Cyberattack Reporting Policies Need to Be ‘Carefully Crafted’: ITI
New global “policy regimes” embracing cybersecurity incident reporting are a “potentially appropriate tool to provide greater visibility” into cyberattacks -- if “carefully crafted,” said the Information Technology Industry Council Monday. It urged policymakers to heed new recommendations “on limiting incident…
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
reporting to confirmed or verified incidents.” ITI asked security authorities to craft policies that “allow for at least a 72-hour reporting window after an entity has verified an incident” and to limit incident reporting “to confirmed or verified incidents.” Effective reporting regimes also need to “establish or maintain appropriate liability protections and ensure information provided is exempt from public disclosure,” said ITI. It seeks measures that “ensure confidentiality and appropriate protections around sensitive information shared with or by competent authorities within the government, including against regulatory use.” Senate Homeland Security Committee Chairman Gary Peters, D-Mich., hopes soon to introduce bipartisan legislation that would require critical infrastructure owners and operators to report “significant” cyberattacks (see 2109230065).