Communications Litigation Today was a Warren News publication.
‘Limit Overreporting’

Telecom and Tech Groups: CISA Should Narrow New Cyber Rules

The Cybersecurity and Infrastructure Security Agency should narrow the scope of its proposed cyber incident reporting rules to ease the regulatory burden on industries already facing a multitude of state and federal mandates, USTelecom, NTCA and Microsoft said in comments that were due Wednesday in docket CISA-2022-0010 (see 2403270070).

CISA extended the comment period through Wednesday for its proposed rules under the 2022 Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA). A final rule is expected in 2025 and would likely go into effect in 2026, based on the Congressional Research Service’s assessment.

According to USTelecom, one communications sector company estimates it would need to report around 6,000 cyberattacks each month under CISA’s proposed thresholds. The U.S. Chamber of Commerce also cited those numbers. Individuals and organizations report around 800,000 cyberattacks annually across all sectors in the U.S.

CISA should narrow the scope of its definition for “substantial cyber incident” in its final rule, USTelecom and NTCA wrote in comments filed jointly with financial services and electricity sector associations. The group cited comments that Rep. Yvette Clarke, D-N.Y., lead sponsor of CIRCIA legislation, made during a recent House hearing. Clarke said the new law's intent is to create “appropriately tailored” rules that “limit overreporting,” not to “subject everyone or every incident to reporting.”

The associations recommended CISA limit the definition for substantial cyber incident to those "directly impacting the operational capabilities of the critical infrastructure entity, as determined by the owners and operators, and only where such operational capabilities fall within congressional intent.”

Similarly Microsoft recommended CISA tighten definitions for “covered entity” and “covered cyber incident.” The company said CISA should clearly state the rules apply to a covered entity’s “critical infrastructure capacity” only. The rule’s current definitions sweep in “activity that is outside the bounds of CISA’s jurisdiction to regulate,” Microsoft said. The company has been under fire for its cybersecurity practices (see 2406130069).

TechNet offered comments similar to those from Microsoft. The definition for covered entity shouldn’t “encompass broad sectors of the economy at outsized cost with minimal benefits for cybersecurity resilience,” said TechNet. “Specifically, we believe entities should only be subject to mandatory reporting for their critical functions.”

CTA expressed concern that the proposal takes an overly broad approach to covered entities and incidents, potentially “sweeping in consumer-focused technology and companies that, although important for our economy, are not critical infrastructure within the meaning of CIRCIA.” As such, CTA urged CISA to “target the most significant cyber incidents impacting truly critical infrastructure.”

WTA recommended CISA sign an interagency agreement with the FCC to harmonize cyber incident reporting. WTA members and other rural local exchange carriers likely will be covered entities under the new rule, the association said. Groups will need to file reports with CISA, FCC, FBI, FTC, U.S. Secret Service and various government bodies at the state and local level, WTA said: “The required multiple incident reports will entail substantial and inefficient complexities because they will involve different formats and information, and will be required to be filed in different places according to different deadlines.” CISA should work with the other agencies to establish uniform cyber incident reporting requirements so companies can operate more efficiently, said WTA.

The National Association of Secretaries of State previously recommended CISA allow state and local governments to voluntarily comply with the new rules (see 2406070043). It claimed the new mandates could disincentivize the current voluntary agreement between states and CISA. A group of state chief information officers in comments this week urged that CISA develop a process where states receive incident reports in a “timely manner.” It’s “vital that states are included in incident response activities and quickly made aware of threats to local governments and their own networks,” wrote Doug Robinson, National Association of State Chief Information Officers executive director.