Regulators and legislators toyed with the addition of an incident reporting mandate for organizations in the event of a cyberattack. But industry experts and members of Congress disagree about what form the rules should take.
One issue with a federal reporting rule is how organizations will adhere to the requirements. While the government frequently relies on checklists, security is not one-size-fits-all. Legislation could remove some of the complexity of overlapping standards as the Cybersecurity and Infrastructure Security Agency's (CISA) role and authority becomes more robust.
From a "public utility perspective, federal directives give us general direction," said Bryon Black, IT manager at South Coast Water District based in California. Water utilities have directives from federal, state and local levels, which contributes to confusion around what is regulatory versus best practice.
Black wants to see a standardized, unified information sharing and response mechanism for all sectors, which falls in line with proposed incident reporting bills and remains under the purview of CISA.
But the National Defense Authorization Act (NDAA) for FY2022 passed the House without an incident reporting rule. CISA declined to comment on the exclusion from the national defense bill.
Congress and federal agencies now have more time to receive feedback from all sectors, and should consider the nuances of each sector: geography, distributed architectures, independent governance, IT modernization, and so forth, said Kenneth Frische, director of cybersecurity and risk services for 1898 & Co.
"These factors directly affect the definition and character of an incident as well as the ability to identify and report it," he said. "Having the director of CISA work with these sectors to define reasonable reporting requirements is a good idea." But after agencies and sectors agree on requirements, enforcement will need to follow.
If CISA's CyberSentry program lends itself to scalability and flexibility and if the national cybersecurity exercise program, outlined by the NDAA, works as intended, they "could bring significant technology and information to select private sector industries," and reform incident response planning in "previously unattainable" ways, said Ross Rustici, managing director at TurnStone. These two initiatives could set CISA up to improve its enforcement of information sharing requirements if and when an incident reporting bill is passed.
Senators Gary Peters, D-Mich., and Rob Portman R-Ohio, members of the Senate Homeland Security and Governmental Affairs Committee, are at the forefront of introducing aggressive cyber legislation, and the NDAA FY2022 initially included their incident reporting bill.
The senators wanted the previous seven-day reporting period reduced to three days for victims to report an incident to CISA. If an entity failed to report an incident within 72 hours, and CISA had reason to believe an incident or ransom payment occured, CISA could request information from the victim entity.
Peters and Portman wanted to build on the subpoena power the NDAA FY2021 gave CISA, and allow the agency to pursue a subpoena if the information request went unfulfilled.
These incident reporting provisions were removed from the FY2022 NDAA.
"I believe [CISA] can meet the moment, but there are of course a few prerequisites to consider," namely budget stability and growth, said Brad Medairy, EVP at Booz Allen Hamilton.
CISA is not a regulatory agency, and Director Jen Easterly doesn't want to make it one either.
"At the end of the day, this is about raising the baseline of the ecosystem. What we don't want to do is overburden a company under duress," Easterly said to Mandiant CEO Kevin Mandia, during the Mandiant Cyber Defense Summit in October. The agency doesn't want "reporting erroneous noise," out of fear, she said. "We need signals, not noise."
"We need signals, not noise," which is why a rulemaking period would exist if incident reporting legislation were to pass, she said. During that period, CISA would work "consultatively with industry to make sure that we get this right."
Mandia was "very confident" in the passing of a notification law. And Easterly said she belives "Congress recognizes the importance of ensuring that we are able to get information as quickly as possible, so we can do something with it not only to render assistance to victims" but share information widely to potential victims," she said. "And so I am a fan of anything that allows us to do that."