On August 27, 2021, the U.S. House Homeland Security Committee released a draft bill that would, among other things, establish a Cyber Incident Review Office (CIR Office) within the Cybersecurity and Infrastructure Security Agency (CISA), which is part of the U.S. Department of Homeland Security (DHS), and require critical infrastructure owners and operators to report cybersecurity incidents to the CIR Office. The bill would be known as the “Cyber Incident Reporting for Critical Infrastructure Act of 2021” (the Act) and would build on recent Executive Orders and directives aimed at the U.S. critical infrastructure (including pipelines).

The new CIR Office would have several responsibilities, including to:

  • receive, aggregate, and analyze reports related to covered cybersecurity incidents submitted by covered entities and assess the effectiveness of security controls and identify techniques, tactics and procedures adversaries use to overcome such controls;
  • facilitate the timely sharing between relevant critical infrastructure owners and operators and, as appropriate, the intelligence community;
  • conduct reviews of “significant cyber incidents” and identify ways to prevent or mitigate similar incidents in the future;
  • publish quarterly unclassified, public reports that describe aggregated, anonymized observations and recommendations base on cyber incident reports; and
  • proactively identify opportunities to leverage data on cybersecurity incident to enable and strengthen cybersecurity research by academic institutions and private sector organizations.

Under the bill, the Director of DHS must publish an interim rule in the Federal Register within 9 months setting forth the cybersecurity reporting requirements and procedures in accordance with the Act, including defining which owners and operators of critical infrastructure are “covered entities” and the types of “cybersecurity incidents” that would trigger notification obligations to the CIR Office.  The bill suggests a broad definition of a “cybersecurity incident” that would be reportable:

(B) MINIMUM THRESHOLDS.—For a cybersecurity incident to be considered a covered cybersecurity incident a cybersecurity incident shall, at a minimum, include at least one of the  following:

(i) Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of such information system or network, or has a serious impact on the safety  and resiliency of operational systems and processes.

(ii) Disruption of business or industrial operations due to a distributed denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability, against—

(I) an information system or  network; or

(II) an operational technology system or process.

(iii) Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, managed service provider, other third-party data hosting provider, or  supply chain attack.

Importantly, under the bill, “in no case may the Director require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred.”  The interim rule published by the Director of DHS also must establish the contents and means of submitting reports to the CIR Office by covered entities as well as timelines for covered entities to submit updates to reports if new or different information becomes available.

If a covered entity experiences a cybersecurity incident but does not report it, the bill would give the Director the authority to issue a civil subpoena to the company.  If the subpoena does not result in sufficient information to the Director, the bill provides an additional remedy:

If, based on the information provided in response to a subpoena issued pursuant to paragraph (3), the Director determines that the cybersecurity incident at issue is a significant cyber incident, or is part of a group of related cybersecurity incidents that together satisfy the definition of a significant cyber incident, and a more thorough examination of the details surrounding such incident is warranted in order to carry out activities described in subsection (c), the Director may direct the Office to conduct an examination of  such incident in order to enhance the Agency’s situational awareness of cybersecurity threats across critical infrastructure sectors, in a manner consistent with privacy and civil liberties protections under applicable law.

Under the bill, a “significant cyber incident” means a cyber incident, or a group of related cyber incidents, that the Director determines is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.

Covered entities that report cybersecurity incidents to the CIR Office would receive the protections against liability afforded under the Cybersecurity Information Sharing Act of 2015, and prohibit use of the information shared with the CIR Office from being used by government agencies for enforcement actions.

The House Subcommittee hearing on the bill is scheduled to begin at noon on Wednesday, September 1, 2021.  Scheduled speakers include representatives from IT security, banking, and the American Gas Association.  More information is available here.