- Timely reporting of cyberattacks and other incidents such as ransomware is a critical part of having effective national cybersecurity.
- As part of the March omnibus appropriations law, Congress required operators of critical infrastructure to report significant cyberattacks to the federal government within 72 hours of learning about the attack.
- The Cybersecurity and Infrastructure Security Agency faces bureaucratic obstacles in implementing the law; Congress can provide oversight to ensure it is implemented as written.
Cybersecurity threats continue to be one of the top national security and economic risks facing the country. In the last year and a half, there have been attacks on America’s gas supply, our meat supply, and various other companies, courts, and government agencies.
The Cyber Threat Landscape
A critical component of effective national cybersecurity is timely reporting of incidents, including ransomware attacks. The quicker an incident is reported to authorities and the public, the quicker other potential victims can determine if they also have been attacked and take steps to mitigate the effect or increase their defenses.
Over the years, some private sector victims of breaches and other attacks like ransomware have chosen to share that information with the federal government. Sometimes they have gone to the FBI, other times to the Secret Service or another federal agency, depending on pre-existing relationships and ad-hoc networks. Many companies have chosen not to report breaches, for a variety of legitimate reasons. Companies face significant disincentives to disclose significant cybersecurity incidents publicly – including the potential effect on stock prices and damage to their reputation – and few incentives to disclose.
To help organize this chaotic situation, Congress designated the Cybersecurity and Infrastructure Security Agency as the primary point of contact for victims of cybersecurity attacks to voluntarily and confidentially share that information with the federal government. CISA then works to share “timely and actionable information” with the rest of the government and other organizations.
CISA has increased its level of cybersecurity expertise and improved its approach to working with the private sector. But a voluntary system and a patchwork of other existing requirements – including for finance, health care, and defense contractors – still leave a significant portion of incidents unreported. One FBI cybersecurity official speaking to Bloomberg in February estimated the government only learns about 20% to 25% of intrusions at U.S. business and academic institutions.
Congress Adds Some Defenses
In March, Congress passed legislation requiring operators of critical infrastructure to report significant cyberattacks to CISA within 72 hours of learning about the attack. It also required them to report a ransomware payment within 24 hours. The language, included in the omnibus package, is based on bipartisan legislation developed by Senators Rob Portman and Gary Peters.
CISA Director Jen Easterly hailed the legislation as a “game-changer” and said the information it generates would “fill critical information gaps” and give CISA the “data and visibility” needed “to help better protect critical infrastructure and businesses across the country from the devastating effects of cyber-attacks.”
Following a February hearing on the subject in the Homeland Security and Governmental Affairs Committee, Senator Portman said the legislation will “significantly enhance our nation’s ability to combat ongoing cybersecurity threats against our critical infrastructure and the federal government – particularly in the face of potential cyberattacks sponsored by the Russian government in retaliation for U.S. support of Ukraine.” President Biden has warned U.S. companies and critical infrastructure operators that Russian cyber capabilities are “consequential” and that attacks are coming. On April 20, CISA issued a joint statement with cybersecurity authorities from U.S. allies to “warn organizations that Russia’s invasion of Ukraine could expose organizations both within and beyond the region to increased malicious cyber activity.”
The transition from a culture of voluntary association and partnerships to one of mandated reporting and more of a regulatory role is a significant one for CISA, and the legislation allowed time for the agency to make this shift. CISA has 24 months to publish initial proposed rules and then another 18 months to finalize the regulations. The agency will need to define what qualifies as a “significant” incident, clarify what information must be reported, and determine whether operators will be subject to different requirements based on their industry and risk, or whether there will be one set of requirements across all critical infrastructure sectors.
CISA appears to be facing bureaucratic turf wars from federal agencies and officials looking to protect their previous roles in cybersecurity. Federal Communications Commission Chair Jessica Rosenworcel recently convened a meeting of regulatory agencies with oversight of all sectors of the U.S. economy. She said in a speech that the group’s “chief objective now is to harmonize how private sector industries implement essential cybersecurity controls and how independent and executive branch regulatory agencies can ensure their work advances those efforts.” The Securities and Exchange Commission also recently proposed rules “to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.”
These actions from the FCC and SEC could muddy the waters for businesses and other organizations trying to comply with competing federal reporting requirements. CISA will need support and oversight to ensure the law is implemented as Congress intended. This can include senators demanding regular updates from CISA on the status of its implementation of the law and conducting hearings to ensure the agency is able to accomplish the mission Congress assigned it.