Dear Congress: This is very complicated. Please take this into consideration when making new cybersecurity legislation

In light of recent high-profile cyberattacks, including those on SolarWinds and Colonial Pipeline, the federal government is scrambling to improve its ability to withstand future attacks. Federal agencies are reviewing regulations under existing laws to impose new requirements on federal agencies and critical infrastructure operators; in fact, U.S. banking regulators issued a rule last month that requires financial institutions to report incidents within 36 hours of detecting them. The Justice Department has announced that it plans to use a Civil War-era law to hold federal contractors accountable for failing to disclose breaches.

At the same time, the U.S. Senate is considering a legislative response, acknowledging that laws enacted before the invention of the Internet cannot help protect it today. The core component of each bill is a requirement that organizations disclose cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA), so that the government can better evaluate, prevent, and respond to cyberattacks.

The new bills would create the first federal mandate requiring such broad disclosure of security incidents. Senator Mark Warner (D-VA) said: “We should not rely on voluntary reports to protect our critical infrastructure. We need a consistent federal standard so that when important sectors of our economy are damaged, the federal government can be mobilized to respond and to mitigate its impact.”

Under Warner’s bill, the Cyber Incident Notification Act, organizations that fail to report a network intrusion within 24 hours could be fined up to 0.5% of their previous year’s revenue for each day they neglect to report a potential or successful intrusion. Senator Elizabeth Warren’s (D-MA) bill, the Ransomware Disclosure Act, would impose fines on organizations that fail to disclose ransomware payments within 48 hours of making them.

Although new cybersecurity legislation is necessary, any new cybersecurity law must take certain realities into account if it is to be effective. First, because of the talent shortage, many organizations currently lack the capacity to comply with these regulations. Second, the federal government must win the trust of the private sector by clarifying the legal and financial consequences of disclosure. Finally, a patchwork of conflicting legislation will only create confusion and resistance in industry, and ultimately undermine the intent behind these legislative initiatives.

Legislators must consider the downsides of disclosing breaches and the legitimate reasons an organization may be reluctant to do so. Any legislation that becomes law should address these reasons. Some key issues to consider:

● What defines a “potential” security incident? The relevant provisions of the Cyber Incident Notification Act are too broad to be enforceable, and may lead organizations to forward every security alert to the government before it has been effectively triaged.

● Today, ransomware payments sit in a legal gray area, and disclosing them may amount to self-incrimination. If a payment is disclosed, can that information be used to support a criminal prosecution of the victim organization? Currently, at least four states (New York, Texas, North Carolina, and Pennsylvania) are considering bills that would make ransomware payments illegal. Unless these points are clarified directly, companies will be reluctant to comply with Warren’s Ransomware Disclosure Act.

● What specific set of threat indicators must be shared? How much confidence must the disclosing organization have in the evidence before it is shared ahead of the reporting deadline? If the information turns out to be inaccurate, is the disclosing organization liable? Imagine that an IP or email address is added to an Internet-wide block list, and only weeks later it is discovered that the entity was unrelated to the attack and entirely harmless.

● Should the reporting timeline be the same for all organizations? Currently, the Cyber Incident Notification Act gives all covered organizations just 24 hours to disclose an incident. But practitioners know that forensic investigations usually take longer. Regulations must allow organizations to share information in real time while acknowledging that the complete picture may take longer to emerge.

● What security measures will protect the disclosure database? Which elements will be anonymized? Are disclosures subject to the Freedom of Information Act (FOIA)? Answering these questions will help organizations weigh the risk of disclosure against the prescribed penalties.

● Under the legislation, is an incident response service provider obligated to disclose on behalf of its customer, or at the same time as the customer? What role does legal privilege play in this process? Neither bill adequately addresses these questions.

Finally, disclosure incentives must be structured properly so that the remedy does not cause undue harm to companies. First, organizations that disclose threat information should be given legal protection from criminal and civil liability. Past breach history should factor into the size of any penalty. Any federal law should also include incentives for organizations that exercise due care and implement strong security measures. If an enterprise falls victim to a security incident but can demonstrate appropriate safeguards (such as encryption), it should be treated differently from an organization that took no preventive measures at all.

As these bills make their way through Congress, what should companies do to prepare for this pending legislation? Develop a threat detection and response plan that shortens the time to detect, respond, and notify, which helps reduce business risk and avoid potential penalties. Better still, make sure appropriate security controls are in place to reduce the risk of future cyberattacks, and work with managed detection and response (MDR) partners who can supply the necessary cybersecurity talent and technology.
