The House Homeland Security Committee is about to start a hearing with industry representatives testifying about its draft cyber incident reporting bill.

homeland.house.gov/activities/hea…
As I've noted, the latest draft of the House bill pares back some of the language to accommodate industry concerns. For example, it now says CISA can't require reporting any sooner than 72 hours after an incident.
Industry witnesses will implicitly criticize the Senate bill.

BPI: 24-hr reporting deadline "would distract from critical work" & lead to "premature and likely erroneous" reports homeland.house.gov/imo/media/doc/…

ITI: Limit requirement to "verified" breaches homeland.house.gov/imo/media/doc/…
House Homeland cyber subcmte chair Yvette Clarke, opening the hearing, says she's heard concerns about compliance challenges for small CI firms.

"We do not expect all [CI companies] to be subject to this reporting requirement. Rather, we expect it to apply only to a subset."
But Clarke adds, "I would certainly be happy to explore whether we need to add language directing CISA to provide additional compliance assistance to small businesses that are determined to be covered entities."
Subcommittee RM Andrew Garbarino: “I've been pleased to see our majority counterparts engage our members in productive conversations on this topic, and I hope we can continue the constructive dialogue here today.”
Since I rather abruptly mentioned the Senate bill in this tweet, here's the announcement of that bill for those who aren't familiar with it: warner.senate.gov/public/index.c…

It's stacked with powerful sponsors, but what we're seeing today is that industry prefers the House bill.
FireEye's Ron Bushar says any reporting requirement should allow for agility and adjustment, given how quickly the cyber threat landscape can change.

Companies should have a "reasonable" amount of time to assess an attack before having to report it, he says.
Bushar also warns against punitive provisions of incident reporting bills, such as subpoena authority when companies don't report hacks.

Subpoenas and other compulsory measures, he says, don't make sense when dealing with what are essentially crime victims.
Heather Hogsett from BPI praises the bill for its scope, its 72-hour minimum for a reporting deadline, its incorporation of privacy protections for shared information, the req to harmonize rules with existing regulations, and the req for govt to share more data w/ industry.
ITI's John Miller recommends: "feasible" timelines (≥72 hrs), confidentiality protections (says may need to update 2015 CISA law), harmonize w/ existing regs, "appropriate" reporting thresholds (limit to verified incidents), and limit reporting to impacted entities, not vendors.
On harmonization with existing regulations, Miller recommends encouraging CISA to collect incident information through existing channels and partnerships (e.g. FBI, SEC) whenever possible, rather than creating new reporting channels and processes.
USTelecom's Robert Mayer encourages the committee to let federal and industry experts collaborate on reporting thresholds rather than setting them in legislation, since it's "a highly technical exercise."

He also recommends provisions to prevent shared information from leaking.
AGA's Kimberly Denbow recommends the bill require outreach to sector coordinating councils in developing regulations; ensure regular review of list of covered companies; ensure CISA has enough expert personnel to work w/ industry; and narrow exceptions to ban on info disclosure.
Clarke asks Bushar what info CISA needs from industry.

He cites examples such as IOCs, malware samples, info on targeted users and systems, and info on stolen data.
Clarke asks Bushar what info industry needs from CISA.

It's much the same as what CISA needs from industry, he says. Industry can combine CISA's insights with its own to better understand adversary behavior.
Garbarino asks what should be defined in legislation vs. rulemaking.

Denbow and Mayer say that most details should be left to CISA/industry consultations during the rulemaking process.
Witnesses are emphasizing the need for narrow rules about what info to share.

Hogsett says can't deluge CISA w/ info that it can't process.

Mayer says need to avoid “fog of more,” where short deadline prompts companies to quickly share too much info that makes analysis hard.
Jim Langevin: If companies only have to report confirmed breaches, how will we be better positioned to mitigate something like SolarWinds?

Mayer: If you have something on the scale of SW, “you’re going to know it when you see it.” And USG will likely already be aware of it.
Bushar says companies won’t wait until they have a complete picture of an attack, but they do need time to confirm that a breach has happened.
Langevin says "a bit concerned about the gap I see" b/w how much CISA needs and how much it would get if companies only had to report confirmed breaches.

He says companies might not report staging activity that precedes a ransomware campaign, hampering CISA's response.
Sheila Jackson Lee: How important is it to have bidirectional information sharing?

Bushar: "Critical."

Denbow: "We feel like when we share with the government, it becomes a landfill of information, with nothing valuable coming back out to us in a timely fashion."
It seems like most of the subcommittee isn't attending this hearing. We appear to have just finished the first round of questioning, and the only people who spoke were the subcommittee leaders, full committee chair Bennie Thompson, and three members.
Bushar tells Clarke that security firms like FireEye shouldn't be required to report incidents that they discover on their customers' networks.

He says it would betray the customer's trust and discourage companies from seeking security services.

Senate bill requires this.
The hearing has adjourned.

The industry testimony on the House bill showed that there will be plenty of resistance to the Senate bill if it moves forward. The question now is, will the Senate bill's sponsors accommodate industry concerns or double down on their approach?
My story on today's House hearing:

"Industry support for House cyber incident reporting bill suggests trouble ahead for Senate version" subscriber.politicopro.com/article/2021/0…

Thread by Eric Geller (@ericgeller)