As the Cybersecurity and Infrastructure Security Agency (CISA) continues to grapple with the early stages of a rulemaking process for recently enacted cyber incident reporting legislation, CISA Director Jen Easterly said it will be crucial to develop trust with the private sector so that the law is seen as “value-added” and not a burden.
While it will be tough to say exactly what a successful implementation looks like until the rulemaking process is finished, Easterly said it is important in the meantime to build up that necessary level of trust.
“The most important thing that we can do … to get that incident reporting legislation, so that we see that as value added to the ecosystem and not a burden, is to ensure that we’re developing that trust among our partners,” Easterly said June 8 at the RSA Conference in San Francisco. “As I’ve said several times, trust is hard to build and really easy to lose.”
Easterly said that moves like establishing the Joint Cyber Defense Collaborative (JCDC) are a step in the right direction, but it’s important to move past simple partnerships and towards what she called “true collaboration.”
In order to get closer to true collaboration, Easterly said CISA will be bringing in the private sector and calling on it for help throughout the rulemaking process.
“We won’t know [what success looks like] until we’re actually able to put a final rule in place,” Easterly said. “And that’s why we’re going to be working over the next two years in a consultative process, working with the private sector.”
“And then quite frankly – really important here – harmonizing the regulations that are already in place, or the regulations that are going into place, and making sure that we, again, are not overly burdening the private sector,” she added.
As to the latter point, witnesses before the Senate Homeland Security and Governmental Affairs Committee this week called for just such harmonization among regulations and pathways for reporting to the Federal government.
CISA Executive Director Brandon Wales said he sees an “aggressive pace” on the rulemaking process. However, the process is still expected to take multiple years to complete.
Easterly said the agency should also be putting out a request for information (RFI) to industry to aid in the rulemaking process. She again stressed the desire not to burden either the government or the private sector with unnecessary reporting noise during a cyber incident.
“Getting that common operating picture is, in part, predicated on getting reporting right,” she said. “We have this new legislation on cyber incident reporting that is actually incredibly important to enable us to understand the full bounds of the landscape.”
“Part of it is the data we’re bringing together, but also part of it is the importance of getting the incident reporting regime right, and we’re starting to work with all of the private sector,” she added. “We’re going to put out an RFI … to get that right. Because we want to make sure that we are not burdening CISA with noise and we are not burdening the private sector with providing us noise when they’re trying to deal with an incident under duress.”