In light of recent high-profile cyberattacks, including those against SolarWinds and Colonial Pipeline, the federal government is scrambling to build greater resilience against future attacks. Federal agencies are revisiting provisions under existing laws to push new requirements on both federal agencies and critical infrastructure operators; in fact, last month US banking regulators passed a rule requiring financial institutions to report breaches within 36 hours of discovery. The Department of Justice has announced its plan to apply a Civil War-era law to hold federal contractors accountable for failing to disclose breaches.
Simultaneously, the US Senate is considering legislative responses, an acknowledgement that laws written before the invention of the Internet would be ill-equipped to help secure it today. A core component of all the bills is the requirement for organizations to disclose cybersecurity breaches to the Cybersecurity and Infrastructure Security Agency (CISA) to help the government better assess, prevent, and respond to cyberattacks.
The new bills would create the first federal mandate requiring such widespread disclosure of security incidents. Senator Mark Warner (D-VA) said, "We shouldn't be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."
Under Warner's bill, the Cyber Incident Notification Act, organizations that fail to report cyber intrusions within 24 hours would be subject to penalties of up to 0.5% of their previous year's revenue for every day they neglect to report either a potential or successful intrusion. Senator Elizabeth Warren's (D-MA) bill, the Ransomware Disclosure Act, would fine organizations for not disclosing ransomware payments within 48 hours of payment.
Although new cybersecurity legislation is necessary, for it to be effective, any new cybersecurity law must consider certain realities. First, due to a talent shortage, many organizations do not have the ability to comply with these mandates today. Second, the federal government has to earn the private sector's trust by being clear about legal and financial ramifications. Finally, a patchwork of conflicting legislation will only lead to industry confusion and pushback, ultimately undercutting the intent behind these legislative moves.
Legislators must consider the disincentives for disclosing a breach and the legitimate reasons an organization may be reluctant to do so. Any legislation that becomes law should factor in those reasons. Some key questions to consider:
● What defines a "potential" security incident? Such terms in the Cyber Incident Notification Act are too broad to be enforceable and could leave organizations sending every security alert to the government before they are effectively triaged.
● Today, ransomware payments reside in a legally gray area where disclosure of them could be self-incriminating. In the event of a disclosure, can the information be used to support criminal prosecution of the victim organization? Currently, at least four states — New York, Texas, North Carolina, and Pennsylvania — are considering bills that make ransomware payments illegal. Without direct clarity on these points, businesses will be reluctant to comply with Warren's Ransomware Disclosure Act.
● What is the specific set of threat indication information that must be shared? How confident does the disclosing organization need to be about that evidence before sharing it ahead of the reporting deadline? Is there liability if the information is inaccurate? Imagine an IP or email address being added to an Internet-wide blocklist only to find out weeks later that the entity was unrelated to the attack and quite harmless.
● Should the reporting timeline be the same for all organizations? Right now, the Cyber Incident Notification Act states that all covered organizations will have only 24 hours to disclose an incident. But practitioners know that forensic investigations often take much longer. There must be provisions that allow organizations to share information in real time, while also acknowledging that the full story may take longer to reveal.
● What security measures will be taken to secure the disclosure databases? What elements will be anonymized? Will disclosures be subject to Freedom of Information Act (FOIA) requests? This will help organizations balance the risk of disclosure against the defined penalties.
● Are incident response service providers obligated under this legislation to disclose on behalf of — or in parallel with — clients? What is the role of legal privilege in this process? Neither bill sufficiently covers these topics.
Finally, we need to properly structure incentives for disclosure to ensure that the solution doesn't create undue harm to businesses. For starters, there should be legal protections for organizations that disclose threat information, protecting them from criminal and civil liability. A history of past violations should be factored into penalty size. Any federal law should also include incentives for organizations that are taking due care and implementing strong security measures. If a business falls prey to a security incident but demonstrates appropriate security measures, such as encryption, that business should be treated differently than an organization that has taken no precautions at all.
As these bills work their way through the halls of Congress, what should businesses do to prepare for this pending legislation? Develop a threat detection and response plan that will reduce the time to detect, respond, and notify to help mitigate business risk and avoid potential penalties. Better still, ensure that they have the proper security controls in place to mitigate the risk of future cyberattacks, working with a managed detection and response (MDR) partner that can provide the required cybersecurity talent and technology.