As discussed in our previous blog post, the Cybersecurity and Infrastructure Security Agency (CISA) is proposing a significant new rule to bolster the nation’s cyber defenses through mandatory incident reporting. While designed to enhance CISA’s ability to monitor and respond to cyber threats, the rule has ignited a contentious debate. The concerns raised highlight the delicate balance between strengthening national security and avoiding undue burdens on businesses.
Broad Concerns and Overreporting Fears
A key concern across various industries is that the rule’s broad scope could capture over 300,000 entities, many not traditionally considered critical infrastructure. This could lead to overreporting, overwhelming CISA with low-value data, and potentially diverting resources from addressing significant threats. Critics, including Sen. Gary Peters, advocate for a more targeted approach, focusing on incidents with genuine national security implications.
Furthermore, the existing patchwork of over 50 federal breach reporting rules across various agencies raises concerns about redundancy and increased compliance burdens for businesses. The proposed rule could add another layer of complexity without necessarily enhancing cybersecurity outcomes.
Manufacturing Sector’s Alarm Bells
The National Association of Manufacturers (NAM) is particularly worried about the rule’s potential impact on its members. The NAM argues that the broad definition of “covered entities” could ensnare numerous manufacturers operating outside traditional critical infrastructure, burdening them with complex and costly reporting requirements they may not be equipped to handle. The NAM also criticizes the expansive definition of reportable incidents, advocating for a more targeted approach focused on incidents that genuinely impact critical infrastructure and national security.
Healthcare’s Unique Challenges
Healthcare and hospital groups raise unique concerns due to their sector’s interconnected nature. They argue for the inclusion of insurers and third-party vendors under the rule, because excluding key entities such as health IT providers and labs could lead to significant disruptions if those entities are targeted by cyberattacks. The strict 24- and 72-hour reporting deadlines are also a concern, as they could divert resources from patient care during a crisis and impose financial burdens on under-resourced hospitals and providers. These groups have requested financial support and technical assistance to help them comply with the new requirements without compromising patient care.
Finding a Middle Ground
To address these concerns, several recommendations have been proposed:
- Reconsider the Scope – Focus on the entities and reportable incidents with a significant impact on critical infrastructure and national security.
- Streamline Reporting – Develop a unified reporting mechanism that harmonizes with existing regulations.
- Provide Support – Offer technical and financial assistance to smaller entities.
- Clarify Definitions – Clearly define key terms to prevent overreporting and ensure consistent interpretation.
- Flexibility – Tailor reporting requirements to specific industry needs, such as healthcare’s need for immediate incident response.
Balancing Security and Practicality
The debate surrounding CISA’s proposed rule underscores the challenge of balancing robust cybersecurity measures with practical, feasible compliance for businesses. Open dialogue and collaboration between CISA and industry stakeholders are crucial to finding a middle ground that strengthens national security without imposing undue burdens. By addressing industry concerns and refining the rule, CISA can create a framework that effectively protects critical infrastructure while fostering a collaborative approach to cybersecurity.
For more information and other updates regarding privacy law developments, subscribe to Bradley’s privacy blog Online and On Point or reach out to one of our authors.