The long, bumpy road to cyber incident reporting legislation — and the one still ahead
President Joe Biden last week signed into law some of the most celebrated cybersecurity legislation Congress has passed yet — but it didn’t end up looking like what everyone wanted, and there’s a long way to go from his signature to a final regulation.
The law requires critical infrastructure owners and operators to report to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours when they’ve suffered a major hack. It requires those same owners and operators to report a ransomware payment within 24 hours.
It crossed the president’s desk after nearly two years of work, triggered by the late-2020 revelations about the SolarWinds hack that led to other companies and federal agencies suffering compromises. The earliest proposal, from Senate Intelligence Chair Mark Warner, D-Va., was more aggressive in how quickly companies needed to report major incidents — 24 hours — as well as who had to comply and what happened to companies if they failed to do so.
Still, the final product is almost universally hailed as a success by security experts and even industry groups who had opposed the stricter elements of the Warner legislation.
“We have to make some sort of progress, right? No one’s ever going to agree completely,” said Jay Kaplan, CEO and co-founder of security company Synack and a former Defense Department and National Security Agency official. “And you’ve got to start somewhere, and then you react and you change over time once you start seeing how it rolls out.”
The nearest comparison to the legislation is a 2015 law that provided liability protections to companies who shared cyberthreat information with DHS, then-hailed as the biggest cybersecurity legislation Congress had passed but widely viewed as disappointing since. That law sprung from a larger package that Congress failed to enact in 2011.
“When we did the legislative push in 2011 — and we all have battle scars from that — even though it was regulation-light, it was still perceived by industry to be hardcore and that’s why they went after it with some very long knives and very sharp spears,” said Megan Stifel, who served as cyber policy director at the Justice Department’s National Security Division at the time. “So we’re now in a place where what we need to do is work with industry.”
Parts of the law are unpopular in a key corner of the Biden administration. Justice Department officials expressed concern that they won’t receive incident reports at the same time CISA does. They also said the way the law is written might hinder rapid cybercrime investigations and law enforcement actions.
And many of the specifics about how the law will work in practice have yet to be decided, such as the definition of a “significant incident” that triggers the mandate for a company to disclose it to CISA. Those issues might not be settled until late 2024, under the timeline the bill sets for DHS to fully implement the law.
“We should have been doing this six years ago,” said Paul Rosenzweig, the principal of Red Branch Consulting, a senior fellow in tech, law and security at American University and a former senior DHS official. “We are where are. I’m glad we finally have something on the books, and we’ll have to see how it works out.”
The final version of the legislation, chiefly sponsored by Senate Homeland Security and Governmental Affairs Committee Chair Gary Peters, D-Mich., requires relevant companies and agencies to report incidents to CISA within 72 hours after they “reasonably believe” to have been hit by one.
Stifel, now chief strategy officer for the Institute for Security and Technology, said that timeframe was likely to “piss off the incident response community” who want information as quickly as possible to stop the spread of an attack. And Kaplan said that after a company knows it’s been hit, “at that point, I see no reason why it can’t be faster.”
Others fear that 72 hours might still be too quick a timeline. It’s “a little bit unrealistic” for companies to have all the information CISA wants within 72 hours, said Kellen Dwyer, a former senior DOJ official and currently the co-leader of Alston & Bird’s national security and digital crimes practice. That includes information about the tactics used by the attackers, details about the impact on the target, the vulnerabilities exploited in the attack, date ranges of the attack and much more. Companies may provide preliminary responses and follow up later, he said.
Industry groups testified before Congress last year in support of a 72-hour window for reporting, and they were ultimately happy with how that issue shook out. Some contended that an earlier deadline would lead to them flooding CISA with information that hadn’t been vetted well enough and might therefore end up being useless.
A Peters aide said the thinking on a 72-hour timeframe was to give victims time to deal with the difficulty of mitigating the damage done by the cyberattack without adding additional burdens.
“I thought it was more important to get this through than to have that specific 24-hour timeframe,” said Suzanne Spaulding, a former top DHS cyber official who watched the bill’s progress as a member of the Cyberspace Solarium Commission. “There are clearly pros and cons to having a 24-hour timeframe. So my sense is that that’s a fine resolution.”
Warner’s version of the bill would have imposed fines on companies that didn’t comply with disclosure requirements. The final version grants CISA subpoena authority to require disclosure from companies about a suspected cyber incident. “An example would be when hackers publicize a data breach before a company has had a chance to disclose it.” CISA Director Jen Easterly originally argued for fines over subpoena authority.
“My personal view is that is not an agile enough mechanism to allow us to get the information that we need to share it as rapidly as possible to prevent other potential victims from threat actors,” Easterly said of subpoenas in September.
CISA might have a hard time even figuring out whom to subpoena in such cases. But the mere existence of subpoena power, even if CISA rarely uses it, could give the agency leverage.
“I think it will be a challenge but I am a big believer that things eventually do come out,” said Spaulding, now senior adviser for homeland security at the Center for Strategic and International Studies. “If you’ve established a law that imposes a requirement, and norm begins to develop around that. I think you get more insider reporting, get more whistleblowers, because there’s a clear standard and violation of that standard.”
The Peters aide said Congress wanted to make sure CISA maintained a partnership with the private sector, fearing that fines could damage the relationship. In the worst-case scenario, CISA could push civil lawsuits for companies that fail to comply with subpoenas and possibly contempt of court charges.
In the weeks before the bill was signed, U.S. Deputy Attorney General Lisa Monaco told Politico that the bill, as drafted, “leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats.” FBI Director Christopher Wray echoed that comment, saying that the bill’s provisions would slow down FBI’s ability to respond to cyberattacks.
At issue is a provision in the bill that precludes the use of any incident information from being used in “any trial, hearing, or other proceeding in or before any court” at the federal or local level. That, paired with a provision that grants liability to companies who report incidents to DHS, could change the way some companies approach reporting cyber incidents to the federal government, according to some observers.
“If it came to pass, it would certainly hamper FBI’s work,” said Dwyer, the former prosecutor and DOJ official. FBI agents and targeted organizations benefit from a prompt federal response to cyber incidents, DOJ officials have said in multiple public statements dating to last summer’s ransomware attack on Colonial Pipeline. In that case the federal government was able to seize $2.3 million in cryptocurrency from the hackers behind the attack after getting approval from a federal judge in California.
“If those channels of information were cut off, that would be a significant concern for the bureau,” Dwyer said. He added that companies may still choose to go to the FBI for a variety of reasons, including to learn intelligence on the attackers and the public relations value of being able to say they contacted the FBI.
Dwyer said it’s not clear that the problem could be fixed in the rulemaking process “at least without being very creative,” so a legislative fix might be in order.
In a statement provided to CyberScoop, a DOJ spokesperson said “we appreciate our partners at CISA working with us on implementation of this new law to ensure incident reports are shared with the FBI and law enforcement immediately, and we look forward to continued work with Congress to ensure that law enforcement has the tools it needs to protect victims, recover ransoms, and bring cybercriminals to justice.”
The Peters aide said there were no legislative plans to revisit the issue. Peters defended his approach Wednesday.
“CISA will share information appropriately with other federal agencies, which certainly will include the FBI and Department of Justice,” he said an Information Technology Industry Council event.
Warner’s earlier legislation was more expansive on who would have to report incidents to CISA, including more entities like federal contractors and cyber incident response firms. In the end, lawmakers settled on just critical infrastructure owners and operators.
The bill left other questions to DHS to decide. The department will settle them during a rulemaking process that would begin with the agency proposing a rule within 24 months and finalizing it no later than 18 months after that.
One is the precise definition of a “significant cyber incident.” The legislation says that DHS must determine what qualifies as an incident “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.”
Spaulding said that will be a very important part of the regulation.
“If you are covering a smaller set of entities where a breach would presumably present a very high risk to the nation, you might want to be notified even of things that might otherwise be considered somewhat less significant,” she said. “Whereas if you’re really covering a wide swath of critical infrastructure, you could imagine different requirements, depending on your risk category.”
Many both inside and outside of industry are eager to see how DHS resolves any potential conflict with other federal agencies’ cyber incident reporting requirements, which have proliferated since the SolarWinds breach. A banking industry source and oil and natural gas source identified that as one of the key aspects of the rulemaking process.
Megan Brown, a partner at Wiley Rein and a former senior DOJ official, said her firm is already fielding questions about potentially conflicting disclosure requirements, and said DHS’s job in working this all out is “going to be a big lift.” She added that the “laundry list” of information required as part of the disclosures could force companies to add lawyers and other staff to ensure accuracy.
“If you have a bunch of lawyers chewing on the accuracy of a disclosure, or a report, that’s not an efficient use of resources and it may not help the government get what it wants,” said Brown, a senior fellow at George Mason University’s National Security Institute. “They’re kind of like the dog that caught the car, and now they’ve got to figure this out.”
Such questions might not be settled for some time. To some, that’s a problem. To others, it’s appropriate.
“Issuing cybersecurity incident reporting rules should not take 3.5 years,” Jonathan Mayer, an assistant professor at Princeton University and former tech adviser to then-Sen. Kamala Harris, wrote to CyberScoop. Timely action is key, he said, “both for national security and because the rulemaking might pause further legislation.” That said, “Congress is imposing deadlines and not waiting periods — CISA has been thinking about these issues for years, and it has the incentives and capacity to move faster.”
Said a spokesperson for the American Gas Association: “A two-year window for a notice of proposed rulemaking and an 18 month window afterward for a final rule properly recognizes the complexity of incident reporting from incident recognition, to the act of sharing and the legal protections that surround it, to utilizing threat data for everyone’s benefit.”
The Peters aide explained the thinking from the Hill.
“This is the first comprehensive requirement for all sectors of critical infrastructure to report incidents and ransomware payments,” the aide said. “It’s going to take a while to write this rule for a policy of historical magnitude,” and give private sector groups time have weigh in on it.
Kiersten Todt, chief of staff at CISA, said the agency got an early start on handling the reporting requirements even before the bill was signed into law. For example, the agency set up a reporting email, firstname.lastname@example.org.
“We’re not going to wait for the rulemaking to not move forward,” Todt said at an event hosted Tuesday by security company NeoSystems. “The point is that we’re ready. We’re working with the FBI and our partners to move forward.”