Critical infrastructure companies may soon be subject to tighter cyber incident reporting requirements, as new cybersecurity legislation has passed the Senate and will now go before the House.
Among other terms, the new law would require critical infrastructure owners and civilian federal agencies to report “substantial” cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Additionally, any ransomware payments made would have to be reported within 24 hours.
Cybersecurity legislation approved by Senate
Though the push for stricter cyber incident reporting dates back to 2021, primarily in response to attacks on critical infrastructure such as the Colonial Pipeline and JBS incidents, some senators cited the ongoing conflict in Ukraine as a reason for prioritizing uptake of the cybersecurity legislation. There appears to be at least some belief in the halls of Congress that cyber attacks from the Russian government may be inbound, even though the United States has yet to play any real role in the war.
The Strengthening American Cybersecurity Act combines language from three prior bills that advocate a risk-based approach to cybersecurity. The bill has bipartisan support in both the Senate and House and appears to have improved chances of passing given the current geopolitical conditions; an earlier attempt was scuttled by GOP opposition several months ago.
In addition to the new cyber incident reporting windows, the bill would update the Federal Information Security Management Act (FISMA) to streamline processes involving federal agencies and the civilian offices they work with. FISMA was created in 2002 and last updated in 2014, prior to the trend of large-scale ransomware attacks being specifically aimed at critical infrastructure, hospitals and other vital services (as well as both federal and local government agencies). The bill would make CISA the central coordinating agency for cyber incident reporting and security rollout across the federal government, and would create a number of programs meant to improve communication between agencies.
The final big piece of the new cybersecurity legislation is a beefing up of FedRAMP, the cloud security certification program for civilian agencies. These guidelines would become law and would be applicable to the software supply chains of cloud service providers.
James McQuiggan, Security Awareness Advocate for KnowBe4, shared some thoughts on how realistic the new cyber incident reporting requirements would be for the average impacted organization: “While this will present some challenges to private organizations, it is worth noting that U.S. and Canadian electricity organizations already have to report within 24 hours of an incident as required by the NERC CIP (North American Electric Reliability Committee Critical Infrastructure Protection) standards. However, what is yet to be determined is the specific incidents that organizations will need to report, the timeframe required, in other words, the time from when the organizations classify an event as an incident, and which types of incidents. Regarding ransomware attacks, will it be based on a dollar amount or system impacted amount? CISA has to develop these requirements, but it will require organizations to shift their incident handling procedures to address the new laws set forth.”
New concern about cyber incident reporting sparked by Russia’s invasion of Ukraine
Though there is more support for the cybersecurity legislation due to the Ukraine situation, the House is the true test. There is still a feeling among some members of Congress that the bill might have to be attached to something else to make it through. This was the approach taken with the last attempt, when similar cyber incident reporting terms were added to a defense spending bill.
Tim Erlin, VP of Strategy at Tripwire, sees this as a natural development: “It’s no surprise with recent incidents and an increased threat of cyberattacks that this bill has gained bipartisan support. The requirements included, which go beyond just reporting incidents, are largely common sense measures to protect organizations. Still, the scope of this legislation is limited to civilian federal agencies and critical infrastructure. The vast majority of commercial organizations won’t be directly impacted. Making progress on cybersecurity has been a clear objective for the administration, and the passage of this legislation in the Senate is evidence of that progress.”
The move would also continue the expansion of CISA’s power. Only just founded in late 2018, CISA is increasingly becoming the lead federal agency on cyber issues and the first line of defense against threats. It has even edged toward a regulatory role, via expansion of its power by the Biden administration in the wake of the high-profile 2021 attacks, but Director Jen Easterly has said that she does not want to see the agency’s mission shift to that of a regulator. One of the recent big changes for the agency has been the power to actively hunt for threats on federal networks, making it the point group on active defense in addition to bringing together federal agencies and standardizing their reporting and security processes.
However, not everyone in the federal government is thrilled with the ascension of CISA. There was some pushback to the new cybersecurity legislation from senior officials at the Department of Justice (DOJ), who expressed concern that the FBI was being cut out of the process. Officials argue that cyber incident reporting requirements should also loop in the nation’s primary domestic law enforcement agency. FBI Director Christopher Wray also criticized some particulars of the cybersecurity legislation and characterized it as making the public “less safe”, saying that it would make it harder to identify victims in cases where multiple companies are targeted by the same actor and that it would also slow aid to victims. Some of the senators that supported the cyber incident reporting bill said that the FBI and DOJ had been consulted throughout the legislative process and that their concerns were addressed in the final copy.
This jockeying over cybersecurity legislation comes as the prospect of cyber war looms, even if the US is not directly involved in the Ukraine conflict. Russia has expressed a willingness to retaliate against countries that provide material support, and it is still not clear exactly where that line is. A ransomware attack that hit a major Toyota parts supplier (forcing the company to halt all operations) has not been attributed, but there has been some speculation that it was a form of retaliation due to Japan’s participation in sanctions that drove Russia out of the SWIFT banking system.