Following the SolarWinds and Colonial Pipeline incidents, lawmakers introduced draft legislation on cyber incident reporting. Learn how it may affect your organization.
Summer 2021 was marked by efforts to shield U.S. critical infrastructure from cyber intrusions. More specifically, senators and members of congressional committees worked on legislation covering incident reporting, and two long-gestating draft bills were introduced: the Cyber Incident Notification Act of 2021 and the Cyber Incident Reporting for Critical Infrastructure Act of 2021.
Both bills respond to recent cyberattacks on U.S. critical infrastructure, and both would replace today's voluntary incident reporting with a mandatory reporting regime. Below we lay out the main provisions of each draft and what organizations can expect from the eventual legislation.
In July 2021, a bipartisan group of senators introduced a bill cited as the Cyber Incident Notification Act of 2021. The bill would require federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.
On August 27, 2021, the U.S. House Homeland Security Committee released a similar draft bill, the Cyber Incident Reporting for Critical Infrastructure Act of 2021. It would amend the Homeland Security Act of 2002 to establish a Cyber Incident Review Office (CIR Office) within CISA and obligate critical infrastructure owners and operators to report cybersecurity incidents to that office.
Mandatory incident reporting legislation had been in the works for quite a while, but the recent severe attacks on U.S. critical infrastructure companies accelerated government activity in this area.
The two incidents most often cited are the compromise of IT management vendor SolarWinds, disclosed in December 2020, and the ransomware attack on Colonial Pipeline on May 7, 2021. The first turned a trusted software update into a supply-chain compromise that reached thousands of SolarWinds customers, including federal agencies and private companies; the second forced a pipeline shutdown that caused fuel shortages along the Atlantic seaboard. Both became "wake-up calls" for improving national preparedness for cyber incidents.
The bills can also be read as Congress's response to the president's Executive Order on Improving the Nation's Cybersecurity, published on May 12, 2021. The order mandated changes to federal cybersecurity practice, focusing on critical infrastructure owners and the federal software supply chain, and it called for a mandatory mechanism for reporting severe cyber incidents.
Organizations that have already reviewed the draft bills may have more questions than answers, because several requirements are left open. Many will want to know whether they fall into the category of covered organizations, which incidents they would have to report, and what the reporting procedure and timeline would be.
To specify the requirements and procedures for incident reporting, the Director of CISA must publish an interim rule. Among other things, that rule would define which owners and operators of critical infrastructure are "covered entities" and which types of "cybersecurity incidents" trigger a reporting obligation.
The bills target federal agencies, government contractors, and critical infrastructure owners and operators, collectively referred to as covered organizations; the full definition has not yet been written. What is known is that the definition must include "at a minimum, federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services." Until the rule is published, organizations cannot be certain of their status under the future legislation.
The definition of reportable incidents is also vague and requires more precise definitions. According to the Cyber Incident Notification Act of 2021, security incidents that warrant notifications are those that:
The Cyber Incident Reporting for Critical Infrastructure Act of 2021 has a broader definition of “cybersecurity incidents” that are expected to be reportable. Mainly, a reportable cybersecurity incident shall, at a minimum, include one of the following:
Given these broad definitions, critical infrastructure owners and operators and other covered organizations will need to pay close attention to any suspicious activity in their systems, since an incident that looks minor at first may turn out to be reportable.
Under the Cyber Incident Notification Act, covered organizations would report cyber incidents and intrusions directly to CISA. That requirement is straightforward; the Cyber Incident Reporting for Critical Infrastructure Act of 2021 is more involved, because it would establish the CIR Office which, in addition to receiving reports, would have the following responsibilities:
While detailed reporting specifications are still pending, the Cyber Incident Notification Act already sets out minimum reporting requirements. Incident reports are expected to include:
In addition, organizations would be expected to provide any other information that could reasonably help identify the threat actor, including but not limited to Internet Protocol (IP) addresses, domain name system (DNS) information, and samples of malicious software.
Organizations should therefore follow official updates on the incident reporting legislation. The most anticipated are the CISA Director's interim rule, CISA's reporting specifications, and updated NIST guidance on incident reporting, which is expected to cover mandatory incident information sharing and to be published later this year (2021).
Under the Cyber Incident Notification Act, failure to report an incident could attract a civil penalty of up to 0.5% of the organization's prior-year gross revenue or removal from federal contracting schedules. The same bill gives CISA 48 hours to request further information about the incident and respond to the organization's report.
The Cyber Incident Reporting for Critical Infrastructure Act does not specify fines for failing to report. Instead, it authorizes CISA to subpoena an organization that fails to report in order to determine whether the incident falls within the covered category.
To encourage reporting, both bills include liability protections for breached entities. These provisions would shield organizations that report in good faith from lawsuits arising from the disclosure itself, and they extend the protections of the Cybersecurity Information Sharing Act of 2015, including the ability to anonymize personal data in submitted reports.
For more detailed information about cyber incident reporting, consult the Planet 9 team. We'll be happy to assist.