Critical infrastructure must report cyber incidents, ransomware payments to feds — in a few years

President Biden signed legislation last week that for the first time in internet history will require operators of U.S. critical infrastructure (CI) to report “significant” cyber incidents and any ransomware payments to the federal government. And that, according to at least some of the interested parties, is both a very big deal and a very good deal.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA) — to which CI operators would have to report those incidents — posted on Twitter that she was “thrilled” and called the bill “a game-changer & a critical step forward for our Nation’s cybersecurity.”

Chris Painter, a former State Department cyber coordinator who also worked at the FBI and National Security Council, tweeted that he first worked on incident reporting legislation 20 years ago at the Department of Justice (DoJ) and “was frustrated for many years when it always stalled. Finally it passed! This is a much-needed foundational element for stronger cybersecurity.”

Mike Flynn. senior director of government affairs and counsel at the Information Technology Industry Council (ITI), said in a statement that “we welcome lawmakers’ efforts to enhance cybersecurity incident reporting, which can play an important role in informing actions to respond to incidents and to contain or prevent further impacts.”

And at one level the Cyber Incident Reporting for Critical Infrastructure Act of 2022 — adopted as part of the sprawling, 2,741-page, $1.5 trillion omnibus spending bill — will indeed be a game-changer. As noted, this is the first time that federal law will require private sector entities to report certain cyberattacks and all ransomware payments. There have been information-sharing initiatives in the past, but they have been voluntary. This one isn’t. And it covers 16 CI sectors that range from food and agriculture to information technology, energy, healthcare, water supply, finance, nuclear, and transportation.

Cyber incidents considered significant will have to be reported to CISA within 72 hours, and any ransomware payment within 24 hours. The goal is to combine the assets of government and the private sector to confront and mitigate those incidents quickly and spread the word to other CI operators that might be vulnerable to a similar attack.

Flynn, in an interview, said “government is coming from a good place here,” evidenced by significant bipartisan support at a time when the parties in Congress rarely agree.

“This is about helping entities with things that only government knows, but without this kind of incident reporting government won’t know everything that’s going on out there,” he said.

A matter of years

So will that truly make it a cybersecurity game-changer? As the saying goes, that remains to be seen.

First, because it could be 42 months — three and a half years — before it takes effect. That’s the time allotted for CISA’s rule-making process, although the ITI said there is speculation that the agency will move more quickly than the two years the law grants for it to publish a notice of proposed rulemaking. After that, there is an 18-month window for comments before a final rule is issued. Still, even if CISA takes only half the time allotted for the initial notice, it will take years, not months, to take effect, while cyberattacks evolve over days and weeks.

Second, not everybody on the federal level is a fan of the new law, since it calls for the incident reporting to be done directly to CISA, but not to the FBI. While the bill does require CISA to share those reports with other agencies within 24 hours, both the DoJ and FBI say that’s not soon enough.

Deputy Attorney General Lisa Monaco, in a statement to Politico, said “this bill as drafted leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats.”

And FBI Director Christopher Wray, in recent testimony before the House Intelligence Committee, said it’s crucial that the agency hear about those attacks in real time. “We have agents out in the field who are responding, often within an hour or so, to a business that’s been hit. That’s happening thousands of times a year, so we need to make sure that information flow is protected,” he said, adding that, “this is not in lieu of CISA — we want them to report to CISA and the more information CISA gets, the better.”

But those comments got immediate blowback from the offices of the bill’s Senate cosponsors, Gary Peters, D-Mich., and Rob Portman, R-Ohio, who said the FBI and DoJ had been consulted for months and the language of the bill had been changed to address their concerns.

Portman’s spokesperson Kylie Nolan told The Hill that the legislation “will make the United States significantly more secure, and any suggestion to the contrary is grossly misleading and does the public a disservice. DoJ and FBI’s concerns are out of sync with the rest of the country including, it seems, the Biden administration that they work for.”

Attack or accident?

Third, at least one expert said the legislation doesn’t cover all the bases. Joe Weiss, managing director at Applied Control Solutions and an expert on CI control systems, wrote on his Unfettered Blog that “expeditious reporting of control system cyber incidents is obviously important in preparing and responding to widespread possible cyberattacks,” but that attacks on control systems “are not always easily identifiable as such. They can be mistaken for accidents or malfunctions, and they might not be recognized at all.”

Weiss wrote that control systems are “composed of OT [operational technology] networks and control system field devices such as process sensors, actuators, drives, and analyzers.”

But those field devices “have neither cybersecurity nor cybersecurity forensic capabilities and therefore have no capability to meet the intent of the reporting requirements,” he wrote.

Finally, some experts warn that there are entire CI industries that haven’t been highly regulated in the past and at present don’t have the capability to meet the reporting requirements.

Kristina Surfus, managing director of government affairs at the National Association of Clean Water Agencies told Bloomberg Law that tens of thousands of water system operations are fragmented across the country. “The majority of these systems are small, rural, and under-resourced. Those are the ones I think will probably struggle the most,” she said.

But, as noted, those operators will have at least two, perhaps three, years to prepare. Emile Monette, director of government contracts and value chain security with Synopsys, said that much advance notice is “plenty of time for even the smallest of CI owners/operators to build in the costs of compliance. It is a cost, but not that onerous.”

Several improvements

Also, the final version of the bill tightens up some loose ends from an earlier version.

About a month ago, the bill didn’t include a definition of a “significant” cyberattack. The final language defines it as an incident or group of incidents that include breaches of sensitive information, attacks that disrupt business or operations, and those that are “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.”

That definition will get much more specific in the final rule, including exactly what CI operators are covered by it, how likely they are to be targeted, and how much damage an attack could cause. But even a general definition gives a good idea of what’s coming.

It also includes liability protection for organizations that comply with the reporting requirements. Reports can’t be used to regulate those entities, they can’t be used as evidence or in discovery proceedings, and they can’t be the “sole basis” of a cause of action in any court.

Monette, who had noted the lack of liability protections in an earlier draft of the bill, said those now included “are pretty good — at least now there are some. Of course, industry will clamor for more and stronger protections, but cutting out whole causes of action is a pretty big deal when you think about legal risk.”

Finally, the bill now includes some enforcement teeth. It allows CISA to issue subpoenas to compel entities to produce the required information, and the DoJ to initiate civil lawsuits to enforce the subpoenas. An organization that refuses to comply with the subpoena could be found in contempt of court.

Flynn said some enforcement mechanism is necessary, and that these aren’t heavy-handed. “It’s very measured,” he said. “There are provisions that require outreach by CISA, so it’s calibrated in a way to help. The only ones to get hit will be really bad actors.”