Welcome to The Cybersecurity 202! This must be a particularly French way to protest.
Below: Apple’s sorry about long waits on bug reports and California is the latest state to offer mail voting by default.
Companies fear overbearing cybersecurity regulations
The tech industry association ITI laid out a softer vision yesterday of how companies should have to report cyberattacks to the federal government.
Its goal: to rein in a bipartisan congressional effort to require companies to alert the government when they’re hacked, which would amount to one of the most significant increases in cybersecurity requirements for industry in years.
The various pieces of legislation share a primary goal: To give the Cybersecurity and Infrastructure Security Agency (CISA), which would receive the reports, better insights about a wave of blistering cyberattacks that have hit critical industry sectors and U.S. government agencies in recent months. CISA would share information from those reports back to industry to help better protect them against future hacks.
There are two versions of the bills and at least one more in the works. They vary widely, however, in the sorts of cyber incidents companies would have to report to CISA and how quickly the reports would have to come in.
ITI laid down a marker yesterday for less onerous requirements. The group, which represents Amazon, Google and a slew of other top companies, is pushing for:
- Only reporting incidents in which companies have verified hackers breached their networks.
- Giving at least a 72-hour window before those reports must come in.
The list of recommendations is a frontal assault on the first Senate bill, which was sponsored by Intelligence Committee Chairman Mark Warner (D-Va.) and the committee’s top Republican, Marco Rubio (Fla.), among others. That bill called for reports within 24 hours and would require companies to make such reports even if they aren’t sure hackers actually penetrated their…