In May, I wrote a blog post asking the question, “Are DHS pipeline violation reporting warrants just the start?” This is what I said:
“This pipeline reporting directive is just the start of mandatory reporting and other actions. In addition, future requirements will not be limited to pipeline (or even energy / transmission) companies; rather, all critical infrastructure owners and operators should be aware that your turn may come.”
Fast forward to the end of September, and a bipartisan group of U.S. senators introduced a bill requiring certain critical groups to report cybersecurity incidents.
Here is an excerpt from an article by The Hill:
“Senate Intelligence Committee leaders and other bipartisan lawmakers formally introduced legislation Wednesday requiring federal contractors and critical infrastructure groups to report attempted breaches after months of escalating cyber attacks.
“The Cyber Incident Notification Act would require federal agencies, government contractors, and groups deemed essential to national security – such as hospitals, utilities, financial services, and IT groups – to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
“The bill would provide accountability protections for groups that report violations, as well as anonymizing the personal information of companies involved in incidents to encourage reporting.”
CNN reported “Senators Introduce Cyber Bill to Mandate Reporting of Ransomware and Critical Infrastructure Attacks”:
“If enacted, the bill will create the first national requirement for critical infrastructure entities to report when their systems have been breached.
“Homeland Security and Government Affairs President Gary Peters, Democrat of Michigan, and Sen. Rob Portman, Republican of Ohio, introduced the bill less than a week after several members of the Biden administration expressed public support during testimony in Congress for such demands.
“The legislation would require owners and operators of critical infrastructure to report to the Cybersecurity and Infrastructure Security Agency within 72 hours if they experience cyber attacks. Nonprofits, businesses with more than 50 employees, and state and local governments would be required to notify the federal government within 24 hours if they pay a ransom. …”
Route Fifty reported:
“Similar cyber-notification measures were included in the National Defense Authorization Act, which the House approved last week. The measure would create a new Cyber Incident Review Office and require CISA to establish requirements and procedures for owners and operators of covered critical infrastructure to report cybersecurity incidents.
“While the consensus is that more information on cyber attacks needs to be shared, lawmakers are still struggling to find the best way to make cyber incident reporting mandatory to ensure that CISA obtains useful and timely information.”
Details of the bill can be found here. Here are two sections that deserve a lot of attention and consideration:
“(G) PROTECTION AGAINST LIABILITY. — No cause of action may be invoked or maintained in court by any person or entity, other than the Federal Government in accordance with paragraph (h) or any applicable law, against any covered entity due to the submission by that person or entity of a cybersecurity notification to the Agency through the Computer Intrusion Reporting System, in accordance with this Subtitle and the rules promulgated under the Subtitle section (d), and any such action should be promptly rejected.
“(H) EXECUTION. (1) IN GENERAL. — If, on the basis of any information, the Director determines that a covered entity has violated or is in violation of the requirements of this subheading, including the rules promulgated under this sub- As such, the Director may impose a civil penalty not exceeding 0.5% of the entity’s gross sales for the previous year for each day that the violation continued or is continuing.”
There is no doubt that penalties of 0.5% of gross revenue will attract the attention of owners and operators of critical infrastructure. Nevertheless, it seems a little harsh to penalize the victim companies in this way.
As I quoted in that May blog post, from Mike Russo, PMP, CISSP, CISA, CFE, CGEIT, Director of Information Security and Privacy, CISO / CPO, retired from Florida State University: “This will be difficult for businesses. States have similar laws, and my experience tells me that most companies tend to only report when someone spills the beans or when it’s catastrophic. I hope the federal authorities will actually define the cybersecurity incidents they wish to report. They could end up with thousands a day, if any. It can be very confusing for businesses. Good luck.”
Nevertheless, it seems likely that mandatory reporting will soon be adopted. Government agencies are expected to prepare for this new normal within the next year, with detailed procedures to come.