Sunday, October 24, 2021

Review - HR 5440 Introduced – Cyber Incident Reporting

Last month, Rep Clarke (D,NY) introduced HR 5440, the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Similar to S 2875, this bill establishes the Cyber Incident Review Office in CISA and establishes requirements for cyber incident reporting. It amends the Homeland Security Act of 2002 by adding a new §2220A, Cyber Incident Review Office. No new funding is provided in the bill.

Moving Forward

Clarke and all three of her cosponsors {Rep Thompson (D,MS), Rep Katko (R,NY), and Rep Garbarino (R,NY)} are influential members of the House Homeland Security Committee to which this bill was assigned for consideration. This bill will move forward in Committee, but there will almost certainly be revisions made to the language of the bill before it is approved with strong bipartisan support.

I am not convinced that the strong support in Committee will allow this bill to move to the floor of the House. There will be some inter-committee posturing trying to see more influence on these cybersecurity reporting requirements being retained by existing regulatory agencies. This would ensure that the leadership of other committees would retain their influence on both such reporting and the regulatory responses to those reports. If this bill were to make it to the floor of the House, I suspect that it would receive bipartisan support.


I am suitably impressed with the effort that the Committee Staff took in their use of language and definitions to ensure that cyberattacks on industrial control systems would be included in the regulations to be developed by CISA. There was one area, however, where that effort fell short. In the proposed §2220A(d)(5)(D) discussion of the content that would be required in the covered reports, the bill requires in clause (iv) that the report include: “Where applicable, identification of the category or categories of information that was, or is reasonably believed to have been, accessed or acquired by an unauthorized person.” There is no corresponding requirement to report any specific information about operational technology or processes affected by the covered cyberattack. To correct this, I would suggest inserting a new clause (v):

“(v) Where applicable, identification of the operational control system, technology, or devices believed to have been accessed, modified or interrupted by an unauthorized person,”

While the language in this bill and in S 2875 is not nearly identical, my comments about the weaknesses in the Senate bill also apply to this bill. To be effective, these reporting regulations will have to include provisions for CISA to specifically identify covered facilities and directly notify them of that status and their reporting obligations prior to a cyber incident occurring. Otherwise, facilities will be able to argue that they were unaware that they were specifically considered to be a covered facility with reporting responsibilities under the rules.

I am not sure how CISA would go about accomplishing that task in anything approaching a comprehensive manner. This may be the best argument for letting this designation responsibility remain with other federal regulating agencies and allowing CISA to be the recipient of the required reports.

For more details about the provisions of this bill, see my article at CFSN Detailed Analysis (subscription required).
