00:00 Thank you. I yield. Thank you to our chairman. Now I recognize the gentlewoman from New York,
00:08 the former chair, Ms. Clarke. Thank you very much, Mr. Chairman, and I thank Ranking Member
00:15 Swalwell for letting me wave on to today's subcommittee hearing, and thank you to our
00:20 panel of witnesses for joining us today. Before I begin my formal comments, I'd like to
00:30 associate myself with the sentiments of Ranking Member Swalwell regarding Congressman Sylvester
00:35 Turner. We are grateful for his service to the people of Houston, Texas, and to his family
00:42 and loved ones we extend our deepest condolences. May he rest in peace.
00:46 When I introduced CIRCIA back in 2021 with Ranking Member Thompson and Chairman Garbarino,
00:53 I did so because I recognized the important need for increased visibility into the cyber
00:59 incidents affecting critical infrastructure and the importance of a central hub for cyber incident
01:05 reporting in the federal enterprise. I worked with many of the witnesses here today to get CIRCIA
01:11 across the finish line, and I appreciate their ongoing efforts to make sure that we get the
01:16 final rule right. I also appreciate Mr. Swalwell's work encouraging CISA to effectively engage with
01:23 the private sector on the rule. I agree with my colleagues and the witnesses before us that
01:28 there are necessary improvements to the proposed rule, but the urgency of implementing CIRCIA
01:34 remains, and I hope the new administration will work quickly to modify the proposed rule
01:41 and publish a final one without undue delay. I have two questions for our witnesses. First of all,
01:48 to all of our witnesses: without a well-defined cyber incident reporting rule and harmonization
01:55 process for CISA, we run the risk of agencies across government issuing a hodgepodge of
02:02 duplicative cyber incident reporting requirements. How will scrambling to comply with multiple
02:09 incident reporting requirements affect security? And then secondly, many stakeholders have weighed
02:15 in that the proposed CIRCIA rule defined covered entities and covered incidents too broadly,
02:23 unnecessarily increasing the burden on the private sector and potentially overwhelming CISA
02:29 with too many reports to analyze. Indeed, CIRCIA instructed CISA to identify subsets of entities
02:36 and incidents subject to reporting requirements to avoid that outcome.
02:44 Give me your thoughts on that. We'll start with Mr. Aronson and then work our way across.
02:52 So on the first question, I would just echo some of the things that Ms. Hoxhat said
02:57 about the time that information security teams are spending on compliance. It's somewhere
03:04 between 30 and 50 percent, and as you expand the hodgepodge, to use your word, of reporting
03:10 requirements, it only gets more complicated. To your point about the broadness of CIRCIA as it
03:16 currently exists and the uncertainty that surrounds it, taken at its most sort of broad interpretation
03:23 of what is a covered entity and what is a covered incident, we had one of our companies report that
03:29 they thought they would have as many as 65,000 reports between 2022 and 2033. I think the number
03:37 that CISA had said would be somewhere in the 200 to 220,000 total in that time frame. So it seems
03:43 to be off, if that's just one company taking a really broad interpretation, by
03:48 an order of magnitude. This goes to the importance of getting the definitions and the details right
03:53 so that we can get some signal from the noise and so that CISA can ingest the information in a
03:59 meaningful way. Very well, Ms. Hoxhat. Sure, just to add to that, and thank you for the question.
04:04 The challenge of responding to multiple requirements does have a direct impact on security
04:09 because it is diverting the time and attention away from what we all want the cyber professionals to
04:13 be doing, which is defending their networks, kicking out bad actors when there is an incident,
04:17 and focusing on that. Instead, they have to divert time away to basically make sure they're complying
04:22 with different legal obligations. With respect to the definitions and covered entities within
04:28 CIRCIA and the proposed rule, this committee was very thoughtful, and Scott just alluded to it,
04:34 to make sure that the law would be crafted in a way that we get signal from the noise. You wanted
04:40 the incidents that were going to be most impactful so that CISA could very quickly have the capability
04:45 to take that information and turn it back around to share with other entities that could also be
04:50 at risk. The very broad scope with which the proposed rule was put together would put a lot of
04:57 noise out there and make that all the more challenging. For instance, the definition
05:02 would potentially capture operational outages that have nothing to do with a cyber incident,
05:06 and I don't think that that was really what you and the committee had intended in crafting that law.
05:12 Very well, Mr. Meyer, my time's up. Yes, thank you, Congresswoman Clarke. I think that we have
05:20 to deal with the fact that the reporting requirements right now are extraordinarily
05:24 fragmented, and the CIRC itself, the Cyber Incident Reporting Council, at the time in September '23,
05:32 identified 45 different reporting regimes, 22 agencies, I believe. I can only imagine that
05:38 number has increased since then. CISA has indicated that they expect 300,000 entities to be
05:45 responding to these kinds of requests. I can only imagine, in the absence of clear definitions
05:50 around the terms that you folks identified and staying close to the intent, in the absence of
05:57 revising that and refining that and making it operationally practical for companies to respond,
06:05 the system will get overwhelmed. The system in government will get overwhelmed, and the system
06:09 in the operating environment will also get overwhelmed. The critical point here is that
06:14 during a major cyber incident, when we are essentially in a triage mode, we can't take
06:22 people and divert them from their frontline responsibilities to detect the problem,
06:28 remediate it, and respond and recover. So we believe that this particular rule needs to be
06:35 reconstructed to align with your intentions. And if it doesn't, we're going to be doing more,
06:41 as I indicated, it'll create more harm than good. I agree with everyone on the panel, as I said, on the
06:47 answer to the first question. On the second question, I'll just briefly say that on the
06:52 idea of the definition of covered entities, CISA decided to try to narrow the
06:56 scope by the size of the companies, which I think does help
07:01 in terms of removing some of the small and medium-sized businesses that we might not
07:06 want to report. But it doesn't get to the risk issue, right? So you're going to have a lot of
07:11 large companies, very large companies that have a lot of incidents, echoing what we heard
07:18 from others here, that are going to be reporting a lot that is not of the same value as if we did
07:26 it based on some kind of risk feature. Very well. Thank you for your indulgence,
07:29 Mr. Chairman. I yield back.