WASHINGTON – Today, global tech trade association ITI and 17 associations representing the tech, telecom, and broader U.S. business industries recommended key priorities lawmakers should consider when developing effective cyber incident reporting legislation. In a letter to the leaders of the U.S. Senate Committees on Intelligence and Homeland Security and Governmental Affairs and the U.S. House of Representatives Committee on Homeland Security, the associations urge lawmakers to pursue legislation that leverages the limited resources of federal agencies, enables regulatory compliance, provides liability protections, and advances national cybersecurity interests.

“The undersigned associations, representing major sectors of the American economy, including the owners, operators, and those that support and maintain the nation’s critical infrastructure, appreciate Congress’s ongoing focus on cybersecurity incident reporting legislation,” wrote the associations. “Our industries recognize the value of public-private collaboration facilitated by mutual sharing of actionable information on significant cybersecurity incidents and intrusions with federal agencies. Incident Reporting legislation pending in Congress, when harmonized with the requirements of Section 2 of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, have the potential to improve the nation’s cybersecurity posture if appropriately developed and implemented.”

The letter recommends five key principles for lawmakers to consider when drafting legislation: establish feasible reporting timelines of no less than 72 hours; limit reporting regulations to verified incidents and intrusions; limit reporting obligations to the victim organization, rather than third-party vendors or providers; harmonize federal cybersecurity incident reporting requirements; and ensure confidentiality and nondisclosure of incident information provided to the government.

The letter was signed by the Information Technology Industry (ITI) Council, ACT | The App Association, Airlines for America (A4A), American Fuel & Petrochemical Manufacturers, American Petroleum Institute, American Gas Association, Business Roundtable, BSA | The Software Alliance, CompTIA, Consumer Technology Association (CTA), Cyber Coalition, Cyber Threat Alliance, Edison Electric Institute, Electronic Transactions Association, Internet Association, Software & Information Industry Association, TechNet, and Telecommunications Industry Association (TIA).

Read the full letter here or below:

August 27, 2021

Dear Chairs, Vice Chairman, and Ranking Members:

The undersigned associations, representing major sectors of the American economy, including the owners, operators, and those that support and maintain the nation’s critical infrastructure, appreciate Congress’s ongoing focus on cybersecurity incident reporting legislation. Our industries recognize the value of public-private collaboration facilitated by mutual sharing of actionable information on significant cybersecurity incidents and intrusions with federal agencies. Incident Reporting legislation pending in Congress, when harmonized with the requirements of Section 2 of President Biden’s Executive Order on Improving the Nation’s Cybersecurity, have the potential to improve the nation’s cybersecurity posture if appropriately developed and implemented.

To ensure an effective incident reporting regime that leverages the limited resources of federal agencies, enables regulatory compliance, provides liability protections, and advances national cybersecurity interests, we believe that policymakers in Congress should, at a minimum, follow five key principles:

Establish feasible reporting timelines of no less than 72 hours. Cybersecurity incidents are crisis moments for victim organizations. To ensure that the Cybersecurity and Infrastructure Security Agency (CISA) and its interagency partners receive actionable information on truly significant incidents, it is essential to give incident responders time to evaluate the intrusion to determine its impact. Shorter timelines also greatly increase the likelihood that the entity will report inaccurate or inadequately contextualized information that will not be helpful, potentially even undermining cybersecurity response and remediation efforts. A formal report on a verified, significant incident should not preclude less-fulsome notifications to CISA on a more flexible timeline."

Limit reporting regulations to verified incidents and intrusions. Incident reporting should focus on verified incidents rather than potential incidents or “near misses.” Reporting verified incidents, that have been well defined and scoped, will avoid a culture of overreporting that will strain limited incident response capacity and capabilities inside and outside the government. It also can help ensure that information received is useful and actionable.

Limit reporting obligations to the victim organization, rather than third-party vendors or providers. Any legislation should ensure that the reporting obligation falls only on compromised affected entities. Vendors and third-party service providers should not be required to report cybersecurity incidents to the US Government that have occurred on their customers’ networks and vice versa. Such a requirement would pose numerous challenges to normal business operations, including potentially forcing vendors or third parties to disclose business confidential information of that customer or breach their contractual obligations. Requiring third-parties to report incidents could even disincentivize companies from employing outside cybersecurity services to the detriment of those companies’ own security and resilience.

Harmonize federal cybersecurity incident reporting requirements. It is imperative that Congress streamline and normalize federal reporting requirements to ensure resources are used to combat malicious cyber threat activity, rather than customizing reports on the same incident to multiple agencies. Numerous federal agencies currently have disparate incident reporting requirements, many of which are just being implemented. Reported information should be aggregated, anonymized, analyzed, and shared, with government and industry, in a manner to assist in the mitigation and/or prevention of future cyber incidents.

Ensure confidentiality and nondisclosure of incident information provided to the government. It is imperative that any legislation have strong and transparent rules about the confidentiality of incident information that is shared with or by federal agencies. Such rules should govern not only the dissemination of incident information with relevant interagency partners, but should specifically preclude direct or indirect use of such information by the Federal government. These rules must be crafted to guarantee compliance with existing legal regimes, including contractual, intellectual property, and privacy obligations.

Our industries strongly believe that securing the nation’s digital assets is a shared responsibility requiring collaboration between the private sector and federal partners. We stand ready to assist policymakers as they develop their proposals on this important national security issue.

Related [Cybersecurity, Public Sector]