for internal review and discussion only
Initial Analysis | U.S. Chamber of Commerce
Draft Cyber Incident Notification Act of 2021 (ALB21A18)
Sponsored by Sens. Mark Warner, Marco Rubio, and Susan Collins
July 14, 2021
Background
• The U.S. Chamber of Commerce received the draft Cyber Incident Notification Act of
2021 from congressional staff in June 2021. We applaud them and the bill’s sponsors
for releasing it for public comment.1
• The Chamber wants to pass workable cyber incident reporting legislation that would
lead to tangible improvements in U.S. cybersecurity for the business community and
government. Any legislation in this area needs to meet the interests of industry
organizations, which are the front lines of cyber conflict, and their agency partners.
• We have developed this initial analysis to advance discussions with Congress,
agencies, and other relevant stakeholders. We urge lawmakers and staff to solicit
feedback from multiple private sector parties and not rush writing the bill.
• This paper largely addresses provisions in the legislation. Nonetheless, several
underlying policy themes—including notable successes in cyber threat sharing,2 the
marked shift in the Cybersecurity and Infrastructure Security Agency’s role from a
risk adviser to a regulator,3 and inducements to enhanced operational cybersecurity
collaboration (e.g., defend forward)4—should be factored into the bill’s crafting.
Sec. 1 Short Title (Page 2)
This act may be cited as the Cyber Incident Notification Act of 2021.
Sec. 2 Cybersecurity Intrusion Reporting Capabilities (Page 2)
(a) In general, this legislation would amend title XXII of the Homeland Security Act of 2002
(6 U.S.C. 651 et seq.) by adding the following provisions to create subtitle C.
Subtitle C—Cybersecurity Intrusion Reporting Capabilities
Sec. 2231 Definitions (Page 2)
(1) Definitions from section 2201. The definitions in section 2201 would be required to
apply to this subtitle, except as otherwise indicated.
• The Chamber’s feedback on the proposed definitions is provided throughout the bill.
(2) Agency. The term “agency” means the Cybersecurity and Infrastructure Security
Agency (CISA).
(3) Appropriate congressional committees. In this section, the term “appropriate
congressional committees” means the (A) Senate Homeland Security and Governmental
Affairs Committee, (B) Senate Intelligence Committee, (C) Senate Judiciary Committee,
(D) House Homeland Security Committee, (E) House Intelligence Committee, and (F)
House Judiciary Committee.
(4) Covered entity. The term “covered entity” has the meaning given the term under the
rules required to be promulgated under section 2233(d).
• The bill should take care not to overreach. As written, the legislation’s definition of a
“covered entity” would be overly inclusive of industry parties.
• The Chamber strongly recommends a step-by-step approach to covering private
organizations. The definition of covered entity should be risk based and limited to
private entities that the government is both able and willing to assist (at the request of
the covered entity) before, during, and/or after a significant cyber incident.
• Cyber incident reporting must not be an end in and of itself, which bill writers don’t want.
The Chamber wants workable legislation that leads to industry groups telling us that
they are receiving actionable information and assistance from CISA, law enforcement,
and other national security agencies.
(5) Critical infrastructure. The term “critical infrastructure” has the meaning given under
section 1016(e) of the Critical Infrastructure Protection Act of 2001 (42 U.S.C.
5195c(e)).5
• The bill would use the definition for “critical infrastructure” established in the
USA PATRIOT Act (P.L. 107-56), which refers to “systems and assets, whether
physical or virtual, so vital to the United States that the incapacity or destruction of
such systems and assets would have a debilitating impact on security, national
economic security, national public health or safety, or any combination of those
matters.”6
• However, the scope of covered entities—presumably a subset of critical
infrastructure—could still be too broad from a risk-management perspective. Thus, the
definition of covered entities should not include every private entity that could fall
within the 16 critical infrastructure sectors.7
• For the legislation to have a chance at effectiveness, lawmakers should (1) set criteria
in the bill that create a narrow list of covered entities. Then the legislation should (2)
instruct the Department of Homeland Security (DHS)/CISA to further trim the list of
covered entities as part of a proposed rulemaking. In short, both the bill and the
proposed rulemaking should emphasize a focused assemblage of covered entities.
(6) Cyber intrusion reporting capabilities. The term “Cyber Intrusion Reporting
Capabilities” (CIRCs) means the cybersecurity intrusion reporting capabilities established under
section 2232.
• See the Chamber’s comments on CIRCs under subsection 2232(b).
(7) Cybersecurity notification. The term “cybersecurity notification” means a notification
of a cybersecurity intrusion as defined in accordance with section 2233.
• Bill writers should not authorize CISA and other specified agencies to define
“cybersecurity notification” organically, which the legislation suggests. The definition
of a cybersecurity notification should explicitly exclude a “potential” cybersecurity
intrusion. A company told the Chamber that “reporting ‘potential’ intrusions means we
would have to report every time our AV [antivirus] alerts or quarantines ‘threats.’
These events occur hundreds of times a day and would be totally useless to [the
government].” The company added, “The time we spend reporting these events using
the government’s templates and answering officials’ questions would take people and
resources away from defending our networks.”
• To enhance the efficiency of a reporting program, a defined cybersecurity notification
should be triggered only when there exists a reasonable likelihood of a significant
incident or harm to U.S. economic and national security. Also, a significant cyber
incident would demand unity of effort within the government and especially close
coordination between the public and private sectors.8
• As drafted, the bill would make comparatively low-level cybersecurity intrusions a
compulsory, nonstop reporting activity. One firm said to the Chamber, “We
recommend dropping the language as proposed and, instead, focus on events that are
‘material’ to the covered entities. As drafted, the language would require companies to
speculate whether an isolated event on their systems has broader national or
international implications. This arrangement would create a level of subjectivity and
result in varying levels of compliance among covered entities.”
• Any definition of a cybersecurity notification created under the bill should be as simple
as possible, including allowing a business principal to make a phone call to CISA or
law enforcement (e.g., the FBI).
(8) Director. The term “director” means the director of CISA.
(9) Federal agency. The term “federal agency” has the meaning given the term “agency”
in section 3502 of title 44, U.S. Code.
(10) Federal contractor. The term “federal contractor” (A) means a contractor or
subcontractor (at any tier) of the U.S. government and (B) does not include a contractor or
subcontractor that only holds (i) service contracts to provide housekeeping or custodial services
or (ii) contracts to provide products or services unrelated to information technology below the
micro-purchase threshold (as defined in section 2.101 of title 48, Code of Federal Regulations).
(11) Information technology. The term “information technology” (IT) has the meaning
given the term in section 11101 of title 40, U.S. Code.
(12) Ransomware. The term “ransomware” means any type of malicious software that
prevents the legitimate owner or operator of an information system or network from accessing
computer files, systems, or networks and demands the payment of a ransom for the return of such
access.
Sec. 2232 Establishment of Cybersecurity Intrusion Reporting Capabilities (Page 5)
(a) Designation. Subsection (a) would require CISA to be the “designated agency” within the
federal government to receive cybersecurity notifications from other agencies and covered
entities.
• There is the prevailing view among cybersecurity stakeholders that CISA should be the
main agency to receive cybersecurity notifications from covered entities. Yet we
believe that businesses should be able to notify the FBI and the Secret Service and
satisfy the bill’s reporting requirements. Time and time again, industry has heard
government officials say, “A call to one agency is a call to all agencies. You [business]
tell us on the frontend, and we [agencies] will handle things on the backend.”
• One business questioned the resources available to CISA, given the obligations it
would be shouldering. “What funding is Congress advancing to ensure that CISA has
the resources it needs to take on this new task? Also, such a massive incident reporting
program would require significant resources to make it work well and congressional
oversight of the agencies implementing it.”
(b) Establishment. Subsection (b) would require CISA to establish CIRCs within 180 days
following the enactment of this legislation to facilitate the submission of timely, secure, and
confidential cybersecurity notifications to CISA from agencies and covered entities.
• The bill authorizes new CIRCs that would be distinct from CISA’s Automated
Indicator Sharing (AIS) program, which enables organizations to share and receive
machine-readable cyber threat indicators (CTIs) and defensive measures (DMs) in real
time to monitor and defend their networks against known threats.9 The Chamber hears
from many organizations that CIRCs could complement the AIS program in theory—
but in practice there would be much conflict, including a battle for resources within
CISA.
• A business informed the Chamber that CIRCs would massively strain CISA’s ability to
absorb cybersecurity information and push actionable threat data to its partners, which
many cyber practitioners characterize as less than optimal today.
• A CISA-led mandatory cyber intrusion reporting program could severely damage
cooperative public-private partnerships that have taken individuals and institutions
years to build and sustain. The bill, in many respects, seems indifferent to such
concerns.
(c) Reevaluation of security. Subsection (c) would require CISA to reevaluate the security of
CIRCs at least once every 2 years.
(d) Requirements. Subsection (d) would require the CIRCs to enable CISA to (1) accept
classified submissions and notifications and (2) accept a cybersecurity notification from any
entity, regardless of whether the entity is a covered entity.
(e) Limitations on the use of information. Subsection (e) states that any cybersecurity notification
submitted to CISA through the CIRCs (1) shall be exempt from disclosure under section 552 of
title 5 of the U.S. Code (commonly referred to as the Freedom of Information Act), in
accordance with subsection (b)(3)(B) of section 552, and any state or local provision of law
requiring disclosure of information or records. Also, cybersecurity notifications (2) may not be
(A) admitted as evidence in any civil or criminal action or (B) subject to a subpoena unless the
subpoena is issued by Congress for congressional oversight.
• Subsection 2232(e), which pertains to limitations on governmental uses of information
that it receives through CIRCs, should be revised to track with the limits in the
Cybersecurity Information Sharing Act of 2015 (CISA 2015).
• To illustrate, in addition to the liability protection, CISA 2015 provides the following
protections for sharing CTIs and DMs with any federal entity:
o Exemption from federal antitrust laws (not in the draft bill).
o Exemption from federal and state disclosure laws (seemingly in the draft bill).
o Exemption from certain state and federal regulatory uses (not in the draft bill).
o No waiver of privilege (e.g., trade secret protection) for shared material (not in the
draft bill).
o Treatment as commercial, financial, and proprietary information (not in the draft
bill).
o Ex parte communications waiver (not in the draft bill).10
• The bill should expressly shield reported information from being shared with
regulatory agencies for regulatory purposes.
• The bill needs to address how CISA would protect the data from compromise. A
business organization said to the Chamber, “The bill would require the establishment
of cyber reporting capabilities and defines data preservation requirements, but it does
not require the development of data protection requirements. Federal agencies have
been compromised by advanced threat actors just as often as private entities. CISA
needs to develop data protection requirements to ensure that critical notification data is
not compromised and weaponized.”
• The business organization added, “Intrusion reports should be treated as SSI [sensitive
security information] and subject to the disclosure protections and penalties of 49 CFR
Part 1520.11 This would help protect investigations from unintentionally or
intentionally leaked information, in addition to the liability/privacy protections
proposed in the draft. Also, information submitted should be exempt from use in
third-party enforcement actions.”
(f) Privacy. Subsection (f) would require CISA to adopt privacy and protection procedures based
on the comparable privacy and protection procedures developed for information received and
shared pursuant to CISA 2015 (6 U.S.C. 1501 et seq.).12 Also, such protections and procedures
would apply to information submitted to CISA through CIRCs that is known at the time of
sharing to contain personal information of a specific individual or information that identifies a
specific individual that is not directly related to a cybersecurity threat.
• The legislation would require CISA to adopt privacy and protection procedures
“comparable” to ones found in CISA 2015. In the rare instances where an individual’s
personal information is embedded within CTIs or DMs, CISA 2015 calls for public and
private entities to remove such personal information unrelated to a cyber threat when
voluntarily sharing CTIs and DMs.13
• Given the draft’s aggressive notification requirements, the government, not the private
sector, should be required to minimize or remove personally identifiable information
that it obtains from the private sector.
(g) Annual reports.
(1) Director reporting requirement. CISA would be required to submit a report, in
classified form if necessary, to the appropriate congressional committees on the number of
notifications received through CIRCs not later than 1 year after the date on which CIRCs are
established and once each year thereafter. A report would be required to include a description of
the associated mitigations taken during the 1-year period preceding the report.
(2) Secretary reporting requirement. DHS would be required to submit a report to the
appropriate congressional committees on (A) the categories of covered entities, noting additions
or removals of categories, that are required to submit cybersecurity notifications; and (B) the
types of cybersecurity intrusions and other information required to be submitted as a
cybersecurity notification, including noting any changes from the previous submission not later
than 1 year after the date on which CIRCs are established and once each year thereafter.
• Reports submitted to Congress should ensure the anonymity of covered entities
(e.g., an enterprise owner/operator).
Sec. 2233 Required Notifications (Page 8)
(a) Notifications.
(1) In general, except as provided in paragraph (2), the federal agency or covered entity
that discovered the cybersecurity intrusion or potential cybersecurity intrusion would be required
to submit a cybersecurity notification to CISA through CIRCs not later than 24 hours after the
confirmation of a cybersecurity intrusion or potential cybersecurity intrusion [strikethroughs and
italics added].
• A business group said to the Chamber that the bill should be revised to “remove terms
such as ‘potential,’ ‘has the potential,’ and ‘likely to be’ because these requirements
are imprecise and would lead to unproductive notifications. Critical response and
reporting activity should not be based on speculation that’s rooted in the law.”
• One sector organization described its reactions to the legislation: “The bill
misunderstands the proposals and initiatives undertaken by organizations across sectors
to work more effectively with the government on cyber incident reporting and
information sharing. In short, a legislative mandate to compel reporting is unnecessary.
It would be more productive to require DHS/CISA and sector agencies to establish
reporting networks and ensure timely analyses of reports for patterns, trends, and
indicators of concern.
“For example, the Transportation Sector Coordinating Council (SCC) has repeatedly
proposed14 creating an early notification network for significant cybersecurity concerns
managed by TSA [the Transportation Security Administration] with CISA (formerly
the DHS Office of Infrastructure Protection). … Ironically, TSA’s May 2021
cybersecurity pipeline directive mandates reporting “cybersecurity incidents” for the
purpose of enabling analysis for patterns, trends, and indicators of concern.15 The
repeated proposals for action made by the Transportation SCC, dating back some six
years now, and more recently by the STSAC [Surface Transportation Security
Advisory Committee], have sought this same outcome—without adequate action by the
key agencies.”
(2) Exception. If a federal agency or covered entity is required to submit a cybersecurity
notification under paragraph (1) is subject to another federal law, regulation, policy, or
government contract requiring notification of a cybersecurity intrusion or potential cybersecurity
intrusion to a federal agency within less than 24 hours, the notification deadline required in the
applicable law, regulation, or policy would also be required to apply to the notification required
under this section [strikethrough added].
• A company told the Chamber, “The bill does not address potential conflicts for
contractors with existing reporting requirements to the government, such as the
Defense Federal Acquisition Regulations (DFARS) requirement to report a cyber
incident to the Department of Defense (DoD) within 72 hours,16 or potential conflicts
with international laws, which may restrict non-U.S. contractors from sharing sensitive
cyber incident/threat information with the U.S. government.”17
• Similarly, “Some federal contractors,” a business said, “should be permitted to report
to the customer agency versus having to report to CISA. The bill could be a major
issue for the customers in the military and intelligence communities.”
• One business organization urged bill writers to “thoughtfully pump the brakes” in
relation to the administration’s May 2021 cybersecurity executive order (EO).18
“Currently, the bill would establish separate incident reporting requirements on
covered entities that are very similar to the ones in section 2 of the EO. Section 2 of the
EO requires OMB [the Office of Management and Budget], in consultation with other
agencies, to propose changes to the FARs [Federal Acquisition Regulations] and
DFARS relating to incident reporting by IT and OT [operational technology] service
providers. The bill would require that DHS/CISA, in coordination with other federal
authorities, promulgate interim final rules on topics overlapping or conflicting with the
draft legislation.”
The business organization concluded, “The bill is not doing what we thought it would
do in terms of clarifying EO section 2 via statute. Rather, it would add more confusion
to the growing pile of regulations.”
(b) Required updates. A federal agency or covered entity that submits a cybersecurity
notification under subsection (a) would be required to submit updated cybersecurity threat
information to CISA through CIRCs not later than 72 hours after the discovery of new
information. Such reporting on new information would be mandated until the date on which the
cybersecurity incident is mitigated or any follow-up investigation is completed [italics added].
• The bill’s proposed respective 24- and 72-hour required notifications should be
reconsidered.
• 24 hours. The initial 24-hour requirement would not give covered entities enough time
to investigate and determine the nature and scope of a cyber intrusion before reporting
would be due to CISA. The Chamber has supported reasonable timing requirements
(e.g., for data breaches) that reflect an appropriate and flexible timing standard for
government notification. Reasonable timing reflects the practical challenges—and
risks—of imposing unnecessarily aggressive deadlines while setting an acceptable
window for notifying authorities.19
• The rush to report is not without some risk, a firm said to the Chamber. “Viewing this
from an operational standpoint, we would want to ensure that affected entities may
report an incident after the initial mitigation and response have been carried out,
software patches have been installed, and an internal evaluation of the incident has
been conducted.”
• A company told the Chamber that “organizations need sufficient time to develop
adequate facts to determine the likelihood of actual risk of harm. Even cyber incidents
that are ultimately ruled minor in nature may absorb hundreds of personnel work hours
to correctly assess. Hasty notifications would likely lead to incorrect data being
reported in the fog of an incident.”
• 72 hours. The timetable for required updates within 72 hours is equally problematic.
The bill would require a covered entity that submits a cybersecurity notification to also
“submit updated cybersecurity threat information to [CISA] not later than 72 hours
after the discovery of new information” until the incident is mitigated or an
investigation is completed. The legislation is unclear about what a “mitigated” incident
means.
• As with the 24-hour notification stipulation, the tight 72-hour reporting time frame
would likely interfere with the proper analysis of new data. A business group informed
the Chamber that “this proposed regime would almost certainly flood CISA with
information that is neither digestible nor actionable.”
• Similarly, another organization noted, “This system of time-based reporting
requirements is confusing at best. Reporting, whether by an agreed process or mandate,
should be keyed to when the cybersecurity leads for an affected organization have
identified activity deemed significant because of the risk caused by a potential breach,
compromise, or operational disruption. Time standards would generate reports—
though many would be on activity that is neither significant nor based on useful
information.”
• A firm conveyed to the Chamber, “The update requirements that covered entities are
required to submit not later than 72 hours after the discovery of new information are
also problematic as the time period is too short and the term ‘new information’ is too
broad. The requirements should encompass some type of a materiality standard.”
• The term “new information” should be narrowly defined in the bill to align with a
material change in or important details being discovered specifically associated with
the incident.
• The 24- and 72-hour notification regimes would task many private parties with
building and maintaining expensive reporting infrastructures—all for relatively little
gain to industry and government that the Chamber can discern. Typical of much
industry feedback, a business asked, “Would the new reports come back to the private
sector with anything of value? Or would they simply fall into a black hole?”
(c) Required contents. The notification and required updates submitted under subsections (a) and
(b) would be required to minimally include any information required to be included according to
the rules promulgated under subsection (d).
(d) Required rulemaking.
(1) DHS/CISA, in coordination with the Office of the Director of National Intelligence
(ODNI), OMB, DoD, and the federal chief information officer (CIO), would be called on to
promulgate interim final rules (IFRs) no later than 60 days after the date of enactment of this
legislation. Also, the bill would waive prior public notice yet allow comments after the effective
date. The IFRs would be required to—
• The bill would require CISA to take the lead in writing IFRs, without prior notice and
comment, within 60 days of enactment. Bill writers should step back from this line of
thinking and call on CISA to first provide notice that it intends to promulgate a rule(s)
in the Federal Register. Elements of the bill—ranging from the comparatively
controversial to the trivial—should not be determined by CISA without substantial
input from industry stakeholders.
(A) define “covered entity” for the purpose of identifying entities subject to the
cybersecurity notification requirements and that would need to minimally include federal
contractors, owners or operators of critical infrastructure, and nongovernmental entities
that provide cybersecurity incident response services [italics added];
• The inclusion of “nongovernmental entities that provide cybersecurity incident
response [IR] services” drew much pushback from business entities.
• One organization said to the Chamber that the “preliminary definitions of covered
entities are very broad and should be honed ... to avoid unintended scope creep and
recognize the confidentiality obligations of those defined as covered entities. Many
organizations provide cyber incident response services (e.g., forensics firms,
remediation service providers, law firms, and insurers). It is likely that the legislation’s
authors intend to cover only forensics firms, and if this is the case, the definition
should be amended.”
• Another group mentioned, “Requiring ‘cybersecurity IR services’ to report incidents
seems like an end around [a client], which would require third parties to disclose not
only incidents affecting their internal systems but client incidents too.”
• One firm said to the Chamber, “Sec. 2233(d)(A) reads to include third-party
cybersecurity firms and could create unhelpful outcomes. A company may be hesitant
to reach out to a firm. The subsection creates a weird dynamic where firms are policing
their customers. It would make more sense to just require the owners and operators to
report, not the firms they hire. For example, under current data breach law, the
company reports, not the entity providing cybersecurity IR services.”
(B) define “cybersecurity intrusion” and “potential cybersecurity intrusion” to
determine when a cybersecurity notification would be required of a federal agency or
covered entity [strikethrough added];
(C) define “cybersecurity threat information” to describe the threat information
that would be featured in a cybersecurity notification;
(D) define “confirmation of a cybersecurity incident or potential cybersecurity
incident” to determine when a notification obligation is triggered [strikethrough added];
and
(E) address whether a federal agency or covered entity would be compelled to
provide a cybersecurity notification for a cybersecurity intrusion of which the federal
agency or covered entity is aware, but does not directly impact the networks or
information systems owned or operated by the federal agency or covered entity.
• If the bill includes nongovernmental entities that provide cybersecurity IR services in
the definition of covered entities, subsection (d)(1)(E) needs to be revised. It should
explicitly limit IR notifications to activity on their own networks, not anything else that
they are aware of (i.e., intrusions impacting their clients’ networks and systems).20 The
subsection should be revised to read as follows (the words struck through in the
Chamber’s markup are omitted here; bracketed words are insertions):
(E) [that] limit a covered entity’s required cybersecurity notification to include only a
cybersecurity intrusion of which the covered entity is aware and which directly impacts
the networks or information systems owned or operated by the covered entity.
• Speaking for many in the private sector, a business federation told the Chamber that
“under no circumstances should legislation pit the interests of cybersecurity support
firms against their customers in critical infrastructure sectors. A reporting mandate for
these firms would do just that, undermining the confidence of their customers in their
integrity and causing longer term damage to business prospects.”
(2) Requirements for definitions. The definitions required to be promulgated under
paragraph (1)(B) would need to include a cybersecurity intrusion that—
(A) involves or is assessed to involve a nation state;
(B) involves or is assessed to involve an advanced persistent threat cyber actor;
(C) involves or is assessed to involve a transnational organized crime group (as
defined in section 36 of the State Department Basic Authorities Act of 1956 (22 U.S.C.
2708));21
(D) results (or has the potential to result) in demonstrable harm to the national
security interests, foreign relations, or economy of the U.S. or to the public confidence,
civil liberties, or public health and safety of people in the U.S. [strikethrough added];
(E) is or is likely to be of significant national consequence [strikethrough added];
(F) is identified by covered entities but affects, or has the potential to affect,
agency systems [strikethrough added]; or
(G) involves ransomware.
• The Chamber believes that covered entities would have substantial uncertainty about
the definitions tied to determining a cyber intrusion. One association noted, “In most
cases, an entity observing or encountering activity that indicates a cyber threat,
incident, or significant security concern would not have any insight on the required
definitional elements for reporting set out in this section.”
• The terms in subsection (d)(2) should be defined within the legislation and not left to
the rulemaking process. This way key cybersecurity wording can be crafted in the bill
by public and private stakeholders and further refined in a proposed rulemaking.
(3) Required information for cybersecurity threat information. For purposes of the rules
required to be promulgated under paragraph (1)(B), the cybersecurity threat information required
to be included in a cybersecurity notification shall include at a minimum—
(A) a description of the cybersecurity intrusion, including identification of the
affected systems and networks that were, or are reasonably believed to have been,
accessed by a cyber actor, and the estimated dates of when such an intrusion is believed
to have occurred;
(B) a description of the vulnerabilities leveraged, and tactics, techniques, and
procedures used by the cyber actors to conduct the intrusion;
• A company wrote to the Chamber that “this legislative language may insinuate
violating coordinated vulnerability disclosure (CVD) guidelines. The aim of CVD is to
improve the security of systems by sharing knowledge of vulnerabilities in a timely
and confidential manner to the owner/vendor of the system and mitigate further active
abuse by third parties.”22
(C) any information that could reasonably help identify the cyber actor, such as
internet protocol addresses, domain name service information, or samples of malicious
software.
(D) contact information, such as a telephone number or electronic mail address,
that a federal agency may use to contact the covered entity, either directly or through an
authorized agent of the covered entity; and
(E) actions taken to mitigate the intrusion.
(e) Required coordination with sector risk management agencies. DHS/CISA, in coordination
with the head of each sector risk management agency (SRMA) and other federal agencies, as
determined by CISA, shall—
(1) establish a set of reporting criteria for SRMAs and other federal agencies as identified
by CISA to submit cybersecurity notifications regarding cybersecurity incidents affecting
covered entities in their respective sectors or covered entities regulated by such federal agencies
to CISA through CIRCs.
(2) take steps to harmonize the criteria described in paragraph (1) with the regulatory
reporting requirements in effect on the date of enactment of this subtitle [italics added].
• The draft would require SRMAs to submit cybersecurity notifications to CISA.
However, a business group told the Chamber that “CISA is not required to provide
covered entities’ cyber incident reporting notifications to their corresponding SRMAs.
Otherwise, an owner/operator would need to notify CISA and several agencies about a
single cybersecurity incident.”
• The business group urged that “CISA be required to share [anonymized] intrusion
reports, in a timely manner, with relevant SRMAs and FEMA ESF-14 [Emergency
Support Function #14, Cross-Sector Business and Infrastructure] sector-specific
agencies. As appropriate, and in consultation with the operator, CISA should also be
required to share such reports with appropriate law enforcement agencies, including
FBI. Such communication would build upon the existing PPD 41 [Presidential Policy
Directive 41] framework.”
• The “take steps to harmonize …” language in subsection (e)(2) is positive but does not
sufficiently address the expected conflicts with existing federal data protection, data
security, and cybersecurity reporting rules. The bill should explicitly preempt other
agencies’ data protection, data security, and cybersecurity reporting requirements.
• A business organization said to the Chamber, “One report to one government
component should suffice to meet either agreed security actions or legislative or
regulatory mandates. The reporting should be made either to CISA or the appropriate
[SRMA(s)]. This federal government component should then be charged with ensuring
further dissemination to other interested agencies.”
• The legislation should be amended to require CISA and SRMAs to write and publicize
procedures for stakeholders to submit requests for information/assistance and proposals
to enhance cybersecurity. CISA and SRMAs should also be required to report to
Congress annually on requests and proposals that they receive from stakeholders and
the actions taken on them.
(f) Protection from liability. No cause of action shall lie or be maintained in any court by any
person or entity, other than the federal government pursuant to subsection (g) or any applicable
law, against any covered entity due to the submission of a cybersecurity notification to CISA
through the Cyber Intrusion Reporting System, in conformance with this subtitle and the rules
promulgated under subsection (d), and any such action shall be promptly dismissed.
• The liability protection in the bill is constructive but should be strengthened. As
drafted, it covers only the “submission” of a notification; it should also cover the
information contained in the notification, so that both the act of notifying the
government and the data in a notification are protected.
• The term Cyber Intrusion Reporting System appears for the first time on page 14 of the
bill and should be clarified in relation to the term Cyber Intrusion Reporting
Capabilities.
(g) Enforcement.
(1) Covered entities with federal government contracts. If a covered entity violates the
requirements of this subtitle, including the rules promulgated under this subtitle, the covered
entity shall be subject to penalties determined by the General Services Administration (GSA),
which may include removal from the federal contracting schedules.
• According to the bill, covered entities (e.g., defense industrial base firms) “shall be
subject” to penalties determined by the GSA—including the potential removal from
federal contracting schedules, which is an extreme step. GSA could take punitive steps
against a covered entity/federal contractor without an understandable framework for
such decision making.
(2) Covered entities without federal government contracts. If a covered entity violates the
requirements of this subtitle, including the rules promulgated under this subtitle, the covered
entity shall be subject to financial penalties equal to 0.5% per day of the entity’s gross revenue
from the prior year [italics added].
• The bill would impose financial penalties equal to 0.5% per day of a covered entity’s
gross revenue from the prior year for a violation of any of its provisions. The financial
penalties provision should be struck from the bill. Such penalties, which one business
described as “draconian … compared with how our adversaries are punished—or,
rather, not punished,” are unnecessary and unjust and would exacerbate overreporting.
• A common perspective the Chamber hears from industry is that the “enforcement
mechanism is flawed. It would not produce quality reporting, but excessive fines, along
with contentious disputes over the date on which a covered ‘cyber intrusion’ should
have been detected and became reportable. The enforcement provision would compel
covered organizations to report reams of insignificant cyber activity—as the most
effective means of avoiding the prospect of fines—when quality reports on significant
cyber threats, incidents, and security concerns are needed most.”
• Tentative perspective: Financial sanctions should only be applied in an instance where
a covered entity deliberately violates the notification requirements of the bill. As
currently drafted, the bill would provide CISA with no discretion to enforce lower or
nonfinancial penalties. It includes no mechanism for redress of a fine. Rather than say
“equal to 0.5% per day” of the entity’s gross revenue, the language should be modified
to say “up to 0.5% per day” of the entity’s gross revenue or a lesser threshold to
provide CISA with greater discretion. Additionally, CISA should be required to
establish a redress process outside of the judicial system for private entities to contest
or reduce financial sanctions.
(3) Federal agencies. If a federal agency violates the requirements of this subtitle, the
violation shall be referred to the inspector general for the agency and shall be treated as a matter
of urgent concern.
(h) Exemption. All information collection activities under sections 2232 and 2233 of this subtitle
shall be exempt from the requirements of sections 3506(c), 3507, 3508, and 3509 of title 44, U.S.
Code (commonly known as the Paperwork Reduction Act).
(i) Rule of construction. Nothing in this subtitle shall be construed to supersede any reporting
requirements under subchapter I of chapter 35 of title 44, U.S. Code.
Sec. 2234 Preservation of Information (Page 15)
(a) In general. Not later than 60 days after the date of enactment of this subtitle, DHS/CISA, in
coordination with the OMB, shall promulgate rules for data preservation standards and
requirements for federal agencies and covered entities to assist with cybersecurity intrusion
response and associated investigatory activities.
(b) Minimum requirements. The rules for data preservation promulgated under subsection (a)
shall require, at a minimum, that a federal agency or covered entity that submits a cybersecurity
notification under this subtitle shall preserve all of the data designated for preservation under
such rules [italics added].
• The bill would defer the data preservation requirements to one or more rulemakings.
The requirements could be quite onerous unless the legislation itself establishes
reasonable parameters for data retention by industry. Additional topics, such as whether
the government must maintain sensitive cybersecurity data in an encrypted format, need
more discussion.
• An industry organization remarked to the Chamber, “There are significant information
capture issues existing in older technology and large expenses of adding longer-term
logging/storage capacity. Further, operators must comply with data preservation
requirements mandated by existing cybersecurity authorities (e.g., NERC [the North
American Electric Reliability Corporation] and NRC [the Nuclear Regulatory
Commission]), creating potentially duplicative requirements and introducing new
risks.”
• The preservation rulemaking(s) called for under subsection (b) should address
reasonable exceptions and limitations concerning data volume, retention and deletion
periods, forms (e.g., email), and so forth.
Sec. 2235. Analysis of Cybersecurity Notifications (Page 16)
(a) Analysis.
(1) In general. DHS/CISA, the Attorney General (AG), and the ODNI, shall jointly
develop procedures for ensuring any cybersecurity notification submitted to the System is
promptly and appropriately analyzed to—
(A) determine the impact of the breach or intrusion on the national economy and
national security.
(B) identify the potential source or sources of the breach or intrusion.
(C) recommend actions to mitigate the impact of the breach or intrusion.
• Subsection (a)(1)(C) suggests that CISA would be principally responsible for providing
mitigations but does not require it to act expeditiously. The bill should clarify that a
covered entity would have the flexibility to use a third party for mitigations. Still,
CISA needs to share actionable mitigations with a covered entity as soon as possible.
(D) provide information on methods of securing the system or systems against
future breaches or intrusions.
(2) Requirement. The procedures required to be developed under paragraph (1) shall
include criteria for when rapid analysis, notification, or public dissemination is required.
(3) Authority. DHS/CISA, the AG, and the ODNI may each designate employees within
each respective agency who may search intelligence and law enforcement information for cyber
threat intelligence information with a national security or public safety purpose, based on
cybersecurity notifications received by the agency through the Cyber Intrusion Reporting
Capabilities, and consistent with the procedures developed under paragraph (1).
(b) Analytic production.
(1) In general. Not less frequently than once every 30 days, DHS/CISA, the AG, and the
ODNI shall produce a joint cyber threat intelligence report that characterizes the current cyber
threat picture facing federal agencies and covered entities [italics added].
(2) Requirements. Each report required to be produced under paragraph (1)—
(A) shall be in a form that may be made publicly available.
(B) may include a classified annex as necessary.
(C) shall, to the maximum extent practical, anonymize attribution information
from cybersecurity notifications received through the Cyber Intrusion Reporting
Capabilities [italics added].
(3) Authority to declassify. The ODNI may declassify any analytic products, or portions
thereof, produced under this section if such declassification is required to mitigate cyber threats
facing the U.S.
• The bill’s call for a joint cyber threat intelligence report supporting the critical
infrastructure community to help prevent, detect, and mitigate malicious cyber activity
is constructive. Yet it should be issued not less frequently than once per week to have
the desired utility that bill writers seek. “A month is a year in cybersecurity,” a
company told the Chamber. Indeed, the fact that the report is called for every 30 days
under the legislation should give bill writers pause about compelling covered entities to
report cyber intrusions within 24 to 72 hours. What’s more, in developing reports most
businesses couldn’t match the kinds of resources that national security agencies would
draw upon.
• One of the significant and ongoing challenges faced by private entities is the inability
to access actionable cybersecurity threat information, whether classified or
unclassified. The bill needs to be revised to include targeted improvements if the
incident reporting regime is to lead to tangible increases in business and government
cybersecurity.
o The legislation should oblige deeper intelligence community (IC) engagement with
covered entities. A business principal told the Chamber, “The bill’s underlying
premise is that companies need to be forced to share cyber information with the
government when, in fact, the opposite is true. Agencies are keeping industry at an
arm’s length, and yet they [government officials] call for forced data sharing.
That’s not most people’s definition of partnership.”
o Bill writers should incorporate sections 605 and 606 of H.R. 7856, the Intelligence
Authorization Act for Fiscal Year 2021, into this legislation.23 These sections, which
have not passed Congress, correspond closely with proposals put forward by the
Cyberspace Solarium Commission (i.e., recommendations 5.1.1 and 5.1.2) in 2020
and the Chamber in 2019 to deepen operational collaboration among key private
sector and government organizations. What’s confusing to the Chamber is that
Congress has not passed these relatively straightforward proposals to drive better
cybersecurity information sharing and analysis, and yet there’s a push for forced
reporting by businesses and agencies.
o The bill should expressly call for substantive sharing of classified information with
cleared industry personnel. The bill should “compel the IC to be partners with
covered entities,” a business organization said to the Chamber. “CISA should be
required to provide a secure, secret-level or higher internet connection to the ISACs
[information sharing and analysis centers] for the exchange of classified
information. Such a network currently exists outside of government.”
o The legislation should direct CISA and SRMAs to work with their respective sector
stakeholders to create objective, measurable, and observable indications and
warnings about adversary cyberattacks, campaigns, and so forth.
o The bill should expand CISA’s funding and capabilities. The agency would need to
meet a surge in demands from the public and private sectors due to its expanded
role regarding coordinated action, common situational awareness, and joint
analysis.
• Industry groups tell the Chamber that they want more clarity on business
anonymization related to analytic products or reports that would be developed by DHS,
the ODNI, and other agencies under this legislation. Put simply, products need to
ensure the anonymity of covered entities.
Notes
1 See the U.S. Chamber of Commerce’s Seven P’s Cybersecurity Policy Principles. The paper’s topics are summed
up in 7 words—potential, program, protection, preemption, partnership, price, and promotion—and cover how the
Chamber will assess legislation, advocate for balancing federal regulation with industry protection, consider the
costs of cybersecurity, seek mutually beneficial agreements with policymakers, and promote U.S. policies at home
and internationally.
https://www.uschamber.com/sites/default/files/uscc_7_ps_cyber_policy_cheat_sheet_final_v1.0.pdf
2 See David Turetsky et al., “Cybersecurity Information Sharing Success Stories,” Lawfare, July 15, 2020.
https://www.lawfareblog.com/cybersecurity-information-sharing-success-stories
3 Researchers who have studied cybersecurity information sharing caution policymakers against making it
mandatory. People’s behaviors related to information sharing, which probably comes as no surprise to many
practitioners and policymakers, are rooted in expectations about fairness, trust, and reciprocity.
[The authors] provide some first empirical evidence on the association of particular human behaviors with
SIS [security information sharing] among individuals in a private ISAC [information sharing and analysis
center] setting. The study also contributes to understanding the theoretical prediction that actual SIS may not
reach its societally optimal level by suggesting that human behavior may be at the core of this problem. At
the same time, we would caution regulators and researchers to infer that SIS should be mandated (i.e., that
individuals should be forced to share) as a consequence of this problem. Adjusting sanction levels for failure
to comply with mandatory SIS could be difficult, if not impossible. Moreover, regulation that attempts to
solve the “sharing dilemma” in SIS should try to fix causes, not symptoms.
Alain Mermoud et al., “To Share or Not to Share: A Behavioral Perspective on Human Participation In Security
Information Sharing,” Journal of Cybersecurity, Vol. 5, Issue 1, 2019, pages 2 and 9.
https://doi.org/10.1093/cybsec/tyz006
4 Some 25 Cyberspace Solarium Commission (CSC) recommendations were included in the FY 2021 National
Defense Authorization Act (NDAA). One provision that is worth flagging is section 1715 of the law, which calls for
a Joint Cyber Planning Office (JCPO) to be established at the Cybersecurity and Infrastructure Security Agency
(CISA). In keeping with the agency’s role as a governmental hub for cybersecurity planning and information
sharing, the JCPO is expected to develop public-private plans for cyber defense operations, including taking
coordinated actions to “protect, detect, respond to, and recover from cybersecurity risks or … defend against
coordinated, malicious cyber operations that pose a potential risk to critical infrastructure or national interests.”
In addition to CISA personnel, the JCPO will include representatives from the Department of Defense,
Cyber Command, the National Security Agency, the FBI, and the Department of Justice. Charged with promoting
greater cooperation and unity of effort within the federal agencies, the JCPO is called on to fashion plans for
defensive cyber operations in collaboration with the private sector. Business partnerships with CISA and Cyber
Command should be discretionary (i.e., companies decide whether it makes sense to work with the government),
but the Chamber wants to empower private entities to willingly partner with these agencies and others such as the
FBI to strengthen collective defense and stay a step ahead of foreign adversaries while remaining faithful to U.S.
and international law.
CSC, “NDAA Enacts 25 Recommendations from the Bipartisan Cyberspace Solarium Commission,”
January 2, 2021.
https://www.solarium.gov/press-and-news/ndaa-override-press-release
Section 1715, “Establishment in Department of Homeland Security of joint cyber planning office.” FY 2021 NDAA
(P.L. 116-283). See conference report to H.R. 6395, pp. 712–715.
https://www.congress.gov/bill/116th-congress/house-bill/6395
For more on the U.S. defend forward strategy, see the following items:
Testimony of Gen. Paul Nakasone, Senate Armed Services Committee hearing, “U.S. Special Operations Command
and U.S. Cyber Command,” March 25, 2021.
https://www.armed-services.senate.gov/hearings/21-03-25-united-states-special-operations-command-and-united-
states-cyber-command
Yale Cyber Leadership Forum, “Defending Forward? Implications for Safety, Security, and Sovereignty in
Cyberspace,” March 4, 2021.
https://cyber.forum.yale.edu/agenda
Erica D. Borghard and Shawn W. Lonergan, “Public-Private Partnership in Cyberspace in an Era of Great-Power
Competition,” chapter 7, in Jacquelyn G. Schneider et al. Ten Years In: Implementing Strategic Approaches to
Cyberspace, 2020. Newport Papers, 45.
https://digital-commons.usnwc.edu/usnwc-newport-papers/45
Paul M. Nakasone and Michael Sulmeyer, “How to Compete in Cyberspace: U.S. Cyber Command’s New
Approach,” Foreign Affairs, August 25, 2020.
https://www.foreignaffairs.com/articles/united-states/2020-08-25/cybersecurity
5 42 U.S. Code § 5195c, Critical Infrastructures Protection. “[T]he term ‘critical infrastructure’ means systems and
assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets
would have a debilitating impact on security, national economic security, national public health or safety, or any
combination of those matters.”
https://www.law.cornell.edu/uscode/text/42/5195c
6 P.L. 107-56, § 1016(e), 115 STAT. 401.
https://www.govinfo.gov/content/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf
7 https://www.cisa.gov/critical-infrastructure-sectors
8 Presidential Policy Directive 41, U.S. Cyber Incident Coordination, July 2016.
https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-
incident
9 https://www.cisa.gov/ais
https://www.cisa.gov/sites/default/files/publications/AIS%20Fact%20Sheet_2.pdf (fact sheet)
10 6 U.S. Code § 1505, Protection From Liability.
https://www.law.cornell.edu/uscode/text/6/1505
Also see pages 16–18 of Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive
Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (Non-Federal Entity
Guidance), last revised October 2020.
11 49 CFR part 1520, Protection of Sensitive Security Information.
https://www.law.cornell.edu/cfr/text/49/part-1520
12 The Consolidated Appropriations Act, 2016 (P.L. 114-113) included the Cybersecurity Information Sharing Act
of 2015 (CISA 2015).
https://www.congress.gov/114/plaws/publ113/PLAW-114publ113.pdf
https://www.federalregister.gov/documents/2016/06/15/2016-13742/cybersecurity-information-sharing-act-of-2015-
final-guidance-documents-notice-of-availability
https://www.cisa.gov/publication/cybersecurity-information-sharing-act-2015-procedures-and-guidance
13 Non-Federal Entity Guidance, “Removal of Personal Information not Directly Related to a Cybersecurity Threat,”
pages 7–9.
https://www.cisa.gov/sites/default/files/publications/Non-
Federal%20Entity%20Sharing%20Guidance%20under%20the%20Cybersecurity%20Information%20Sharing%20A
ct%20of%202015_1.pdf
14 The sector organization added, “The first proposal was made as an after-action priority defined by the SCC [sector
coordinating council] members for the first cross-modal cybersecurity exercise held by TSA in August 2015. When
no action was taken on implementation, the SCC renewed this proposal as an after-action priority following the
second cross-modal cybersecurity exercise held by TSA in November 2017. Officials with CISA participated in both
exercises and were aware of the proposed after-action priorities.
“A few years ago, members of the TSA-appointed Surface Transportation Security Advisory Committee (STSAC)
prioritized creating an early notification network for cyber threats, incidents, and security concerns in the
transportation sector. In February 2021, the STSAC unanimously approved recommendations to the TSA
administrator on enhancing surface transportation security and emergency preparedness, including an early
notification network for cybersecurity.”
15 Mayer Brown, “Critical Pipeline Cybersecurity Directive Released,” June 2, 2021.
https://www.mayerbrown.com/en/perspectives-events/publications/2021/06/critical-pipeline-cybersecurity-directive-
released
16 Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, defines “rapidly report” to mean “within 72 hours of discovery of any
cyber incident.”
https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
17 The company added, “We mainly have non-U.S. laws in mind. That is, other countries may understandably have
national security and/or export control law and policy reasons not to allow their defense industrial base companies to
report details of incidents involving their systems to the U.S. government, yet there are many non-U.S. companies in
the DoD supply chain.
“Here’s a case in point: The UK MOD [Ministry of Defence] basically told its contractors that it has ‘sovereignty
concerns’ with DFARS 252.204-7012 and CMMC [Cybersecurity Maturity Model Certification framework]
requirements. Among other guidance, the UK MOD’s guidance [Compliance with Cyber Security Requirements
from Other Nations, June 2021] says that when faced with flow down of these clauses, these UK contractors should
push for the removal of operative clauses or the insertion of narratives that such language is not applicable. If one of
our closest allies has this guidance, imagine the pushback that other countries’ defense ministries would have.”
https://www.gov.uk/government/publications/industry-security-notices-isns/compliance-with-cyber-security-
requirements-from-other-nations
18 White House, Executive Order 14028, Improving the Nation’s Cybersecurity, May 12, 2021.
https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-
nations-cybersecurity
https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity
19 Hunton Andrews Kurth and the Chamber, Seeking Solutions: Aligning Data Breach Notification Rules Across
Borders, April 2019.
https://www.huntonprivacyblog.com/2019/04/04/hunton-partners-with-the-u-s-chamber-of-commerce-on-seeking-
solutions-aligning-data-breach-notification-rules-across-borders
20 “From our [company’s] perspective, section 2233(d)(1)(E) is very concerning and must be considered in relation
to the definition of covered entities. The definition of covered entities includes incident response [IR] providers. It’s
not unreasonable for the bill writers to want to include IR providers, particularly given SolarWinds. IR companies
are of much value to U.S. adversaries and criminals. IR providers aren’t assumed to report intrusions on their own
networks. The problem is that the addition of subparagraph (E) makes clear that bill writers don’t just want IR
providers to report on intrusions on their own networks, they want reporting to include anything they are ‘aware’
of—whether or not it affects only their networks—which would by definition include their clients’ networks or
information systems.
“This provision reflects the bill’s authors telling DHS explicitly that they want this reporting considered. [Our
company] understands why the sponsors would want this information, but it would come at great cost. In addition to
being duplicative and a waste of time and resources for the IR company, reporting would be mandated at a moment
where time is of the essence. Ultimately, companies would think twice before hiring an IR company or bringing in
CISA to help. This outcome would make the U.S. less secure. Also, firms would know that the IR provider has this
legal obligation because the IR provider would have to start writing it into its contracts to override
privacy/confidentiality provisions.”
21 State Department Basic Authorities Act of 1956 (P.L. 84–885), amended. The term “transnational organized crime
group” means a group of persons that includes one or more citizens of a foreign country, exists for a period of time,
and acts in concert with the aim of engaging in transnational organized crime (page 32).
https://www.govinfo.gov/content/pkg/COMPS-1088/pdf/COMPS-1088.pdf
22 The company continued, “A recent use case to consider is the Kaseya VSA exploit, which occurred on July 2, 2021.
The Dutch Security Hotline notified Kaseya VSA of vulnerabilities it found via CVD guidelines on April 6, 2021.
Kaseya VSA began issuing patches right away on April 10. Unfortunately, a breach did occur on July 2, but the
opportunity was given to Kaseya VSA to release a patch for its users and resolve the vulnerabilities prior to the
larger ecosystem learning about it. Kaseya VSA also had mitigated most of the vulnerabilities identified after it was
notified, just not all of them. CVD guidelines and timing of disclosure sharing are critical in such instances when
wanting to remedy any vulnerabilities or protect systems to limit or prevent loss or damage as much as possible.”
23 https://www.congress.gov/bill/116th-congress/house-bill/7856
https://www.solarium.gov/report