“This pipeline reporting directive is just the beginning of mandated reporting and other actions. Also, future requirements will not be limited to pipeline (or even energy/transportation) companies; rather, all critical infrastructure protection owners and operators should be aware that your turn may be coming.”
Fast-forward to late September, and a bipartisan group of U.S. Senators have introduced a bill requiring some critical groups to report cybersecurity incidents.
Here’s an excerpt of an article from The Hill:
“Leaders of the Senate Intelligence Committee and other bipartisan lawmakers on Wednesday formally introduced legislation requiring federal contractors and critical infrastructure groups to report attempted breaches following months of escalating cyberattacks.
“The Cyber Incident Notification Act would require federal agencies, government contractors and groups considered critical to national security — such as hospitals, utilities, financial services and information technology groups — to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
“The bill would grant liability protections to groups that report breaches, along with anonymizing personal information of the companies involved in the incidents in order to encourage reporting.”
CNN reported “Senators introduce cyber bill to mandate reporting on ransomware and critical infrastructure attacks”:
“If enacted, the bill will create the first national requirement for critical infrastructure entities to report when their systems have been breached.
“Homeland Security and Governmental Affairs Chairman Gary Peters, Democrat of Michigan, and ranking member Sen. Rob Portman, Republican of Ohio, introduced the bill less than a week after several members of the Biden administration expressed public support during congressional testimony for such requirements.
“The legislation would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency within 72 hours if they are experiencing cyberattacks. Nonprofits, businesses with more than 50 employees, and state and local governments would be required to notify the federal government within 24 hours if they make ransom payments. …”
Route Fifty reported:
“Similar cyber notification measures were included in the National Defense Authorization Act, which the House approved last week. The measure would create a new Cyber Incident Review Office and direct CISA to establish requirements and procedures for covered critical infrastructure owners and operators to report cybersecurity incidents.
“While the consensus is that more information about cyberattacks needs to be shared, lawmakers are still working to find the best way to mandate cyber incident reports to ensure CISA gets helpful and timely information.”
BILL DETAILS
The details of the bill can be found here. Here are two sections worth a lot of attention and consideration:
“(g) PROTECTION FROM LIABILITY.—No cause of action shall lie or be maintained in any court by any person or entity, other than the Federal Government pursuant to subsection (h) or any applicable law, against any covered entity due to the submission by that person or entity of a cybersecurity notification to the Agency through the Cyber Intrusion Reporting System, in conformance with this subtitle and the rules promulgated under subsection (d), and any such action shall be promptly dismissed.
“(h) ENFORCEMENT. (1) IN GENERAL.—If, on the basis of any information, the Director determines that a covered entity has violated, or is in violation of, the requirements of this subtitle, including rules promulgated ALB21B95 K29 S.L.C. under this subtitle, the Director may assess a civil penalty not to exceed 0.5 percent of the entity’s gross revenue from the prior year for each day the violation continued or continues.”
FINAL THOUGHTS
There is no doubt that penalties of 0.5 percent of gross revenue will get the attention of critical infrastructure owners and operators. Nevertheless, it seems a bit harsh to penalize the victim companies in this way.
As I included in that May blog from Mike Russo PMP, CISSP, CISA, CFE, CGEIT, director of information security and privacy, CISO/CPO, retired at Florida State University: “This will be a tough one for companies. States have similar laws, and my experience tells me that companies for the most part tend to only report when someone spills the beans or when it's catastrophic. I hope the Feds actually define what cybersecurity incidents they want reported. They could end up with thousands a day to none at all. This could be very confusing to companies. Good luck.”
Still, it seems likely that mandatory reporting will be enacted soon. Government agencies should get ready for this new normal in the next year, with detailed procedures likely coming.
