Amid a rush to thwart cyberattacks from foreign spies and criminal hacking groups, President Biden on Tuesday signed into law a requirement for key businesses to report to the government when they have been hacked.
The idea, which languished for a decade on Capitol Hill amid industry pushback, could correct a fundamental problem the U.S. government faces as it fights cybercriminals: No one knows how many companies get hit.
Yet the language of the law leaves unclear what it will require from security teams at businesses and federal civilian agencies, as well as which companies will be affected. That means a lot of the impact will depend on how U.S. officials interpret the legislation. For instance, if the officials take a hard line, the law could prove burdensome for companies in the crucial early hours after discovering a breach, and flood the government with more information than it can handle. But if the officials adopt a loose approach, it could leave security officials with poor visibility of cyber threats and limited information to share with companies about how they should defend themselves.
Extracting useful data
“Reporting breaches or meaningful security events to the government would be hugely beneficial,” says Mr. Farshchi, chief information security officer at credit-reporting firm Equifax. The big question, he says, is whether the government can analyze and share that information “in a beneficial way for us organizations.”
A string of damaging cyberattacks in recent years and, more recently, fears of possible Russia-linked hacks stemming from the war in Ukraine, added to the sense of urgency among U.S. lawmakers and other government officials about getting such legislation to President Biden’s desk this week as part of a broader spending package. “Put plainly, this legislation is a game-changer,” says Jen Easterly, director of the body that will oversee the reporting regime, the Cybersecurity and Infrastructure Security Agency, or CISA, an arm of the Department of Homeland Security.
“We need to know the battlefield,” says Sen. Peters (D., Mich.), co-author of the Senate version of the bill with Sen. (R., Ohio). “We need to know where the bad guys are, what they’re doing, who their targets are, so that we can respond accordingly.”
Congress passed the legislation, which is part of the Strengthening American Cybersecurity Act, after a monthslong lobbying push last year to narrow such bills. Businesses protested earlier proposals that they disclose incidents within 24 hours or face potentially steep penalties. Under the new law, companies that operate critical infrastructure—banks, electric utilities and other organizations key to daily life—will be required to share information with CISA about certain incidents within 72 hours. CISA will analyze and anonymize the data to distribute it throughout the federal government and private sector to help prevent similar attacks elsewhere. Covered organizations will also have to report ransomware payments to CISA within 24 hours of making them. Federal civilian agencies will report incidents to CISA and “major incidents” to Congress or security officials.
Though the new law will allow CISA to subpoena companies and organizations for information, and refer uncooperative entities to the Justice Department for civil actions, the statute doesn’t give CISA power to fine companies for noncompliance. Companies also will have protections from legal liability and regulatory actions—as well as Freedom of Information laws—after reporting information that could potentially reveal lax security practices.
At the same time, the law will give CISA broad leeway to craft regulations that will dictate how many companies need to comply and what information they will have to report.
Open-ended definitions in the law are by design, Sen. Peters says. “We expect that to be worked out by the experts through the rule-making process.”
But for companies, that is also where things get more complicated.
“I don’t think the legislation has made anything clear,” says Patrick Gaul, executive director of the National Technology Security Coalition, a trade group that advocates on corporate security issues.
Mr. Gaul and other lobbyists point to three aspects of the prospective reporting regime that remain unclear and will depend on how CISA interprets them: which organizations are covered, which incidents are covered and when the 72-hour reporting window begins.
In defining covered entities, the law directs CISA to consider consequences to “national security, economic security, or public health and safety” if the company or organization were to be disrupted or compromised. Likelihood of a cyberattack also will be a factor, as well as whether damage “will likely enable the disruption of the reliable operation of critical infrastructure.”
Covered incidents, meanwhile, will include those that lead to “substantial loss of confidentiality, integrity, or availability of such information system or network.” Additional factors, such as “sophistication or novelty” of attack and number of people affected also will be taken into account.
As the law is written, such terms—likely, substantial, sophistication—will be open to CISA’s interpretation during the rule-making process. So, too, will the point at which the 72-hour timeline begins: when “the covered entity reasonably believes that the covered cyber incident has occurred.”
Diagnosing the severity of cyber incidents within hours of spotting suspicious activity can be difficult, says Rinki Sethi, former chief information security officer of
Adding to the complexity, cybersecurity experts warn that incidents that can seem small at first can have widespread impacts. The stance that companies under attack usually take, Ms. Sethi says, is, “We know something has happened. We don’t know the details yet.”
Organizations such as the U.S. Chamber of Commerce say the way the law is written holds the potential for information overload.
“They have a huge tiger by the tail, and they deserve credit for tackling it,” says Christopher Roberti, senior vice president for cyber, intelligence and supply-chain security policy at the Chamber of Commerce. Still, he says, “what we don’t want to have is a requirement that floods the government with tons of chaff instead of wheat.”
Some industry groups have opposed reporting requirements based on fears that divulging information about hacks could invite lawsuits and regulatory scrutiny. But a Russia-linked espionage campaign that was revealed in 2020 gave new momentum for mandatory reporting. The cybersecurity firm Mandiant Inc.—known at the time as FireEye Inc.—voluntarily reported a breach of its systems, leading to an investigation that found federal agencies and U.S. companies had been accessed by hackers through a compromised software update from SolarWinds Corp.
CISA, created four years ago to protect critical infrastructure, has since tried to entice cloud providers and telecom companies, which have wide-ranging visibility of the digital world, to share information about cyber threats voluntarily through a partnership called the Joint Cyber Defense Collaborative. Lobbyists have warned that such relationships could be poisoned if too-strict reporting rules were enacted.
“We want to be careful not to have CISA as a regulator,” says Sen. Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee. “CISA needs to be there as a partner, and one that businesses will actively seek out to get their help, because of the resources that they’re going to provide.”
CISA declined to comment for this article.
‘Good stuff versus noise’
Some corporate lobbyists hope that a federal mandate will be preferable to an emerging patchwork of reporting regulations, such as Transportation and Security Administration rules for pipelines and railways. Those TSA mandates to report to regulators come in addition to state-level laws requiring companies to make public data breaches that affect consumer information.
The success of the law will ultimately depend on how the government uses reported information to defend against future cyberattacks, says Mr. Mandia, chief executive of Mandiant. “It will require, over time, for folks at CISA, as they take in all this reporting, to get their sea legs under them to be able to potentially filter things into high-fidelity, confident, good stuff versus noise,” says Mr. Mandia, whose firm was acquired by Google this month. “Until they do that, they’re telling everybody to do it themselves.”
The law calls for CISA to perform “rapid, confidential” sharing of data with other federal agencies and the private sector, but it stops short of giving CISA a deadline. Justice Department and Federal Bureau of Investigation officials warn that any delay in obtaining information from CISA could hinder their investigations and have called for liability protections that encourage victims to report breaches directly to law enforcement.
Mr. Farshchi, of Equifax, says it would be difficult to set a concrete time frame for when such intelligence would be useful to companies protecting their own computer systems. “Well, since we don’t typically get it, anytime would be cool,” he says.
How We Got Here
Notable cybersecurity incidents and new policies leading up to the hack-reporting law
- Dec. 8: Cybersecurity firm FireEye Inc. (now known as Mandiant Inc.) reports breach by unidentified nation-state hackers. An investigation finds that Russia-linked hackers accessed several federal agencies and dozens of U.S. companies through a compromised software update from SolarWinds Corp.
- Feb. 10: The White House announces the appointment of Anne Neuberger as the first deputy national security adviser for cyber and emerging technologies.
- March 2: Microsoft Corp. warns of a Chinese espionage operation targeting a previously unknown flaw in some versions of its Exchange email software. The flaw puts thousands of global customers at risk of cyberattacks.
- May 7: Colonial Pipeline Co. takes its systems offline after a ransomware attack, disrupting the East Coast’s largest conduit for gasoline and diesel fuel for six days. The company will pay hackers $4.4 million in cryptocurrency to alleviate the damage.
- May 25: The Department of Homeland Security says it will require pipeline operators to report hacks as part of two security directives intended to bolster their cyber defenses. The regulations are the first of their kind outside of the electric-utility sector.
- July 12: Chris Inglis is sworn in as the first national cyber director, a Senate-confirmed position tasked with coordinating the government’s cyber strategy.
- July 21: Senators introduce a bill to require many companies with critical infrastructure to report hacks within 24 hours or else face fines.
- July 28: President Biden directs federal agencies to develop voluntary cybersecurity standards for 16 critical infrastructure sectors, a move seen as a potential prelude to mandatory requirements.
- Sept. 21: The Treasury Department sanctions a Russian-owned cryptocurrency exchange often used by criminal ransomware groups to launder funds, the first such blacklisting.
- Dec. 2: Homeland Security announces regulations that will require nearly all U.S. freight and passenger rail systems to report certain cybersecurity incidents.
- Dec. 9: A flaw in obscure but widely used software known as Log4j sparks a global race to patch a bug that U.S. officials say could affect hundreds of millions of devices.
- Feb. 3: The Biden administration forms a public-private Cyber Safety Review Board, based loosely on the National Transportation Safety Board, to probe cyber incidents.
- March 2: The Senate passes a bill that would require many critical-infrastructure companies to report hacks within 72 hours. Congress folds the legislation into a broader spending package that President Biden will sign into law on March 15.
Mr. Uberti is a Wall Street Journal reporter in New York.
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.