What the Newly Signed US Cyber-Incident Law Means for Security

When President Biden signed the omnibus spending bill Tuesday, he also put the bipartisan Cyber Incident Reporting Act into effect, which requires critical infrastructure companies in the 16 industry sectors identified by the federal government to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a cyberattack and within 24 hours of making a ransomware payment.

While this wasn't the all-encompassing data breach law that has been stalled in Congress for many years, it was notable in that the Senate passed the legislation unanimously. The bill was championed by Sen. Gary Peters (D-Mich.) and Sen. Rob Portman (D-Ohio); it covers a broad swath of the economy, including the defense industrial base sector, which has more than 100,000 companies alone.

Game Changer
"It's a game changer," says Tom Kellermann, head of cybersecurity strategy at VMware. "It's a fundamentally important strategic decision made by the federal government to finally eliminate the plausible deniability that had existed for far too long. ... Corporations have [for some time] underinvested in cybersecurity because they could always maintain plausible deniability."

Kellermann argues that the new law will force companies to hire a CISO, give that person a budget, and provide detection response oversight.

"Companies need to show that they are taking this seriously," Kellermann says. "They will either have to hire a CISO, or if they already have one, promote the CISO and make sure they have veto authority over the CIO. The general counsel will also have to become more familiar with privacy and cyber laws. They will need to work hand-in-hand with the CISO in their information-sharing efforts in public-private partnerships with the ISACs and working with CISA."

The new law gives CISA the authority to subpoena companies that fail to report cybersecurity incidents or ransomware payments. Organizations that fail to comply with the subpoena can be referred to the Department of Justice. 

The provision requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs CISA Director Jen Easterly to establish a joint ransomware task force to coordinate federal efforts — in tandem with industry — to prevent and disrupt ransomware attacks. The new omnibus law also authorizes $2.59 billion in funding to CISA, which was $300 million above the Biden administration's proposal.

"This is very significant legislation as it addresses the increasing cybersecurity threats amid rising concerns that Russia's invasion of Ukraine could lead to Kremlin-backed hackers attacking critical infrastructure such as hospitals, power plants, and fuel pipelines," notes Chris Cruz, SLED CIO at Tanium.

Centralized Repository
CISA will have a centralized repository of information on threat-actor plans, programs, and operations, he notes. "This will allow information sharing among the critical agencies like the DoJ and FBI and provide a standardized method in which to deal with these attacks, prosecute these perspective cyber hackers, and ensure that each reporting entity has a well-defined cybersecurity strategy that integrates security and operations across their respective networks."

Davis McCarthy, principal security researcher at Valtix, adds that the new incident reporting law stands as a proactive, collaborative approach by the federal government to combat the booming cybercrime industry. McCarthy says data has become a valuable commodity in both traditional and criminal markets.

"They say that 'knowing is half the battle,' and this law will improve our collective understanding of who stole the data, what data they want next, and what they stand to gain by possessing it," McCarthy says. “However, the law uses policy to make a valuable security process available to the public and critical infrastructure organizations. The law does not enforce the output value: No one has to patch a critical vulnerability, harden their cloud infrastructure, or threat hunt for recent ransomware [indicators of compromise].”

VMware’s Kellermann would have liked to have seen lawmakers get tougher on the ransomware payments and the cryptocurrency operators who manage the ransom payments, many of whom have ties to North Korea and Russia. He says federal officials will collect data and over time prove the correlation between the ransom payments and the bad threat actors.

"I would like to see a banning of ransomware payments and explicit regulation as it relates to the exchanges," Kellermann says. "But I’ve been in cybersecurity for 23 years. To have true bipartisanship action in this regard is historic."