The new U.S. House of Representatives bill breaks new ground in action and intent. It has received widespread praise from lawmakers and industry participants across the US and will serve as a template for similar legislation in other countries. In the last edition of our Threat Landscape report, Sectrio had noted the gap between the number of reported cyberattacks and the volume of data leaked by hackers on the Dark Web and other forums. This anomaly points to the under-reporting of cyberattacks by businesses for various reasons.
The new bill will mandate infrastructure companies to report a breach within 72 hours of its detection. After years of relying on a mechanism of voluntary disclosure, the new bill makes it mandatory for such companies to share information with the Cybersecurity and Infrastructure Security Agency.
Let us look at some other critical aspects of this bill:
- Proposes the establishment of a Cyber Incident Review Office or the CIR Office inside the Cybersecurity and Infrastructure Security Agency (CISA), within the U.S. Department of Homeland Security (DHS)
- The CIR office will enable the timely sharing of information among critical infrastructure owners and operators and the wider intelligence community
- It brings about a mandatory reporting framework that identifies how and what to report in the aftermath of a cyberattack.
- CISA is the agency mandated to receive reports on breaches. This has been a major source of concern in the past, with many companies handing over breach reports to the Federal Bureau of Investigation in the hope that the report would eventually reach the nodal agency that needs to hear about the breach.
- CISA will get 9 months to prepare the ground for reporting cyber attacks including which companies need to report such attacks, what kind of attacks should be reported, and the format for reporting
- CISA will keep the information shared by the companies confidential. However, the CIR office will be free to publish quarterly unclassified reports that describe aggregated, anonymized observations and recommendations based on the cyber incident reports filed by companies
- Companies get 72 hours to file their reports
- The office of CIR will also work towards identifying opportunities to leverage the data provided to it to strengthen cybersecurity research by academic institutions and organizations in the private sector. This office will also review significant incidents and propose ways to prevent them from occurring in the future
The bill also mandates a broad definition of a cybersecurity incident so that more cyberattacks are covered. Under the bill, for an event to be categorized as a cybersecurity incident, at least one of the following parameters must be met:
- Unauthorized information system or network access that results in loss of confidentiality, availability or integrity of information systems/networks or has an impact on the safety and resiliency of various operational systems and processes.
- Disruption of industrial operations or business due to a DDoS or a ransomware attack, or due to the exploitation of a zero-day vulnerability in information systems or networks
- Unauthorized access or disruption of business or industrial operations due to loss of service enabled by a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or through a supply chain attack.
As per provisions of the bill, if a ‘covered entity’ does not report a cybersecurity incident, the Director of DHS has the power to issue a civil subpoena to the entity. The Director can also conduct an ‘examination’ “to enhance the Agency’s situational awareness of cybersecurity threats across critical infrastructure sectors, in a manner consistent with privacy and civil liberties protections under applicable law”.