It appears that the United States may soon have a requirement for critical cyber infrastructure owners and operators to report “cyber incidents.” Amazingly, for many of these companies, such as those in the information technology and transportation sectors, there is currently no legal requirement to inform the U.S. government when they have been penetrated or breached successfully or been subject to a serious attempt. Recently, the House of Representatives included in its annual defense policy package a bill that would require selected critical cyber infrastructure owners and operators to report some cyber incidents to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). CISA would then distribute this information throughout the U.S. government and critical cyber sectors. It is quite likely the Senate will add its own cyber incident bill to its version of the National Defense Authorization Act (NDAA). Two Senate bills would institute basically the same structure and requirements, but there is a key difference fueling a dispute among the sponsors: how quickly must these reports be made?
The Cyber Incident Notification Act, which comes out of the Senate Select Committee on Intelligence, would require reporting to CISA 24 hours after an actual or potential intrusion is confirmed. The Cyber Incident Reporting Act, which comes out of the Senate Committee on Homeland Security and Governmental Affairs, would set the timeline for reporting at 72 hours. This is a matter of critical importance, for the sooner CISA receives this information, the sooner it can inform other entities so they can begin scouring their networks for similar attacks. Given the attack vectors used in the hacks uncovered earlier this year (i.e., such as the supply chain hacks executed via SolarWinds, Microsoft Exchange, and Accellion), time is of the essence in these situations.
When Congress and other policymakers conducted post-mortems after the SolarWinds, Microsoft Exchange, and Accellion supply chain hacks, there was understandable worry that many private sector entities could be compromised, discover the compromise, and have no legal obligation to inform the U.S. government. This is not true across the critical cyber sectors; certain contractors with the Department of Defense (DOD) and many electric and nuclear utility companies have legal obligations to report some types of cyber incidents. Nonetheless, most of what is deemed critical cyber infrastructure does not, and this poses a grave problem for the cybersecurity of the United States. And so, the notion that entities running critical cyber infrastructure should be required to report a compromise or breach has gained momentum in Congress.
72-Hour Incident Reporting Legislation in the House
The Cyber Incident Reporting for Critical Infrastructure Act of 2021 (H.R.5440) was added recently to the NDAA for Fiscal Year 2022 (H.R.4350) during debate in the House, and the package was sent to the Senate by a 316-113 vote.
The House bill would establish a new office at CISA that would receive cyber incident notifications that owners and operators of critical infrastructure would be required to submit. The bipartisan legislation was introduced late in the summer by the Chair and Ranking Member of the House Committee on Homeland Security (Representatives Bennie Thompson (D-MS) and John Katko (R-NY)), along with the Chair and Ranking Member of the Committee’s Subcommittee on Cybersecurity, Infrastructure, and Innovation (Representatives Yvette Clark (D-NY) and Andrew Gabarino (R-NY)). The bill requires CISA to conduct a rulemaking process to set the salient parameters of the new reporting program, but in doing so, “in no case may [CISA] require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred.”
At a September 1 hearing, the Subcommittee on Cybersecurity, Infrastructure, and Innovation heard from industry witnesses who argued for a longer timeline in making mandated reports. For example, FireEye Mandiant Vice President and Government CTO Ronald Bushar asserted in his written testimony:
Victims require support from external firms to fully analyze a breach and will likely be dealing with other business impacts and crisis management activities. Allowing for a reasonable amount of time to properly assess the situation before requiring reporting will limit false positives, redundant or contradictory information and prevent unnecessary data collection.
Similarly, the Bank Policy Institute’s (BPI) Heather Hogsett specifically endorsed the 72-hour window:
The bill’s reporting requirement of no earlier than 72 hours after confirmation an incident has occurred, strikes an important balance between allowing an affected entity to implement immediate response measures while ensuring CISA receives timely, useful and accurate information.
Hogsett went on to argue “[o]ther approaches that would require reporting within 24 hours would distract from critical work in the early stages of a response and result in reports that were premature and likely erroneous.”
24-Hour and 72-Hour Incident Reporting Legislation in the Senate
Senate Intelligence Committee Chair Mark Warner (D-VA), Ranking Member Marco Rubio (R-FL), and Senator Susan Collins (R-ME) introduced the Cyber Incident Notification Act of 2021 (S.2407) in late July. The bill sets generally a 24-hour deadline for covered critical cyber infrastructure owners and operators “after the confirmation of a cybersecurity intrusion or potential cybersecurity intrusion.” If an otherwise covered entity is subject to a law, regulation, or contract requiring notification of cyber incidents in less than 24 hours, the bill stipulates that timeline shall control. The concept of requiring the reporting of cyber incidents is is not new, and a bill co-sponsored by Sen. Collins in 2010 would have instituted a mandatory reporting requirement albeit without a 24-hour deadline.
The 24-hour timeline has been blessed by the head of the agency that would receive these reports, CISA Director Jen Easterly. At a September 23 hearing, Easterly said in her written testimony, “cyber incident reporting must be timely, ideally within 24 hours of detection.” It also bears some note that she used the word “detection” and not confirmation as some of these bills do. She apparently would like covered entities to report when they detect an incident, which is earlier in the lifecycle of a breach than confirmation. It seems unlikely a final bill would grant Easterly’s request.
Easterly’s position may well reflect the Biden administration’s current thinking. Given the review process testimony must go through under Office of Management and Budget Circular A-19, Easterly’s position has been reviewed at the highest levels of DHS and in the White House and, at the very least, implicitly approved. This may reflect a preference rather than a hardline position by the administration, but it is certainly a reflection of Easterly and her team’s considered view. It is likely, however, that the White House would accept a bill that requires reporting within 72 hours rather than insist on 24 hours at the risk of no legislation.
Senate Committee on Homeland Security and Governmental Affairs Chair Gary Peters (D-MI) and Ranking Member Rob Portman (R-OH) introduced their long-awaited Cyber Incident Reporting Act (S.2875) in late September, which was marked up on October 6. As introduced, the bill sets a 72-hour timeline for cyber incident reporting. Specifically, it provides: “A covered entity shall report a covered cyber incident to [CISA] not later than 72 hours after the covered entity reasonably believes that a covered cyber incident has occurred.” This provision appears not to have been changed in mark up (see, here and here.)
Incidentally, it bears mention that the Peters-Portman bill requires many entities that make ransomware payments to report these payments to CISA within 24 hours:
An entity, including a covered entity and except for an individual or a small business, that makes a ransom payment as the result of a ransomware attack against the entity shall report the payment to [CISA] not later than 24 hours after the ransom payment has been made.
Ransomware is a growing threat to U.S. critical infrastructure, and the malware that allows for the seizing and ransoming of systems can be easily transmitted.
In any event, the Senate Homeland Security and Governmental Affairs Committee has broken with the Senate Intelligence Committee to side with the House bill on the timeframe within which cyber incidents must be reported. Consequently, this political dynamic may tip in favor of a 72-hour window in a final bill.
Other Reporting Timeline Precedents
It should be noted there is precedent for a 72-hour window, as DOD’s timeline for some contractors to report cyber incidents is 72 hours. The European Union’s General Data Protection Regulation (GDPR) also sets a 72-hour deadline after discovery for reporting personal data breaches.
On the other hand, CISA’s Federal Incident Notification Guidelines require a far shorter one-hour notification period for federal agencies:
Agencies must report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian Executive Branch agency is potentially compromised, to the CISA/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department.
Additionally, some U.S. bulk electric power systems must report serious incidents within an hour under federal regulation. Likewise, the U.S. Nuclear Regulatory Commission requires reports within an hour of successful attacks, four hours for attempted serious attacks, and eight hours for indications of pre-attacks. Similarly, the Joint Chiefs of Staff requires reporting within one hour of the loss or suspected loss of personally identifiable information (PII). In its first directive this year after the Colonial ransomware attack, DHS’ Transportation Security Administration (TSA) set a deadline of 12 hours after incidents have been discovered for pipeline operators to report to the agency.
A timeframe shorter than 72 hours is being contemplated across the Atlantic for cyber incidents. The EU is considering the enactment of a new Directive on Security of Network and Information Systems (NIS 2 Directive) that would set the initial report deadline for private sector entities notifying EU governments at 24 hours: “without undue delay and in any event within 24 hours after having become aware of the incident, an initial notification, which, where applicable, shall indicate whether the incident is presumably caused by unlawful or malicious action.” However, there are provisions that would allow EU member nations and their Computer Security Incident Response Team (CSIRT) to “deviate” from this timeline, which would allow for some flexibility.
Finally, it bears mention that law enforcement agencies, such as the FBI, do not advise people to wait to report crimes or problems on private property until the situation is in hand. Rather, they want information as soon as possible even at the risk of erroneous information.
Where will the NDAA land? It seems possible to arrive at a compromise like the EU’s NIS 2 that would require an initial report within 24 hours with a more complete report due at a later date. Such a compromise would give the U.S. government information as soon as possible on cyber incidents that could easily spread, while ensuring covered operators have an opportunity to undertake their own responsive measures before providing their full accounting in a follow-on report.