Industry lobbies Congress to extend notification timeline after cybersecurity incidents

Key industry groups on Wednesday pushed to give organizations at least three days to report cybersecurity incidents to the federal government, effectively opposing Senate legislation that would give them 24 hours to report breaches. 

The industry concerns come amid bipartisan efforts in both the House and Senate to put forward legislation attempting to stem the tide of major cybersecurity incidents, such as the SolarWinds hack discovered in December. 

The breach of SolarWinds, carried out by Russian government-linked hackers, led to the compromise of nine federal agencies and 100 private sector groups, including cybersecurity group FireEye. The company’s decision to come forward and publicize the incident was not required by law but cited by many officials as a key reason the larger espionage effort was uncovered. 

“Cyberattacks are often complex and require sophisticated analysis to fully understand the full scope of compromise,” Ron Bushar, vice president and global government chief technology officer at FireEye Mandiant, testified as part of prepared remarks to the House Homeland Security cybersecurity subcommittee Wednesday. 

“Allowing for a reasonable amount of time to properly assess the situation before requiring reporting will limit false positives and redundant or contradictory information and prevent unnecessary data collection,” Bushar noted. 

The concerns were raised during a hearing on a new draft bill put forward by Rep. Yvette Clarke (D-N.Y.), chairwoman of the House Homeland Security cybersecurity subcommittee, and Rep. John Katko (R-N.Y.), ranking member of the full committee. 

Among many provisions, the draft bill would ban the Cybersecurity and Infrastructure Security Agency (CISA) from requiring that critical organizations report cybersecurity breaches earlier than 72 hours after such incidents occur.

In contrast, bipartisan legislation introduced in the Senate in July by almost all members of the Senate Intelligence Committee would give certain critical groups 24 hours to report a cybersecurity incident to CISA. 

“We recommend that any legislation allow for reasonable reporting timelines commensurate with incident severity levels, but of no less than 72 hours,” John Miller, senior vice president of Policy and General Counsel at the Information Technology Industry Council, testified Wednesday as part of prepared remarks during the hearing. 

“Requiring an entity to report an incident on a shorter timeline may be insufficient for companies to determine the nature of the issue – is it a cyberattack or is it merely a network outage,” Miller testified. “In the early hours following the discovery that something anomalous has occurred, our companies are focused on figuring out what has happened and developing a response plan.”

Other witnesses at the hearing also pushed for at least a 72-hour gap between the incident and any report being submitted. 

Heather Hogsett, the senior vice president of technology and risk strategy at the Bank Policy Institute’s Technology Policy Division, testified that this timeline “strikes the right balance to allow a firm sufficient time for investigation and implementation of response measures.”

“The initial stages of an incident response require all hands on deck, and front-line cyber defenders should be focused on investigation, response and remediation rather than completing compliance paperwork,” Hogsett said. 

Kimberly Denbow, managing director of security and operation at the American Gas Association, testified that the 72-hour timeline “minimizes the reporting of non-credible incidents, which can be excessive and resource-intensive with negligible value-add.”

The effort to push for a longer timeline comes weeks after the Senate bill was introduced with wide bipartisan support and following months of pressure from both intelligence agencies and industry to take action to help prevent further major cyber incidents, including through creating mandatory breach reporting. 

A spokesperson for Senate Intelligence Committee Chairman Mark Warner (D-Va.), one of the lead sponsors of the Senate bill, told The Hill on Wednesday that “we’ve had many productive meetings with stakeholders about the bill and continue to work through their feedback.”

“Senator Warner continues to believe that we need mandatory reporting and some incentives to ensure that everyone is sharing the information we all need to stop these cyberattacks and improve security for everyone,” the spokesperson said in a statement. 

A Senate aide described the House draft bill’s language on a reporting timeline as “ridiculous,” stressing that “if you wait 72 hours or longer, the incident could have already spread and done massive damage.”

Clarke on Wednesday noted that the bill was still open to changes. 

“I am pleased with the progress we’ve made on this legislation but want to be clear that our work is ongoing,” Clarke testified. “We remain open to additional questions and feedback because it is important to get this right.”