The debate on requiring cyber incident reporting for organizations is one that has continued for years.
On one hand, requiring organizations to report incidents can improve everyone's ability to detect and defend against cyberattacks. On the other hand, executives will be required to make information public that could result in backlash for the organization.
While it will continue to be a hotly contested debate in the private sector, the United States House and Senate recently passed a bill that will require critical infrastructure owners and operators to report cyber incidents to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovering the incident. Organizations will have 24 hours to report a ransomware payment.
CISA Director Jen Easterly released the following statement after the bill passed:
"As the nation's cyber defense agency, CISA applauds the passage of cyber incident reporting legislation. Thanks to the support of our many partners in Congress, CISA will have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyber-attacks.
CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. CISA is committed to working collaboratively and transparently with our industry and federal government partners in order to enhance the security and resilience of our nation's networks and critical infrastructure.
Put plainly, this legislation is a game-changer. Today marks a critical step forward in the collective cybersecurity of our nation.
We are also grateful to Congress for the unprecedented level of funding provided for CISA in the Fiscal Year 2022 Omnibus. This investment represents a recognition of the importance of our mission and the confidence of the Congress in our ability to defend our nation’s networks and critical infrastructure."
While the new legislation will have an immediate impact on critical infrastructure organizations, it will take some time for the private sector to realize the benefits.
As these organizations realize they have experienced some kind of incident and report to CISA, CISA will be taking notes and relaying everything they learn to all types of organizations.
Jasmine Henry, Field Security Director at JupiterOne, discusses the benefits of this act:
"The idea of clear responsibility to promptly report cyber incidents is positive. I also view potential downstream impacts as a positive, since the government will be required to release anonymized data on reported critical infrastructure incidents that create threat landscape visibility for everyone.
A 72-hour deadline for incident reporting is an extraordinarily fast timeline for many organizations in any sector, especially given the current state of incident preparedness. Complex investigations take time and there is a significant shortage of skilled employees who can lead response and recovery.
While none of us can predict the future, it is clear that a capacity for learning from incidents is an increasingly vital business function. Critical infrastructure, as well as organizations in other industries, should be aggressive about building an internal capacity for continuous detection, investigation, and response. The future of cyber preparedness is real-time, not investigations which occur days or months after an incident."
Davis McCarthy, Principal Security Researcher at Valtix, echoes a similar sentiment:
"Data published by CISA has increasingly found its way into the daily security operations for the enterprise. The presumed data generated by the new Cyber Incident Reporting for the Critical Infrastructure Act will only improve how CISA advises the public on mitigating emerging threats. More threat intelligence means whole industries can harden against a threat actor's tactics, reducing the effectiveness of their campaign. More and more ransomware operators are advertising payment for corporate user accounts—when the threat actors raise the bar like this, collaboration is an easy win for the defenders."
The legislation now heads to the desk of President Joe Biden, who is expected to approve and sign it.