For internal review and discussion only

Initial Analysis | U.S. Chamber of Commerce

Draft Cyber Incident Notification Act of 2021 (ALB21A18)

Sponsored by Sens. Mark Warner, Marco Rubio, and Susan Collins

July 14, 2021

Background

• The U.S. Chamber of Commerce received the draft Cyber Incident Notification Act of 2021 from congressional staff in June 2021. We applaud them and the bill’s sponsors for releasing it for public comment.[1]

• The Chamber wants to pass workable cyber incident reporting legislation that would lead to tangible improvements in U.S. cybersecurity for the business community and government. Any legislation in this area needs to meet the interests of industry organizations, which are the front lines of cyber conflict, and their agency partners.

• We have developed this initial analysis to advance discussions with Congress, agencies, and other relevant stakeholders. We urge lawmakers and staff to solicit feedback from multiple private sector parties and not rush writing the bill.

• This paper largely addresses provisions in the legislation. Nonetheless, several underlying policy themes—including notable successes in cyber threat sharing,[2] the marked shift in the Cybersecurity and Infrastructure Security Agency’s role from a risk adviser to a regulator,[3] and inducements to enhanced operational cybersecurity collaboration (e.g., defend forward)[4]—should be factored into the bill’s crafting.

Sec. 1. Short Title (Page 2)

This act may be cited as the Cyber Incident Notification Act of 2021.

Sec. 2 Cybersecurity Intrusion Reporting Capabilities (Page 2)

(a) In general, this legislation would amend title XXII of the Homeland Security Act of 2002 (6 U.S.C. 651 et seq.) by adding the following provisions to create subtitle C.

Subtitle C—Cybersecurity Intrusion Reporting Capabilities

Sec. 2231 Definitions (Page 2)

(1) Definitions from section 2201. The definitions in section 2201 would be required to apply to this subtitle, except as otherwise indicated.

• The Chamber’s feedback on the proposed definitions is provided throughout the bill.

(2) Agency. The term “agency” means the Cybersecurity and Infrastructure Security Agency (CISA).

(3) Appropriate congressional committees. In this section, the term “appropriate congressional committees” means the (A) Senate Homeland Security and Governmental Affairs Committee, (B) Senate Intelligence Committee, (C) Senate Judiciary Committee, (D) House Homeland Security Committee, (E) House Intelligence Committee, and (F) House Judiciary Committee.

(4) Covered entity. The term “covered entity” has the meaning given the term under the rules required to be promulgated under section 2233(d).

• The bill should take care not to overreach. As written, the legislation’s definition of a “covered entity” would be overly inclusive of industry parties.

• The Chamber strongly recommends a step-by-step approach to covering private organizations. The definition of covered entity should be risk based and limited to private entities that the government is both able and willing to assist (at the request of the covered entity) before, during, and/or after a significant cyber incident.

• Cyber incident reporting must not be an end in and of itself, which bill writers don’t want. The Chamber wants workable legislation that leads to industry groups telling us that they are receiving actionable information and assistance from CISA, law enforcement, and other national security agencies.

(5) Critical infrastructure. The term “critical infrastructure” has the meaning given under section 1016(e) of the Critical Infrastructure Protection Act of 2001 (42 U.S.C. 5195c(e)).[5]

• The bill would use the definition for “critical infrastructure” established in the USA PATRIOT Act (P.L. 107-56), which refers to “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[6]

• However, the scope of covered entities—presumably a subset of critical infrastructure—could still be too broad from a risk-management perspective. Thus, the definition of covered entities should not include every private entity that could fall within the 16 critical infrastructure sectors.[7]

• For the legislation to have a chance at effectiveness, lawmakers should (1) set criteria in the bill that create a narrow list of covered entities. Then the legislation should (2) instruct the Department of Homeland Security (DHS)/CISA to further trim the list of covered entities as part of a proposed rulemaking. In short, both the bill and the proposed rulemaking should emphasize a focused assemblage of covered entities.

(6) Cyber intrusion reporting capabilities. The term “Cyber Intrusion Reporting Capabilities” (CIRCs) means the cybersecurity intrusion reporting capabilities established under section 2232.

• See the Chamber’s comments on CIRCs under subsection 2232(b).

(7) Cybersecurity notification. The term “cybersecurity notification” means a notification of a cybersecurity intrusion as defined in accordance with section 2233.

• Bill writers should not authorize CISA and other specified agencies to define “cybersecurity notification” organically, which the legislation suggests. The definition of a cybersecurity notification should explicitly exclude a “potential” cybersecurity intrusion. A company told the Chamber that “reporting ‘potential’ intrusions means we would have to report every time our AV [antivirus] alerts or quarantines ‘threats.’ These events occur hundreds of times a day and would be totally useless to [the government].” The company added, “The time we spend reporting these events using the government’s templates and answering officials’ questions would take people and resources away from defending our networks.”

• To enhance the efficiency of a reporting program, a defined cybersecurity notification should be triggered only when there exists a reasonable likelihood of a significant incident or harm to U.S. economic and national security. Also, a significant cyber incident would demand unity of effort within the government and especially close coordination between the public and private sectors.[8]

• As drafted, the bill would make comparatively low-level cybersecurity intrusions a compulsory, nonstop reporting activity. One firm said to the Chamber, “We recommend dropping the language as proposed and, instead, focus on events that are ‘material’ to the covered entities. As drafted, the language would require companies to speculate whether an isolated event on their systems has broader national or international implications. This arrangement would create a level of subjectivity and result in varying levels of compliance among covered entities.”

• Any definition of a cybersecurity notification created under the bill should be as simple as possible, including allowing a business principal to make a phone call to CISA or law enforcement (e.g., the FBI).

(8) Director. The term “director” means the director of CISA.

(9) Federal agency. The term “federal agency” has the meaning given the term “agency” in section 3502 of title 44, U.S. Code.

(10) Federal contractor. The term “federal contractor” (A) means a contractor or subcontractor (at any tier) of the U.S. government and (B) does not include a contractor or subcontractor that only holds (i) service contracts to provide housekeeping or custodial services or (ii) contracts to provide products or services unrelated to information technology below the micro-purchase threshold (as defined in section 2.101 of title 48, Code of Federal Regulations).

(11) Information technology. The term “information technology” (IT) has the meaning given the term in section 11101 of title 40, U.S. Code.

(12) Ransomware. The term “ransomware” means any type of malicious software that prevents the legitimate owner or operator of an information system or network from accessing computer files, systems, or networks and demands the payment of a ransom for the return of such access.

Sec. 2232 Establishment of Cybersecurity Intrusion Reporting Capabilities (Page 5)

(a) Designation. Subsection (a) would require CISA to be the “designated agency” within the federal government to receive cybersecurity notifications from other agencies and covered entities.

• There is the prevailing view among cybersecurity stakeholders that CISA should be the main agency to receive cybersecurity notifications from covered entities. Yet we believe that businesses should be able to notify the FBI and the Secret Service and satisfy the bill’s reporting requirements. Time and time again, industry has heard government officials say, “A call to one agency is a call to all agencies. You [business] tell us on the frontend, and we [agencies] will handle things on the backend.”

• One business questioned the resources available to CISA, given the obligations it would be shouldering. “What funding is Congress advancing to ensure that CISA has the resources it needs to take on this new task? Also, such a massive incident reporting program would require significant resources to make it work well and congressional oversight of the agencies implementing it.”

(b) Establishment. Subsection (b) would require CISA to establish CIRCs within 180 days following the enactment of this legislation to facilitate the submission of timely, secure, and confidential cybersecurity notifications to CISA from agencies and covered entities.

• The bill authorizes new CIRCs that would be distinct from CISA’s Automated Indicator Sharing (AIS) program, which enables organizations to share and receive machine-readable cyber threat indicators (CTIs) and defensive measures (DMs) in real time to monitor and defend their networks against known threats.[9] The Chamber hears from many organizations that CIRCs could complement the AIS program in theory—but in practice there would be much conflict, including a battle for resources within CISA.

• A business informed the Chamber that CIRCs would massively strain CISA’s ability to absorb cybersecurity information and push actionable threat data to its partners, which many cyber practitioners characterize as less than optimal today.

• A CISA-led mandatory cyber intrusion reporting program could severely damage cooperative public-private partnerships that have taken individuals and institutions years to build and sustain. The bill, in many respects, seems indifferent to such concerns.

(c) Reevaluation of security. Subsection (c) would require CISA to reevaluate the security of CIRCs at least once every 2 years.

(d) Requirements. Subsection (d) would require the CIRCs to enable CISA to (1) accept classified submissions and notifications and (2) accept a cybersecurity notification from any entity, regardless of whether the entity is a covered entity.

(e) Limitations on the use of information. Subsection (e) states that any cybersecurity notification submitted to CISA through the CIRCs (1) shall be exempt from disclosure under section 552 of title 5 of the U.S. Code (commonly referred to as the Freedom of Information Act), in accordance with subsection (b)(3)(B) of section 552, and any state or local provision of law requiring disclosure of information or records. Also, cybersecurity notifications (2) may not be (A) admitted as evidence in any civil or criminal action or (B) subject to a subpoena unless the subpoena is issued by Congress for congressional oversight.

• Subsection 2232(e), which pertains to limitations on governmental uses of information that it receives through CIRCs, should be revised to track with the limits in the Cybersecurity Information Sharing Act of 2015 (CISA 2015).

• To illustrate, in addition to the liability protection, CISA 2015 provides the following protections for sharing CTIs and DMs with any federal entity:

o Exemption from federal antitrust laws (not in the draft bill).

o Exemption from federal and state disclosure laws (seemingly in the draft bill).

o Exemption from certain state and federal regulatory uses (not in the draft bill).

o No waiver of privilege (e.g., trade secret protection) for shared material (not in the draft bill).

o Treatment as commercial, financial, and proprietary information (not in the draft bill).

o Ex parte communications waiver (not in the draft bill).[10]

• The bill should expressly shield reported information from being shared with regulatory agencies for regulatory purposes.

• The bill needs to address how CISA would protect the data from compromise. A business organization said to the Chamber, “The bill would require the establishment of cyber reporting capabilities and defines data preservation requirements, but it does not require the development of data protection requirements. Federal agencies have been compromised by advanced threat actors just as often as private entities. CISA needs to develop data protection requirements to ensure that critical notification data is not compromised and weaponized.”

• The business organization added, “Intrusion reports should be treated as SSI [sensitive security information] and subject to the disclosure protections and penalties of 49 CFR Part 1520.[11] This would help protect investigations from unintentionally or intentionally leaked information, in addition to the liability/privacy protections proposed in the draft. Also, information submitted should be exempt from use in third-party enforcement actions.”

(f) Privacy. Subsection (f) would require CISA to adopt privacy and protection procedures based on the comparable privacy and protection procedures developed for information received and shared pursuant to CISA 2015 (6 U.S.C. 1501 et seq.).[12] Also, such protections and procedures would apply to information submitted to CISA through CIRCs that is known at the time of sharing to contain personal information of a specific individual or information that identifies a specific individual that is not directly related to a cybersecurity threat.

• The legislation would require CISA to adopt privacy and protection procedures “comparable” to ones found in CISA 2015. In the rare instances where an individual’s personal information is embedded within CTIs or DMs, CISA 2015 calls for public and private entities to remove such personal information unrelated to a cyber threat when voluntarily sharing CTIs and DMs.[13]

• Given the draft’s aggressive notification requirements, the government, not the private sector, should be required to minimize or remove personally identifiable information that it obtains from the private sector.

(g) Annual reports.

(1) Director reporting requirement. CISA would be required to submit a report, in classified form if necessary, to the appropriate congressional committees on the number of notifications received through CIRCs not later than 1 year after the date on which CIRCs are established and once each year thereafter. A report would be required to include a description of the associated mitigations taken during the 1-year period preceding the report.

(2) Secretary reporting requirement. DHS would be required to submit a report to the appropriate congressional committees on (A) the categories of covered entities, noting additions or removals of categories, that are required to submit cybersecurity notifications; and (B) the types of cybersecurity intrusions and other information required to be submitted as a cybersecurity notification, including noting any changes from the previous submission not later than 1 year after the date on which CIRCs are established and once each year thereafter.

• Reports submitted to Congress should ensure the anonymity of covered entities (e.g., an enterprise owner/operator).

Sec. 2233 Required Notifications (Page 8)

(a) Notifications.

(1) In general, except as provided in paragraph (2), the federal agency or covered entity that discovered the cybersecurity intrusion or potential cybersecurity intrusion would be required to submit a cybersecurity notification to CISA through CIRCs not later than 24 hours after the confirmation of a cybersecurity intrusion or potential cybersecurity intrusion [strikethroughs and italics added].

• A business group said to the Chamber that the bill should be revised to “remove terms such as ‘potential,’ ‘has the potential,’ and ‘likely to be’ because these requirements are imprecise and would lead to unproductive notifications. Critical response and reporting activity should not be based on speculation that’s rooted in the law.”

• One sector organization described its reactions to the legislation: “The bill misunderstands the proposals and initiatives undertaken by organizations across sectors to work more effectively with the government on cyber incident reporting and information sharing. In short, a legislative mandate to compel reporting is unnecessary. It would be more productive to require DHS/CISA and sector agencies to establish reporting networks and ensure timely analyses of reports for patterns, trends, and indicators of concern.

“For example, the Transportation Sector Coordinating Council (SCC) has repeatedly proposed[14] creating an early notification network for significant cybersecurity concerns managed by TSA [the Transportation Security Administration] with CISA (formerly the DHS Office of Infrastructure Protection). … Ironically, TSA’s May 2021 cybersecurity pipeline directive mandates reporting ‘cybersecurity incidents’ for the purpose of enabling analysis for patterns, trends, and indicators of concern.[15] The repeated proposals for action made by the Transportation SCC, dating back some six years now, and more recently by the STSAC [Surface Transportation Security Advisory Committee], have sought this same outcome—without adequate action by the key agencies.”

(2) Exception. If a federal agency or covered entity is required to submit a cybersecurity notification under paragraph (1) is subject to another federal law, regulation, policy, or government contract requiring notification of a cybersecurity intrusion or potential cybersecurity intrusion to a federal agency within less than 24 hours, the notification deadline required in the applicable law, regulation, or policy would also be required to apply to the notification required under this section [strikethrough added].

• A company told the Chamber, “The bill does not address potential conflicts for contractors with existing reporting requirements to the government, such as the Defense Federal Acquisition Regulations (DFARS) requirement to report a cyber incident to the Department of Defense (DoD) within 72 hours,[16] or potential conflicts with international laws, which may restrict non-U.S. contractors from sharing sensitive cyber incident/threat information with the U.S. government.”[17]

• Similarly, “Some federal contractors,” a business said, “should be permitted to report to the customer agency versus having to report to CISA. The bill could be a major issue for the customers in the military and intelligence communities.”

• One business organization urged bill writers to “thoughtfully pump the brakes” in relation to the administration’s May 2021 cybersecurity executive order (EO).[18] “Currently, the bill would establish separate incident reporting requirements on covered entities that are very similar to the ones in section 2 of the EO. Section 2 of the EO requires OMB [the Office of Management and Budget], in consultation with other agencies, to propose changes to the FARs [Federal Acquisition Regulations] and DFARS relating to incident reporting by IT and OT [operational technology] service providers. The bill would require that DHS/CISA, in coordination with other federal authorities, promulgate interim final rules on topics overlapping or conflicting with the draft legislation.”

The business organization concluded, “The bill is not doing what we thought it would do in terms of clarifying EO section 2 via statute. Rather, it would add more confusion to the growing pile of regulations.”

(b) Required updates. A federal agency or covered entity that submits a cybersecurity notification under subsection (a) would be required to submit updated cybersecurity threat information to CISA through CIRCs not later than 72 hours after the discovery of new information. Such reporting on new information would be mandated until the date on which the cybersecurity incident is mitigated or any follow-up investigation is completed [italics added].

• The bill’s proposed respective 24- and 72-hour required notifications should be reconsidered.

• 24 hours. The initial 24-hour requirement would not give covered entities enough time to investigate and determine the nature and scope of a cyber intrusion before reporting would be due to CISA. The Chamber has supported reasonable timing requirements (e.g., data breaches) that reflect an appropriate and flexible timing standard for government notification. Reasonable timing reflects the practical challenges—and risks—of imposing unnecessarily aggressive deadlines while setting an acceptable window for notifying authorities.[19]

• The rush to report is not without some risk, a firm said to the Chamber. “Viewing this from an operational standpoint, we would want to ensure that affected entities may report an incident after the initial mitigation and response have been carried out, software patches have been installed, and an internal evaluation of the incident has been conducted.”

• A company told the Chamber that “organizations need sufficient time to develop adequate facts to determine the likelihood of actual risk of harm. Even cyber incidents that are ultimately ruled minor in nature may absorb hundreds of personnel work hours to correctly assess. Hasty notifications would likely lead to incorrect data being reported in the fog of an incident.”

• 72 hours. The timetable for required updates within 72 hours is equally problematic. The bill would require a covered entity that submits a cybersecurity notification to also “submit updated cybersecurity threat information to [CISA] not later than 72 hours after the discovery of new information” until the incident is mitigated or an investigation is completed. The legislation is unclear about what a “mitigated” incident means.

• As with the 24-hour notification stipulation, the tight 72-hour reporting time frame would likely interfere with the proper analysis of new data. A business group informed the Chamber that “this proposed regime would almost certainly flood CISA with information that is neither digestible nor actionable.”

• Similarly, another organization noted, “This system of time-based reporting requirements is confusing at best. Reporting, whether by an agreed process or mandate, should be keyed to when the cybersecurity leads for an affected organization have identified activity deemed significant because of the risk caused by a potential breach, compromise, or operational disruption. Time standards would generate reports—though many would be on activity that is neither significant nor based on useful information.”

• A firm conveyed to the Chamber, “The update requirements that covered entities are required to submit not later than 72 hours after the discovery of new information are also problematic as the time period is too short and the term ‘new information’ is too broad. The requirements should encompass some type of a materiality standard.”

• The term “new information” should be narrowly defined in the bill to align with a material change in or important details being discovered specifically associated with the incident.

• The 24- and 72-hour notification regimes would task many private parties with building and maintaining expensive reporting infrastructures—all for relatively little gain to industry and government that the Chamber can discern. Typical of much industry feedback, a business asked, “Would the new reports come back to the private sector with anything of value? Or would they simply fall into a black hole?”

(c) Required contents. The notification and required updates submitted under subsections (a) and (b) would be required to minimally include any information required to be included according to the rules promulgated under subsection (d).

(d) Required rulemaking.

(1) DHS/CISA, in coordination with the Office of the Director of National Intelligence (ODNI), OMB, DoD, and the federal chief information officer (CIO), would be called on to promulgate interim final rules (IFRs) no later than 60 days after the date of enactment of this legislation. Also, the bill would waive prior public notice yet allow comments after the effective date. The IFRs would be required to—

• The bill would require CISA to take the lead in writing IFRs, without prior notice and comment, within 60 days of enactment. Bill writers should step back from this line of thinking and call on CISA to first provide notice in the Federal Register that it intends to promulgate a rule(s). Elements of the bill—ranging from the comparatively controversial to the trivial—should not be determined by CISA without substantial input from industry stakeholders.

(A) define “covered entity” for the purpose of identifying entities subject to the cybersecurity notification requirements and that would need to minimally include federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services [italics added];

• The inclusion of “nongovernmental entities that provide cybersecurity incident response [IR] services” drew much pushback from business entities.

• One organization said to the Chamber that the “preliminary definitions of covered entities are very broad and should be honed ... to avoid unintended scope creep and recognize the confidentiality obligations of those defined as covered entities. Many organizations provide cyber incident response services (e.g., forensics firms, remediation service providers, law firms, and insurers). It is likely that the legislation’s authors intend to cover only forensics firms, and if this is the case, the definition should be amended.”

• Another group mentioned, “Requiring ‘cybersecurity IR services’ to report incidents seems like an end around [a client], which would require third parties to disclose not only incidents affecting their internal systems but client incidents too.”

• One firm said to the Chamber, “Sec. 2233(d)(A) reads to include third-party cybersecurity firms and could create unhelpful outcomes. A company may be hesitant to reach out to a firm. The subsection creates a weird dynamic where firms are policing their customers. It would make more sense to just require the owners and operators to report, not the firms they hire. For example, under current data breach law, the company reports, not the entity providing cybersecurity IR services.”

(B) define “cybersecurity intrusion” and “potential cybersecurity intrusion” to determine when a cybersecurity notification would be required of a federal agency or covered entity [strikethrough added];

(C) define “cybersecurity threat information” to describe the threat information that would be featured in a cybersecurity notification;

(D) define “confirmation of a cybersecurity incident or potential cybersecurity incident” to determine when a notification obligation is triggered [strikethrough added]; and

(E) address whether a federal agency or covered entity would be compelled to provide a cybersecurity notification for a cybersecurity intrusion of which the federal agency or covered entity is aware, but does not directly impact the networks or information systems owned or operated by the federal agency or covered entity.

• If the bill includes nongovernmental entities that provide cybersecurity IR services in the definition of covered entities, subsection (d)(1)(E) needs to be revised. It should explicitly limit IR notifications to activity on their own networks, not anything else that they are aware of (i.e., intrusions impacting their clients’ networks and systems).[20] The subsection should be revised in the following way:

(E) [that] address whether a federal agency or limit a covered entity’s would be compelled to provide a required cybersecurity notification to include only for a cybersecurity intrusion of which the federal agency or covered entity is aware and which, but does not directly impacts the networks or information systems owned or operated by the federal agency or covered entity.

• Speaking for many in the private sector, a business federation told the Chamber that

“under no circumstances should legislation pit the interests of cybersecurity support

firms against their customers in critical infrastructure sectors. A reporting mandate for

these firms would do just that, undermining the confidence of their customers in their

integrity and causing longer term damage to business prospects.”

(2) Requirements for definitions. The definitions required to be promulgated under

paragraph (1)(B) would need to include a cybersecurity intrusion that—

(A) involves or is assessed to involve a nation state;

(B) involves or is assessed to involve an advanced persistent threat cyber actor;

(C) involves or is assessed to involve a transnational organized crime group (as

defined in section 36 of the State Department Basic Authorities Act of 1956 (22 U.S.C.

2708));21

(D) results (or has the potential to result) in demonstrable harm to the national

security interests, foreign relations, or economy of the U.S. or to the public confidence,

civil liberties, or public health and safety of people in the U.S. [strikethrough added];

(E) is or is likely to be of significant national consequence [strikethrough added];

(F) is identified by covered entities but affects, or has the potential to affect,

agency systems [strikethrough added]; or

(G) involves ransomware.

• The Chamber believes that covered entities would have substantial uncertainty about

the definitions tied to determining a cyber intrusion. One association noted, “In most

cases, an entity observing or encountering activity that indicates a cyber threat,

incident, or significant security concern would not have any insight on the required

definitional elements for reporting set out in this section.”

• The terms in subsection (d)(2) should be defined within the legislation and not left to

the rulemaking process. This way key cybersecurity wording can be crafted in the bill

by public and private stakeholders and further refined in a proposed rulemaking.

(3) Required information for cybersecurity threat information. For purposes of the rules

required to be promulgated under paragraph (1)(B), the cybersecurity threat information required

to be included in a cybersecurity notification shall include at a minimum—

(A) a description of the cybersecurity intrusion, including identification of the

affected systems and networks that were, or are reasonably believed to have been,


accessed by a cyber actor, and the estimated dates of when such an intrusion is believed

to have occurred;

(B) a description of the vulnerabilities leveraged, and tactics, techniques, and

procedures used by the cyber actors to conduct the intrusion;

• A company wrote to the Chamber that “this legislative language may insinuate

violating coordinated vulnerability disclosure (CVD) guidelines. The aim of CVD is to

improve the security of systems by sharing knowledge of vulnerabilities in a timely

and confidential manner to the owner/vendor of the system and mitigate further active

abuse by third parties.”22

(C) any information that could reasonably help identify the cyber actor, such as

internet protocol addresses, domain name service information, or samples of malicious

software;

(D) contact information, such as a telephone number or electronic mail address,

that a federal agency may use to contact the covered entity, either directly or through an

authorized agent of the covered entity; and

(E) actions taken to mitigate the intrusion.

(e) Required coordination with sector risk management agencies. DHS/CISA, in coordination

with the head of each sector risk management agency (SRMA) and other federal agencies, as

determined by CISA, shall—

(1) establish a set of reporting criteria for SRMAs and other federal agencies as identified

by CISA to submit cybersecurity notifications regarding cybersecurity incidents affecting

covered entities in their respective sectors or covered entities regulated by such federal agencies

to CISA through CIRCs.

(2) take steps to harmonize the criteria described in paragraph (1) with the regulatory

reporting requirements in effect on the date of enactment of this subtitle [italics added].

• The draft would require SRMAs to submit cybersecurity notifications to CISA.

“However,” a business group told the Chamber that “CISA is not required to provide

covered entities’ cyber incident reporting notifications to their corresponding SRMAs.

Otherwise, an owner/operator would need to notify CISA and several agencies about a

single cybersecurity incident.”

• The business group urged that “CISA be required to share [anonymized] intrusion

reports, in a timely manner, with relevant SRMAs and FEMA ESF-14 [Emergency

Support Function #14, Cross-Sector Business and Infrastructure] sector-specific

agencies. As appropriate, and in consultation with the operator, CISA should also be


required to share such reports with appropriate law enforcement agencies, including

FBI. Such communication would build upon the existing PPD 41 [Presidential Policy

Directive 41] framework.”

• The “take steps to harmonize …” language in subsection (e)(2) is positive but does not

sufficiently address the expected conflicts with existing data protection/data

security/cybersecurity reporting rules at the federal level. The bill should explicitly

preempt other agencies’ data protection/data security/cybersecurity reporting

requirements.

• A business organization said to the Chamber, “One report to one government

component should suffice to meet either agreed security actions or legislative or

regulatory mandates. The reporting should be made either to CISA or the appropriate

[SRMA(s)]. This federal government component should then be charged with ensuring

further dissemination to other interested agencies.”

• The legislation should be amended to require CISA and SRMAs to write and publicize

procedures for stakeholders to submit requests for information/assistance and proposals

to enhance cybersecurity. CISA and SRMAs should also be required to report to

Congress annually on requests and proposals that they receive from stakeholders and

the actions taken on them.

(f) Protection from liability. No cause of action shall lie or be maintained in any court by any

person or entity, other than the federal government pursuant to subsection (g) or any applicable

law, against any covered entity due to the submission of a cybersecurity notification to CISA

through the Cyber Intrusion Reporting System, in conformance with this subtitle and the rules

promulgated under subsection (d), and any such action shall be promptly dismissed.

• The liability protection in the bill should be strengthened. The liability protection

provision in the bill is constructive, but it needs to include both the “submission” and

any information contained in a notification. The liability protection needs to encompass

the act of notifying the government and the data in a notification.

• The term Cyber Intrusion Reporting System appears for the first time on page 14 of the

bill and should be clarified in relation to the term Cyber Intrusion Reporting

Capabilities.

(g) Enforcement.

(1) Covered entities with federal government contracts. If a covered entity violates the

requirements of this subtitle, including the rules promulgated under this subtitle, the covered

entity shall be subject to penalties determined by the General Services Administration (GSA),

which may include removal from the federal contracting schedules.


• According to the bill, covered entities (e.g., defense industrial base firms) “shall be

subject” to penalties determined by the GSA—including the potential removal from

federal contracting schedules, which is an extreme step. GSA could take punitive steps

against a covered entity/federal contractor without an understandable framework for

such decision making.

(2) Covered entities without federal government contracts. If a covered entity violates the

requirements of this subtitle, including the rules promulgated under this subtitle, the covered

entity shall be subject to financial penalties equal to 0.5% per day of the entity’s gross revenue

from the prior year [italics added].

• The bill would impose financial penalties equal to 0.5% per day of a covered entity’s

gross revenue from the prior year for a violation of any of its provisions. The financial

penalties provision should be struck from the bill. Such penalties, which one business

described as “draconian … compared with how our adversaries are punished—or,

rather, not punished,” are unnecessary and unjust and would exacerbate overreporting.

• A common perspective the Chamber hears from industry is that the “enforcement

mechanism is flawed. It would not produce quality reporting, but excessive fines, along

with contentious disputes over the date on which a covered ‘cyber intrusion’ should

have been detected and became reportable. The enforcement provision would compel

covered organizations to report reams of insignificant cyber activity—as the most

effective means of avoiding the prospect of fines—when quality reports on significant

cyber threats, incidents, and security concerns are needed most.”

• Tentative perspective: Financial sanctions should only be applied in an instance where

a covered entity deliberately violates the notification requirements of the bill. As

currently drafted, the bill would provide CISA with no discretion to enforce lower or

nonfinancial penalties. It includes no mechanism for redress of a fine. Rather than say

“equal to 0.5% per day” of the entity’s gross revenue, the language should be modified

to say “up to 0.5% per day” of the entity’s gross revenue or a lesser threshold to

provide CISA with greater discretion. Additionally, CISA should be required to

establish a redress process outside of the judicial system for private entities to contest

or reduce financial sanctions.

(3) Federal agencies. If a federal agency violates the requirements of this subtitle, the

violation shall be referred to the inspector general for the agency and shall be treated as a matter

of urgent concern.

(h) Exemption. All information collection activities under sections 2232 and 2233 of this subtitle

shall be exempt from the requirements of sections 3506(c), 3507, 3508, and 3509 of title 44, U.S.

Code (commonly known as the Paperwork Reduction Act).


(i) Rule of construction. Nothing in this subtitle shall be construed to supersede any reporting

requirements under subchapter I of chapter 35 of title 44, U.S. Code.

Sec. 2234 Preservation of Information (Page 15)

(a) In general. Not later than 60 days after the date of enactment of this subtitle, DHS/CISA, in

coordination with the OMB, shall promulgate rules for data preservation standards and

requirements for federal agencies and covered entities to assist with cybersecurity intrusion

response and associated investigatory activities.

(b) Minimum requirements. The rules for data preservation promulgated under subsection (a)

shall require, at a minimum, that a federal agency or covered entity that submits a cybersecurity

notification under this subtitle shall preserve all of the data designated for preservation under

such rules [italics added].

• The data preservation requirements would be deferred under the bill to a rulemaking process(es). The requirements could be quite onerous unless some reasonable parameters for data retention by industry are established in legislation. Additional topics, such as whether the government must maintain sensitive cybersecurity data in an encrypted format, need more discussion.

• An industry organization remarked to the Chamber, “There are significant information

capture issues existing in older technology and large expenses of adding longer-term

logging/storage capacity. Further, operators must comply with data preservation

requirements mandated by existing cybersecurity authorities (e.g., NERC [the North

American Electric Reliability Corporation] and NRC [the Nuclear Regulatory

Commission]), creating potentially duplicative requirements and introducing new

risks.”

• The preservation rulemaking(s) called for under subsection (b) should address

reasonable exceptions and limitations concerning data volume, retention and deletion

periods, forms (e.g., email), and so forth.

Sec. 2235. Analysis of Cybersecurity Notifications (Page 16)

(a) Analysis.

(1) In general. DHS/CISA, the Attorney General (AG), and the ODNI, shall jointly

develop procedures for ensuring any cybersecurity notification submitted to the System is

promptly and appropriately analyzed to—

(A) determine the impact of the breach or intrusion on the national economy and

national security.

(B) identify the potential source or sources of the breach or intrusion.


(C) recommend actions to mitigate the impact of the breach or intrusion.

• Subsection (a)(1)(C) suggests that CISA would be principally responsible for providing

mitigations but does not require it to act expeditiously. The bill should clarify that a

covered entity would have the flexibility to use a third party for mitigations. Still,

CISA needs to share actionable mitigations with a covered entity as soon as possible.

(D) provide information on methods of securing the system or systems against

future breaches or intrusions.

(2) Requirement. The procedures required to be developed under paragraph (1) shall

include criteria for when rapid analysis, notification, or public dissemination is required.

(3) Authority. DHS/CISA, the AG, and the ODNI may each designate employees within

each respective agency who may search intelligence and law enforcement information for cyber

threat intelligence information with a national security or public safety purpose, based on

cybersecurity notifications received by the agency through the Cyber Intrusion Reporting

Capabilities, and consistent with the procedures developed under paragraph (1).

(b) Analytic production.

(1) In general. Not less frequently than once every 30 days, DHS/CISA, the AG, and the

ODNI shall produce a joint cyber threat intelligence report that characterizes the current cyber

threat picture facing federal agencies and covered entities [italics added].

(2) Requirements. Each report required to be produced under paragraph (1)—

(A) shall be in a form that may be made publicly available.

(B) may include a classified annex as necessary.

(C) shall, to the maximum extent practical, anonymize attribution information

from cybersecurity notifications received through the Cyber Intrusion Reporting

Capabilities [italics added].

(3) Authority to declassify. The ODNI may declassify any analytic products, or portions

thereof, produced under this section if such declassification is required to mitigate cyber threats

facing the U.S.


• The bill’s call for a joint cyber threat intelligence report supporting the critical

infrastructure community to help prevent, detect, and mitigate malicious cyber activity

is constructive. Yet it should be issued not less frequently than once per week to have

the desired utility that bill writers seek. “A month is a year in cybersecurity,” a

company told the Chamber. Indeed, the fact that the report is called for every 30 days

under the legislation should give bill writers pause about compelling covered entities to

report cyber intrusions within 24 to 72 hours. What’s more, in developing reports most

businesses couldn’t match the kinds of resources that national security agencies would

draw upon.

• One of the significant and ongoing challenges faced by private entities is the inability

to access actionable cybersecurity threat information, whether classified or

unclassified. The bill needs to be revised to include targeted improvements if the

incident reporting regime is to lead to tangible increases in business and government

cybersecurity.

o The legislation should oblige deeper intelligence community (IC) engagement with

covered entities. A business principal told the Chamber, “The bill’s underlying

premise is that companies need to be forced to share cyber information with the

government when, in fact, the opposite is true. Agencies are keeping industry at an

arm’s length, and yet they [government officials] call for forced data sharing.

That’s not most people’s definition of partnership.”

o Bill writers should incorporate sections 605 and 606 of H.R. 7856, the Intelligence

Authorization Act for Fiscal Year 2021, into this legislation.23 These sections, which

have not passed Congress, correspond closely with proposals put forward by the

Cyberspace Solarium Commission (i.e., recommendations 5.1.1 and 5.1.2) in 2020

and the Chamber in 2019 to deepen operational collaboration among key private

sector and government organizations. What’s confusing to the Chamber is that

Congress has not passed these relatively straightforward proposals to drive better

cybersecurity information sharing and analysis, and yet there’s a push for forced

reporting by businesses and agencies.

o The bill should expressly call for substantive sharing of classified information with

cleared industry personnel. The bill should “compel the IC to be partners with

covered entities,” a business organization said to the Chamber. “CISA should be

required to provide a secure, secret-level or higher internet connection to the ISACs

[information sharing and analysis centers] for the exchange of classified

information. Such a network currently exists outside of government.”

o The legislation should direct CISA and SRMAs to work with their respective sector

stakeholders to create objective, measurable, and observable indications and

warnings about adversary cyberattacks, campaigns, and so forth.


o The bill should expand CISA’s funding and capabilities. The agency would need to

meet a surge in demands from the public and private sectors due to its expanded

role regarding coordinated action, common situational awareness, and joint

analysis.

• Industry groups tell the Chamber that they want more clarity on business

anonymization related to analytic products or reports that would be developed by DHS,

the ODNI, and other agencies under this legislation. Put simply, products need to

ensure the anonymity of covered entities.

Notes

1 See the U.S. Chamber of Commerce’s Seven P’s Cybersecurity Policy Principles. The paper’s topics are summed

up in 7 words—potential, program, protection, preemption, partnership, price, and promotion—and cover how the

Chamber will assess legislation, advocate for balancing federal regulation with industry protection, consider the

costs of cybersecurity, seek mutually beneficial agreements with policymakers, and promote U.S. policies at home

and internationally.

https://www.uschamber.com/sites/default/files/uscc_7_ps_cyber_policy_cheat_sheet_final_v1.0.pdf

2 See David Turetsky et al., “Cybersecurity Information Sharing Success Stories,” Lawfare, July 15, 2020.

https://www.lawfareblog.com/cybersecurity-information-sharing-success-stories

3 Researchers who have studied cybersecurity information sharing caution policymakers against making it

mandatory. People’s behaviors related to information sharing, which probably comes as no surprise to many

practitioners and policymakers, are rooted in expectations about fairness, trust, and reciprocity.

[The authors] provide some first empirical evidence on the association of particular human behaviors with

SIS [security information sharing] among individuals in a private ISAC [information sharing and analysis

center] setting. The study also contributes to understanding the theoretical prediction that actual SIS may not

reach its societally optimal level by suggesting that human behavior may be at the core of this problem. At

the same time, we would caution regulators and researchers to infer that SIS should be mandated (i.e., that

individuals should be forced to share) as a consequence of this problem. Adjusting sanction levels for failure

to comply with mandatory SIS could be difficult, if not impossible. Moreover, regulation that attempts to

solve the “sharing dilemma” in SIS should try to fix causes, not symptoms.

Alain Mermoud et al., “To Share or Not to Share: A Behavioral Perspective on Human Participation In Security

Information Sharing,” Journal of Cybersecurity, Vol. 5, Issue 1, 2019, pages 2 and 9.

https://doi.org/10.1093/cybsec/tyz006

4 Some 25 Cyberspace Solarium Commission (CSC) recommendations were included in the FY 2021 National

Defense Authorization Act (NDAA). One provision that is worth flagging is section 1715 of the law, which calls for

a Joint Cyber Planning Office (JCPO) to be established at the Cybersecurity and Infrastructure Security Agency

(CISA). In keeping with the agency’s role as a governmental hub for cybersecurity planning and information

sharing, the JCPO is expected to develop public-private plans for cyber defense operations, including taking

coordinated actions to “protect, detect, respond to, and recover from cybersecurity risks or … defend against

coordinated, malicious cyber operations that pose a potential risk to critical infrastructure or national interests.”

In addition to CISA personnel, the JCPO will include representatives from the Department of Defense,

Cyber Command, the National Security Agency, the FBI, and the Department of Justice. Charged with promoting

greater cooperation and unity of effort within the federal agencies, the JCPO is called on to fashion plans for

defensive cyber operations in collaboration with the private sector. Business partnerships with CISA and Cyber

Command should be discretionary (i.e., companies decide whether it makes sense to work with the government),


but the Chamber wants to empower private entities to willingly partner with these agencies and others such as the

FBI to strengthen collective defense and stay a step ahead of foreign adversaries while remaining faithful to U.S.

and international law.

CSC, “NDAA Enacts 25 Recommendations from the Bipartisan Cyberspace Solarium Commission,”

January 2, 2021.

https://www.solarium.gov/press-and-news/ndaa-override-press-release

Section 1715, “Establishment in Department of Homeland Security of joint cyber planning office.” FY 2021 NDAA

(P.L. 116-283). See conference report to H.R. 6395, pp. 712–715.

https://www.congress.gov/bill/116th-congress/house-bill/6395

For more on the U.S. defend forward strategy, see the following items:

Testimony of Gen. Paul Nakasone, Senate Armed Services Committee hearing, “U.S. Special Operations Command

and U.S. Cyber Command,” March 25, 2021.

https://www.armed-services.senate.gov/hearings/21-03-25-united-states-special-operations-command-and-united-states-cyber-command

Yale Cyber Leadership Forum, “Defending Forward? Implications for Safety, Security, and Sovereignty in

Cyberspace,” March 4, 2021.

https://cyber.forum.yale.edu/agenda

Erica D. Borghard and Shawn W. Lonergan, “Public-Private Partnership in Cyberspace in an Era of Great-Power

Competition,” chapter 7, in Jacquelyn G. Schneider et al. Ten Years In: Implementing Strategic Approaches to

Cyberspace, 2020. Newport Papers, 45.

https://digital-commons.usnwc.edu/usnwc-newport-papers/45

Paul M. Nakasone and Michael Sulmeyer, “How to Compete in Cyberspace: U.S. Cyber Command’s New

Approach,” Foreign Affairs, August 25, 2020.

https://www.foreignaffairs.com/articles/united-states/2020-08-25/cybersecurity

5 42 U.S. Code § 5195c, Critical Infrastructures Protection. “[T]he term ‘critical infrastructure’ means systems and

assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets

would have a debilitating impact on security, national economic security, national public health or safety, or any

combination of those matters.”

https://www.law.cornell.edu/uscode/text/42/5195c

6 P.L. 107-56, § 1016(e), 115 STAT. 401.

https://www.govinfo.gov/content/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf

7 https://www.cisa.gov/critical-infrastructure-sectors

8 Presidential Policy Directive 41, U.S. Cyber Incident Coordination, July 2016.

https://obamawhitehouse.archives.gov/the-press-office/2016/07/26/presidential-policy-directive-united-states-cyber-incident

9 https://www.cisa.gov/ais

https://www.cisa.gov/sites/default/files/publications/AIS%20Fact%20Sheet_2.pdf (fact sheet)

10 6 U.S. Code § 1505, Protection From Liability.

https://www.law.cornell.edu/uscode/text/6/1505

Also see pages 16–18 of Guidance to Assist Non-Federal Entities to Share Cyber Threat Indicators and Defensive

Measures with Federal Entities under the Cybersecurity Information Sharing Act of 2015 (Non-Federal Entity

Guidance), last revised October 2020.


11 49 CFR part 1520, Protection of Sensitive Security Information.

https://www.law.cornell.edu/cfr/text/49/part-1520

12 The Consolidated Appropriations Act, 2016 (P.L. 114-113) included the Cybersecurity Information Sharing Act

of 2015 (CISA 2015).

https://www.congress.gov/114/plaws/publ113/PLAW-114publ113.pdf

https://www.federalregister.gov/documents/2016/06/15/2016-13742/cybersecurity-information-sharing-act-of-2015-final-guidance-documents-notice-of-availability

https://www.cisa.gov/publication/cybersecurity-information-sharing-act-2015-procedures-and-guidance

13 Non-Federal Entity Guidance, “Removal of Personal Information not Directly Related to a Cybersecurity Threat,”

pages 7–9.

https://www.cisa.gov/sites/default/files/publications/Non-Federal%20Entity%20Sharing%20Guidance%20under%20the%20Cybersecurity%20Information%20Sharing%20Act%20of%202015_1.pdf

14 The sector organization added, “The first proposal was made as an after-action priority defined by the SCC [sector

coordinating council] members for the first cross-modal cybersecurity exercise held by TSA in August 2015. When

no action was taken on implementation, the SCC renewed this proposal as an after-action priority following the

second cross-modal cybersecurity exercise held by TSA in November 2017. Officials with CISA participated in both

exercises and were aware of the proposed after-action priorities.

“A few years ago, members of the TSA-appointed Surface Transportation Security Advisory Committee (STSAC)

prioritized creating an early notification network for cyber threats, incidents, and security concerns in the

transportation sector. In February 2021, the STSAC unanimously approved recommendations to the TSA

administrator on enhancing surface transportation security and emergency preparedness, including an early

notification network for cybersecurity.”

15 Mayer Brown, “Critical Pipeline Cybersecurity Directive Released,” June 2, 2021.

https://www.mayerbrown.com/en/perspectives-events/publications/2021/06/critical-pipeline-cybersecurity-directive-released

16 Defense Federal Acquisition Regulation Supplement Clause 252.204-7012, Safeguarding Covered Defense

Information and Cyber Incident Reporting, defines “rapidly report” to mean “within 72 hours of discovery of any

cyber incident.”

https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf

https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

17 The company added, “We mainly have non-U.S. laws in mind. That is, other countries may understandably have

national security and/or export control law and policy reasons not to allow their defense industrial base companies to

report details of incidents involving their systems to the U.S. government, yet there are many non-U.S. companies in

the DoD supply chain.

“Here’s a case in point: The UK MOD [Ministry of Defence] basically told its contractors that it has ‘sovereignty

concerns’ with DFARS 252.204-7012 and CMMC [Cybersecurity Maturity Model Certification framework]

requirements. Among other guidance, the UK MOD’s guidance [Compliance with Cyber Security Requirements

from Other Nations, June 2021] says that when faced with flow down of these clauses, these UK contractors should

push for the removal of operative clauses or the insertion of narratives that such language is not applicable. If one of

our closest allies has this guidance, imagine the pushback that other countries’ defense ministries would have.”

https://www.gov.uk/government/publications/industry-security-notices-isns/compliance-with-cyber-security-requirements-from-other-nations

18 White House, Executive Order 14028, Improving the Nation’s Cybersecurity, May 12, 2021.

https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity


https://www.federalregister.gov/documents/2021/05/17/2021-10460/improving-the-nations-cybersecurity

19 Hunton Andrews Kurth and the Chamber, Seeking Solutions: Aligning Data Breach Notification Rules Across

Borders, April 2019.

https://www.huntonprivacyblog.com/2019/04/04/hunton-partners-with-the-u-s-chamber-of-commerce-on-seeking-solutions-aligning-data-breach-notification-rules-across-borders

20 “From our [company’s] perspective, section 2233(d)(1)(E) is very concerning and must be considered in relation

to the definition of covered entities. The definition of covered entities includes incident response [IR] providers. It’s

not unreasonable for the bill writers to want to include IR providers, particularly given SolarWinds. IR companies

are of much value to U.S. adversaries and criminals. IR providers aren’t assumed to report intrusions on their own

networks. The problem is that the addition of subparagraph (E) makes clear that bill writers don’t just want IR

providers to report on intrusions on their own networks, they want reporting to include anything they are ‘aware’

of—whether or not it affects only their networks—which would by definition include their clients’ networks or

information systems.

“This provision reflects the bill’s authors telling DHS explicitly that they want this reporting considered. [Our

company] understands why the sponsors would want this information, but it would come at great cost. In addition to

being duplicative and a waste of time and resources for the IR company, reporting would be mandated at a moment

where time is of the essence. Ultimately, companies would think twice before hiring an IR company or bringing in

CISA to help. This outcome would make the U.S. less secure. Also, firms would know that the IR provider has this

legal obligation because the IR provider would have to start writing it into its contracts to override

privacy/confidentiality provisions.”

21 State Department Basic Authorities Act of 1956 (P.L. 84–885), amended. The term “transnational organized crime

group” means a group of persons that includes one or more citizens of a foreign country, exists for a period of time,

and acts in concert with the aim of engaging in transnational organized crime (page 32).

https://www.govinfo.gov/content/pkg/COMPS-1088/pdf/COMPS-1088.pdf

22 The company continued, “A recent use case to consider is Kaseya VSA exploit which occurred on July 2, 2021.

The Dutch Security Hotline notified Kaseya VSA of vulnerabilities it found via CVD guidelines on April 6, 2021.

Kaseya VSA began issuing patches right away on April 10. Unfortunately, a breach did occur on July 2, but the

opportunity was given to Kaseya VSA to release a patch for its users and resolve the vulnerabilities prior to the

larger ecosystem learning about it. Kaseya VSA also had mitigated most of the vulnerabilities identified after it was

notified, just not all of them. CVD guidelines and timing of disclosure sharing are critical in such instances when

wanting to remedy any vulnerabilities or protect systems to limit or prevent loss or damage as much as possible.”

23 https://www.congress.gov/bill/116th-congress/house-bill/7856

https://www.solarium.gov/report