During Tuesday’s House Homeland Security Committee hearing, Rep. Yvette Clarke (D-NY) questioned experts about cyber security breach incidents and how to improve U.S. cyber security strength.

Transcript
00:00 Thank you. I yield. Thank you to our chairman. Now I recognize the gentlewoman from New York, the former chair, Ms. Clarke.

00:08 Thank you very much, Mr. Chairman, and I thank Ranking Member Swalwell for letting me waive on to today's subcommittee hearing, and thank you to our panelists of witnesses for joining us today. Before I begin my formal comments, I'd like to associate myself with the sentiments of Ranking Member Swalwell regarding Congressman Sylvester Turner. We are grateful for his service to the people of Houston, Texas, and to his family and loved ones, we extend our deepest condolences. May he rest in peace.

00:46 When I introduced CIRCIA back in 2021 with Ranking Member Thompson and Chairman Garbarino, I did so because I recognized the important need for increased visibility into the cyber incidents affecting critical infrastructure and the importance of a central hub for cyber incident reporting in the federal enterprise. I worked with many of the witnesses here today to get CIRCIA across the finish line, and I appreciate their ongoing efforts to make sure that we get the final rule right. I also appreciate Mr. Swalwell's work encouraging CISA to effectively engage with the private sector on the rule. I agree with my colleagues and the witnesses before us that there are necessary improvements to the proposed rule, but the urgency of implementing CIRCIA remains, and I hope the new administration will work quickly to modify the proposed rule and publish a final one without undue delay.

01:41 I have two questions for our witnesses. First of all, to all of our witnesses, without a well-defined cyber incident reporting rule and harmonization process for CISA, we run the risk of agencies across government issuing a hodgepodge of duplicative cyber incident reporting requirements. How will scrambling to comply with multiple incident reporting requirements affect security? And then secondly, many stakeholders have weighed in that the proposed CIRCIA rule defined covered entities and covered incidents too broadly, unnecessarily increasing the burden on the private sector and potentially overwhelming CISA with too many reports to analyze. Indeed, CIRCIA instructed CISA to identify subsets of entities and incidents subject to reporting requirements to avoid that outcome. Give me your thoughts on that. We'll start with Mr. Aronson and then work our way across.

02:52 So on the first question, I would just echo some of the things that Ms. Hoxhat said about the time that information security teams are spending on compliance. It's somewhere between 30 and 50 percent, and as you expand the hodgepodge, to use your word, of reporting requirements, it only gets more complicated. To your point about the broadness of CIRCIA as it currently exists and the uncertainty that surrounds it, taken at its most sort of broad interpretation of what is a covered entity and what is a covered incident, we had one of our companies report that they thought they would have as many as 65,000 reports between 2022 and 2033. I think the number that CISA had said would be somewhere in the 200 to 220,000 total in that time frame. So it seems to be off by, if that's just one company taking a really broad interpretation, seems to be off by an order of magnitude. This goes to the importance of getting the definitions and the details right so that we can get some signal from the noise and so that CISA can ingest the information in a meaningful way.

03:59 Very well, Ms. Hoxhat.

03:59 Sure, just to add to that, and thank you for the question. The challenge of responding to multiple requirements does have a direct impact on security because it is diverting the time and attention away from what we all want the cyber professionals to be doing, which is defending their networks, kicking out bad actors when there is an incident, and focusing on that. Instead, they have to divert time away to basically make sure they're complying with different legal obligations. With respect to the definitions and covered entities within CIRCIA and the proposed rule, this committee was very thoughtful, and Scott just alluded to it, to make sure that the law would be crafted in a way that we get signal from the noise. You wanted the incidents that were going to be most impactful so that CISA could very quickly have the capability to take that information and turn it back around to share with other entities that could also be at risk. The very broad scope with which the proposed rule was put together would put a lot of noise out there and make that all the more challenging. For instance, the definition would potentially capture operational outages that have nothing to do with a cyber incident, and I don't think that that was really what you and the committee had intended in crafting that law.

05:12 Very well, Mr. Meyer, my time's up.

05:12 Yes, thank you, Congresswoman Clarke. I think that we have to deal with the fact that the reporting requirements right now are extraordinarily fragmented, and the CIRC itself, the Cyber Incident Reporting Council, at the time in September '23, identified 45 different reporting regimes, 22 agencies, I believe. I can only imagine that number has increased since then. CISA has indicated that they expect 300,000 entities to be responding to these kind of requests. I can only imagine, within the absence of clear definitions around the terms that you folks identified and staying close to the intent, in the absence of revising that and refining that and making it operationally practical for companies to respond, the system will get overwhelmed. The system in government will get overwhelmed, and the system in the operating environment will also get overwhelmed. The critical point here is that during a major cyber incident, when we are essentially in a triage mode, we can't take people and divert them from their frontline responsibilities to detect the problem, remediate it, and respond and recover. So we believe that this particular rule needs to be reconstructed to align with your intentions. And if it doesn't, we're going to be doing more, as I indicated, it'll create more harm than good.

06:41 I agree with everyone on the panel, as I said, on the answer to the first question. On the second question, I'll just briefly say that on the idea of the definition of covered entities, CISA decided to kind of narrow, try to narrow the scope by the size of the company, by going to the size of the companies, which I think does help in terms of removing some of the small and medium-sized businesses that we might not want to report. But it doesn't get to the risk issue, right? So you're going to have a lot of large companies, very large companies that have a lot of incidents getting, echoing what we heard from others here, that are going to be reporting a lot that is not of the same value as if we did it based on some kind of risk feature.

07:26 Very well. Thank you for your indulgence, Mr. Chairman. I yield back.
