 
arguing for that--that amount of time----
    Mr. Clyde. Well, all right. Thank you. Maybe we should 
tighten up the Federal Government's requirement then.
    Last, Ms. Denbow, do you concur with that? I saw you 
shaking your head yes.
    Ms. Denbow. Thank you very much, Congressman.
    There is not really a good answer to exactly what the right 
number should be. Should it be 72? Should it be 70? Should it 
be 68? It is more of--the key is that they are allowed to 
confirm first that they have an incident rather than just 
speculating that they have an incident.
    By giving it the 72 hours, now you are allowing the 
operator more time to gather valuable, useful information 
rather than just spitting information to CISA, where CISA is 
going to come back and ask more questions anyway.
    So it just allows that little comfort zone and space to be 
able to do the investigation that is needed to be able to 
provide preliminary information.
    Mr. Clyde. Well, thank you very much.
    Madam Chair, I see my time has expired, but I appreciate 
the witnesses' information here.
    You know, it is my intent that we have good industry input 
in the rule-making process to establish this bill, because I 
think that is very, very important. So thank you, and I yield 
back.
    Ms. Clarke. Thank you, Mr. Clyde.
    The Chair now recognizes for 5 minutes the gentlewoman from 
Texas, Ms. Jackson Lee.
    Ms. Lee, are you muted? I think you may need to unmute.
    Ms. Jackson Lee. Can you hear me?
    Ms. Clarke. We can hear you now.
    Ms. Jackson Lee. Thank you so very much.
    Thank you very much, Madam Chair, for your leadership on 
this very crucial issue. I just have two questions that I would 
like to pose for those who would answer it and give their 
insight.
    We know that a key consideration on the value of reporting 
is sharing information on the cyber attack, how a system was 
breached or compromised so that effective defenses can be 
developed.
    I would like to raise the point of whether or not is it 
important for Pfizer--CISA to share this type of data with 
critical infrastructure owners and operators knowing that, even 
to date, there are at least 85 percent or more of the critical 
infrastructures in the private sector?
    The second question would be how this legislation would 
have impacted Colonial Pipeline and the trajectory that they 
utilized, which was not open, which was not--they did not come 
forward quickly, and they did not provide information quickly.
    So I pose those two questions, and I do those to the 
particular witnesses who choose to answer them. Or either I 
will call on each of you.
    Mr. Bushar. Yes, ma'am. I will take a shot at the first 
question.
    It is absolutely important and critical, and as we 
testified today, that the bidirectional information sharing is 
absolutely important for any information-sharing regimen to be 
considered. So those indicators, those technical pieces of 
information around the specific vulnerabilities that were 
exploited and the way in which they were exploited are exactly 
the sorts of data points that CISA should be collecting and 
then, you know, turning around to covered entities or to 
specific sectors as appropriate.
    As we know, in much of our infrastructure today, it is 
fairly common technology sets, so that, in many cases, those 
sorts of information and indicators will apply broadly. But 
there may be very, very specific vulnerabilities that only 
apply to certain pieces of technology that are only relevant in 
certain industries, and, therefore, CISA will be--you know, 
they will have to tailor that information sharing in a way that 
is, again, relevant to the defense--defensibility of those 
particular pieces of technology in those sectors.
    Ms. Jackson Lee. Can you hear me?
    Mr. Bushar. Yes, ma'am.
    Ms. Jackson Lee. Good. Can I have other witnesses answer 
the question, please?
    Ms. Denbow. I will gladly answer. This is Kimberly with the 
American Gas Association.
    Ms. Jackson Lee. Thank you.
    Ms. Denbow. Yes, ma'am.
    So, repeating what Ron said, yes, the bidirectional is 
extremely important.
    Going on to the Colonial Pipeline matter. I will say that 
for nearly a dozen years, if not more so, the oil and natural 
gas sector, as well as the pipeline sector coordinating 
councils, have been asking Government for a more streamlined 
reporting approach. Regardless of whether it was mandated or 
voluntary, we said: Is there a one-stop shop where we can 
report a cyber incident? And there is constant, well, yes; 
well, no, not really.
    So until that can be worked out, I believe the industry 
operators are reporting to whom they feel they need to report 
to, one, under certain given requirements, but then, also, I 
know that, at least with AGA-member utilities, we tell them to 
connect with the FBI.
    So, given the absence of that further information, that is 
kind-of what we are working under, as well as to report to the 
TSOC, the Transportation Security Operations Center.
    Ms. Jackson Lee. So legislation--thank you. Legislation 
that would give a framework for this would be helpful, and also 
the sharing of information would be helpful as well?
    Ms. Denbow. That bilateral part is so important. We feel 
like--we feel like when we share with the Government, it 
becomes a landfill of information with nothing valuable coming 
back out to us in a timely fashion. That is not to criticize 
the individuals that are working with the process on the 
Government side. Much like having a valuable by-product out of 
landfills, such as renewable natural gas, it would be valuable 
if we could have a valuable by-product out of this data 
landfill being bidirectional information sharing in a timely 
fashion of actionable information.
    Ms. Jackson Lee. Thank you.
    Any other witnesses----
    Mr. Miller. Congresswoman Jackson Lee, could I also jump in 
on this briefly?
    Ms. Jackson Lee. I would be very pleased if you would, Mr. 
Miller. Thank you.
    Mr. Miller. Thank you very much.
    You know, just to add on to this--the bidirectional point. 
It is absolutely critical, and, you know, again, as I was 
suggesting earlier, you know, it is not only bidirectional 
information sharing. I mean, what is really key is what is 
the--what is the goal, and what is the--and what is this bill, 
for instance, trying to do with--this incident notification 
bill?
    I think that the bill does a good job of articulating some 
of the different operational, you know, goals that the bill has 
for CISA. You know, greater situational awareness is certainly 
part of it. We can all agree that that would be useful, not 
only for the Government, but for the critical infrastructure 
community.
    But then, also, at least based on our conversations with, 
you know, the relatively new team at CISA, you know, I think 
they are really interested in driving deeper operational 
collaboration between CISA, other Government partners, critical 
infrastructure owners and operators. I mean, that is really 
key, right, to--you know, we always hear cybersecurity is a 
team sport. Maybe it is a cliche because it is true, right?
    I mean, CISA--we shouldn't think of it as, you know, does 
CISA have the information it needs to protect the world from 
cyber threats, because that is--they are never going to have 
enough resources to do that. So they have to work with the 
private sector, and that is why private sector also needs this 
information.
    Ms. Jackson Lee. This is a new world. We even expect 
ransomware from now on, and I think we do need this 
cooperative, collegiate, and important dialog and discourse 
every moment, if we can, in order to fight against those who 
intend to really break our infrastructure.
    Madam Chair, I am sorry, I am not seeing the time, but do I 
have any more time?
    Ms. Clarke. Ms. Jackson Lee, your time has expired. We are 
entering into a second round of questioning. If your time 
permits and you have further questions, please keep your camera 
on and we will acknowledge you.
    Having said that, I want to acknowledge----
    Ms. Jackson Lee. That is it. Thank you so very much. I 
appreciate your patience.
    Ms. Clarke. Absolutely. Absolutely.
    I am going to acknowledge myself for 5 more minutes. There 
are a few more questions that I have for our panelists, and I 
know that our Ranking Member will be joining me in questioning.
    Mr. Bushar, how can CISA use data on cyber incidents to 
empower security researchers outside of CISA to improve 
security systemically across sectors? Can CISA do this in a way 
that protects confidentiality and anonymity of covered 
entities?
    Mr. Bushar. Thank you for that question, Madam. Yes, 
absolutely. There is valuable use cases for information that 
CISA can share with either universities, public sector, other 
public-sector entities or private-sector research firms to do 
deeper-dive analysis, more complex, you know, analytics on 
information. Things that were mentioned earlier by, I believe, 
one of the other Members related to more complex sorts of 
calculations related to machine learning algorithms or other 
sorts of artificial intelligence-based capabilities that are--
today reside largely either in the private sector and academia.
    I think there is a huge amount of value in that 
collaboration and information sharing to allow a broader 
research community to fully understand and analyze not only 
individual attacks, but, again, the totality of what we are 
seeing in cyber space, and hone in on what are some key areas 
of either resiliency or defensibility, you know, to better 
protect our sectors or our infrastructure overall.
    To your other question related to how that information can 
be shared or can it be shared anonymously or in a protected way 
for covered entities, absolutely. We do this all the time as 
part of our cooperation, not only with Government entities but 
with research partners, et cetera, where we are able to take 
collective data in a way that removes any sort of attribution 
to the source of that information or to the identity of the 
victim.
    It is how we produce a number of our own strategic reports, 
you know, in--for our customers and for the wider community, 
and we believe that there is concrete ways for that to be done 
in a way that protects the identity and confidentiality of the 
sources of that information but benefits all parties from a 
research and development effort perspective.
    Ms. Clarke. From your perspective, having worked with CISA 
and critical infrastructure clients to respond to incidents, 
what role do you see incident response firms like Mandiant 
playing in this new reporting regime? Are you concerned that 
forcing security vendors to report on their customers will 
undermine trust and discourage owners and operators from 
working with the companies that have expertise and tools to 
make them more secure?
    Mr. Bushar. Thank you for that question, Madam. Yes. On the 
point of the role that private security firms play in 
protection and response to cyber threats, it is certainly a 
capacity issue, as was stated earlier. We believe that there is 
roles specifically for the Government to assist directly with 
victims as well as private-sector partners like us and other 
firms.
    In order to do that in either model, frankly, there has to 
be a trust relationship. These are often some of the worst days 
that organizations are facing. There is very, very sensitive 
information that is being analyzed within the--during the 
breach and within the organization. You are in a situation of 
high trust with your clients, whether you are Government 
support, whether you are FBI, whether you are Mandiant 
responding to a breach.
    The challenge with a mandated model where you are asking a 
trusted partner of a victim to then report independently of 
that victim's authorization to the Government of the fact of a 
breach puts us in a real challenging position--any individual--
any organization in a challenging position of betraying one 
trust in order to provide information to another partner. We 
don't believe that that encourages a real cooperation or 
collaboration or effective way of sharing information.
    It also can potentially create challenges with contracts 
and language around legal requirements that we put in place 
whenever we are working with clients in a trusted manner.
    So I do think that the model that has been put forth in 
this bill, where it is the covered entity themselves, it is the 
organization that is the victim that is required to and 
responsible for ultimately reporting is the right model. I 
think organizations like ourselves are in a good place to 
advise and support that compliance for the victim, but that 
organization's security vendor should not be compelled to do 
that independently of the client that they are working on 
behalf of.
    Ms. Clarke. Very well. One of the goals in drafting this 
legislation was to provide CISA with enough information to 
analyze and understand threats, but do--but to do so without 
inundating CISA with false positives or inaccurate helpful--
unhelpful reports. I think that was raised in the conversation 
with Mr. Clyde. Toward that end, we have directed CISA to 
consider a number of factors when defining covered cyber 
incidents.
    This is to the panel. What are the risks of improperly 
scoping the definition of covered cyber incidents, and how 
would that frustrate the goals of cyber incident reporting?
    Yes.
    Mr. Mayer. So I might start here. So what you want to look 
for is the Goldilocks solution here. It can be too narrow or it 
could be too broad, and you really have to find that right 
balance in terms of, you know, laser on that kind of 
consideration. So the fact that there is a process of 
engagement, that there is going to be a continuous dialog, I 
believe, there will be opportunities to say, we didn't do 
enough, we did too much, or it was too narrow, too broad, and 
to refine that. But I think there are risks on both sides of 
that equation.
    Ms. Clarke. Thank you, Mr. Mayer.
    Ms. Hogsett, I think I saw your hand.
    Ms. Hogsett. Yes, ma'am. Thank you.
    I agree with Robert. I think the thing--the point that we 
would caution here is, for a number of our financial 
institutions, they will potentially see thousands of pings 
against their systems. So if you leave the definition and the 
scope too broad, you would literally have, from a single firm, 
potentially hundreds if not thousands of reports going in, 
which just is a massive amount, and it is not really the things 
that are going to, I think, cause the level of concern that you 
are looking to focus on.
    So, again, we do believe that, you know, the opportunity 
for public comment and dialog with sectors through the rule-
making process will help us get to a good place, but we also do 
need to be respectful that this is going to be a new--new work 
capability for CISA to build, and we don't want to send too 
much information to them, because that would be too much noise 
in the system and you would miss potentially really big things.
    Also, for a firm who is then having to report, what that 
means is you are taking your front-line cyber defenders away 
from focusing on defending the firm and continuing to keep up 
with this dynamic threat environment that we have, and instead 
they are focusing on making sure that they are submitting 
Government reports so that they are not, you know, missing that 
perspective.
    So I think that is a really critical component to get 
right, and we appreciate at least that the structure you have 
put in place would allow for that dialog to get to the 
Goldilocks moment that Robert mentioned.
    Ms. Clarke. Thank you.
    My time has expired. I thank my Ranking Member for his 
indulgence, and I now yield to him for any additional questions 
that he may have.
    Mr. Garbarino. Of course, Madam Chairman. That is actually 
an important question to get out, so I appreciated and enjoyed 
the witnesses'--their answers.
    I want to do a little follow-up. Ms. Hogsett, maybe you 
could--since most of your Members already deal with reporting 
requirements, both nationally and for a lot of States, what can 
we do--is there anything we can do in this legislation to help, 
you know, harmonize, you know, what you--what your Members have 
to--have to do so that they are not sending--they are not 
reporting on several different hacks, you know, one for one 
agency, one for another, you know, based on different 
standards? You know, how--what can we do so it is easier for 
your Members to comply with this law?
    I will extend that to some of the other witnesses as well 
after she answers, because I am sure you all have great 
opinions.
    Ms. Hogsett. Well, thank you for the question. That is a 
really critical thing for us.
    Attached to my testimony, we did include sort-of a 
compendium or a summary of the variety of requirements that we 
already have. This is why there is a provision in the bill 
currently that requires CISA to coordinate and harmonize 
requirements for those sectors that already have them in place.
    So, for us, this would mean, you know, we would really 
strongly encourage CISA to work not only with our sector risk 
management agency, which is Treasury in our case, but also 
Federal Reserve Board, the Office of the Comptroller of the 
Currency, the Federal Deposit Insurance Corporation. I mean, we 
have a multitude. Hopefully, we have done a lot of that work to 
help funnel that to a good place where we can help align for 
them with what we already do, but that is really such a 
critical point for us, that this gives us an opportunity, 
hopefully, to have a streamlined requirement with a common set 
so firms can provide information to one place, and then CISA 
should be in a position to help work across the Government, 
including independent regulatory agencies, to share that 
information out.
    Based on the conversations we have been having with our 
regulators, we do think that everyone is really trying to align 
and do the right thing to help everybody, you know, protect 
their institutions, their organizations, and also the broader 
sector and our Nation. So this is a unique opportunity to do 
that, and your help and support by ensuring in the 
implementation that that coordination--that required 
coordination occurs would be really helpful for us.
    Mr. Garbarino. Great. Thank you.
    Anybody else want to add on to that?
    Ms.--Mr. Miller?
    Mr. Miller. Sure. Thank you, Ranking Member Garbarino.
    Yes. You know, as I mentioned in my--I mentioned it briefly 
in my oral testimony, and it is certainly in my written 
testimony as well. I mean, this is really a major issue, and, 
frankly, even extends beyond the cyber incident reporting 
context, right? I mean, we have often talked about the need for 
regulatory streamlining, because we not only--we have a lot of 
different sector-specific regulators. You know, I don't need to 
say anything more about that since Heather just took care of 
that.
    But, you know, the reality is there are a number of 
different security incident notification requirements out there 
already, right, on companies, you know, not only in the 
regulated sectors, but, you know, Federal contractors. We have 
the new Executive Order provision that was mentioned earlier.
    One of the things that we recommend is really, you know, 
leveraging these--the various existing channels that are 
already set up and having CISA do that to really make sure 
that, you know, that, frankly, the information is also being 
shared amongst the regulators, the Federal agency, right? We 
are talking about bidirectional information sharing but, in 
this context, it is almost tridirectional.
    We also need CISA talking to FBI and the financial 
regulators and anyone else who really has information or is 
receiving these reports. One of our recommendations is that 
perhaps, you know, the Office of Management and Budget could 
issue guidance to Federal regulators and law enforcement 
requiring this sort-of sharing of information to make sure that 
we are actually having a--you know, an impact on the regulatory 
overload, you know. I appreciate the bill for taking the first 
step in acknowledging the need, so thank you.
    Mr. Garbarino. Yes. Ms. Denbow, I know you are--I think one 
of the next things we have to do is maybe do a little Federal 
preemption, all these different State rules that you all have 
to deal with. We won't get into it now, but I know--I am sure I 
could guess how you all feel, but----
    Mr. Miller. Right. It is beyond your scope perhaps, but 
there are also international rules that we need to deal with, 
so----
    Mr. Garbarino. Oh, yes. One thing at a time.
    Ms. Denbow. So I believe that the biggest challenge really 
is--and I speak from experience at the American Gas 
Association. We worked effortlessly to try to pull together a 
harmonization of all the different cyber assessments out there, 
from all the different agencies: Department of Energy, 
Department of Homeland Security, TSA. We were able to do 
something like that. But then when you take it back to those 
different offices, they believe that their system is the one 
system that works best.
    So I believe that is where--the challenge is actually going 
to be on Congress to convince the different agencies that there 
is one system as opposed to all the different systems, or how 
the--all the different systems that are out there are not going 
to be overly burdensome to the operator.
    Mr. Garbarino. I appreciate those answers. Thank you so 
much. We will definitely take that into consideration.
    Madam Chairwoman, I yield back, but thank you again for 
having this great hearing today.
    Ms. Clarke. I thank you very much, Mr. Ranking Member.
    I want to thank our witnesses for their valuable testimony, 
and the Members of the subcommittee for their questions.
    The Members of the subcommittee may have additional 
questions for our witnesses, and we ask that you respond 
expeditiously in writing to those questions.
    The Chair reminds Members that the subcommittee will--
record will remain open for 10 days--10 business days.
    Without objection, the subcommittee now stands adjourned. 
Thank you for joining us today.
    [Whereupon, at 1:47 p.m., the subcommittee was adjourned.]

                                 [all]