Industry groups want more time to report cybersecurity incidents

Key industry groups on Wednesday pushed to give organizations at least three days to report cybersecurity incidents to the federal government, effectively opposing Senate legislation that would give them 24 hours to report breaches.

The industry concerns come amid bipartisan efforts in both the House and Senate to put forward legislation attempting to stem the tide of major cybersecurity incidents, such as the SolarWinds hack discovered in December.

Context: The breach of SolarWinds, carried out by Russian government-linked hackers, led to the compromise of nine federal agencies and 100 private sector groups, including cybersecurity group FireEye. The company’s decision to come forward and publicize the incident was not required by law, but was cited by many officials as a key reason the larger espionage effort was uncovered.

“Cyberattacks are often complex and require sophisticated analysis to fully understand the full scope of compromise,” Ron Bushar, vice president and Global Government Chief Technology Officer at FireEye Mandiant, testified as part of prepared remarks to the House Homeland Security Committee’s cybersecurity subcommittee Wednesday.

“Allowing for a reasonable amount of time to properly assess the situation before requiring reporting will limit false positives, and redundant or contradictory information and prevent unnecessary data collection,” Bushar noted.

Competing efforts: The concerns were raised during a hearing on a new draft bill put forward by Rep. Yvette Clarke (D-N.Y.), chair of the House Homeland Security Committee’s cybersecurity subcommittee, and Rep. John Katko (R-N.Y.), ranking member of the full committee.

Among many provisions, the draft bill would ban the Cybersecurity and Infrastructure Security Agency (CISA) from requiring critical organizations to report cybersecurity breaches until at least 72 hours after the incident occurs.

In contrast, bipartisan legislation introduced in the Senate in July by almost all members of the Senate Intelligence Committee would give certain critical groups 24 hours to report a cybersecurity incident to CISA.