With an estimated 85 percent of the nation’s critical infrastructure controlled by private entities – and with many of those failing to practice basic cyber hygiene – witnesses told House lawmakers at a November 4 hearing that the time may be ripe for mandatory cyber incident reporting requirements for critical infrastructure operators.
Rep. Peter DeFazio, D-Ore., chairman of the House Transportation and Infrastructure Committee, noted a recent survey of the transit sector that found 39 percent of those surveyed did not have any staff dedicated to cybersecurity, and that 24 percent provided no cybersecurity training to their staff at all.
He went on to say at the committee hearing that the situation looks even worse in the water sector. A survey published in June found that 42 percent of water and wastewater utilities surveyed said they conducted zero cybersecurity training for their staff, and more than 68 percent said they did not participate in any cybersecurity-related drills or exercises.
What’s more, he said, the FBI has estimated that only 15 percent of cybercrimes are actually reported.
“With the public safety and national economic security [of the] United States at stake, it may be time for voluntary steps by the private sector to give way to mandatory Federal reporting requirements,” Chairman DeFazio said. “We have an administration that’s moving in the right direction. We need to do more.”
Chairman DeFazio proposed two solutions that industry experts testifying at the hearing agreed could work. The first: require mandatory reporting of cyber incidents to the Federal government. And the second: require a designated cyber employee in any critical infrastructure organization.
“I’m very comfortable with mandatory reporting and I’m very comfortable with a designated cybersecurity official,” said Scott Belcher, president and CEO of SFB Consulting, testifying on behalf of Mineta Transportation Institute.
However, Belcher noted he works with many small transit organizations that do not have cybersecurity professionals and are “lucky to have IT professionals.”
“Nevertheless, this is an important issue that is part of something that they have to do. It’s part of an enterprise management issue and I think one of the things that we have to do as we look at managing organizations is to make cybersecurity just part of enterprise management,” Belcher said. “So, identifying somebody – whether it’s an employee or a consultant – that is there and can engage with TSA [Transportation Security Administration] on a 24-hour basis, I think is absolutely essential.”
Michael Stephens, general counsel and executive vice president at Tampa International Airport, agreed that mandatory requirements can work, but they need to be done in the right way.
“While reporting mandates are appropriate, we have to tailor those to make sure that they’re actionable,” Stephens said. “I do believe that if we have mandatory minimum standards, baseline standards, for cyber resilience, a lot of those types of things that are falling through the cracks – reporting, identification, mitigation strategies – will start to be resolved. So, I think that both of those things are things that we need to do, but we need to do them in the right way.”
John Sullivan, chief engineer at the Boston Water and Sewer Commission, testifying on behalf of the Water Information Sharing and Analysis Center (WaterISAC), also agreed that “mandatory can work.”
In the water industry, Sullivan said there have “definitely” been other intrusions similar to the cyberattack against an Oldsmar, Fla. water treatment facility reported earlier this year that the government just doesn’t know about because there is no mandatory reporting.
“There definitely were other problems that had occurred that weren’t reported because they really didn’t need to be or they didn’t realize they were a cyber intrusion,” Sullivan said. “The water sector would definitely work with Congress to help identify what triggers an incident… WaterISAC struggles to get people to report to us what is going on out there so that we can share that information and others can learn from it.”