
On November 12, AMWA and other water sector associations joined 47 other organizations and companies to ask Congress to leave potentially intrusive regulations out of a final cybersecurity bill that is under development.

Congress is in the process of forming a conference committee to work out the differences among cybersecurity bills passed this year by the House and Senate. The letter AMWA signed focuses on Section 407 of the Senate-passed bill, S. 754, the “Cybersecurity Information Sharing Act” (CISA). As approved by the Senate, Section 407 directs federal agencies to develop cybersecurity assessments and mitigation strategies for high-risk critical infrastructure entities, defined by Executive Order 13636 as those where a cybersecurity incident could reasonably result in catastrophic regional or national effects. While the Department of Homeland Security (DHS) determined in 2013 that no water sector facilities meet this definition, nothing prohibits DHS from reclassifying individual members of the sector in the future.

As reflected in the joint letter, AMWA and the other signers are concerned that Section 407 could give federal agencies “free rein to assess certain businesses’ cybersecurity gaps and develop unilaterally mitigation strategies for each critical infrastructure entity without input from industry.”

Section 407 also directs federal agencies to determine whether the government should establish cybersecurity regulations for these high-risk critical infrastructure entities to reduce the likelihood of cyber incidents.  In the case of the water sector, EPA would be required to report to Congress on the extent to which high-risk entities report cybersecurity incidents to the federal government and whether they should be mandated to report such information.

However, these provisions, as noted in the joint letter, “presume that mandatory reporting of significant cyber intrusions is necessary, which is not the view of the undersigned.” The letter further asserts that mandatory cyber intrusion reporting runs counter to the strong voluntary partnership of information sharing between the private sector and federal government that now exists.

A similar cybersecurity bill approved by the House of Representatives in April (H.R. 1560) did not include an equivalent to the Senate’s Section 407, giving members of the conference committee the option of leaving the provisions out of the final version of the legislation.