To strengthen American cybersecurity, we need clear incident reporting rules
This week, President Joe Biden signed the Strengthening American Cybersecurity Act into law. It requires certain types of companies to report cybersecurity incidents to a federal agency within 72 hours and any ransomware payment within 24 hours.
The spirit of this measure is to highlight our urgent need for stronger cybersecurity. This, of course, has become a critical societal need after a rash of high-profile ransomware attacks in recent years and concerns that assaults on businesses and government agencies worldwide will increase after the Russian invasion of Ukraine.
But the devil is in the details, and it remains to be seen how well the new reporting requirements will specifically address the growing threat and whether, in some cases, they could even be counterproductive. I’m concerned the law could be confusing and force some companies into a wasteful reporting-for-reporting’s-sake exercise.
A public-private framework
The Strengthening American Cybersecurity Act certainly has excellent intentions. The new rules “will mean greater visibility for the federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector, so they can defend against future attacks,” bipartisan leaders from the House Homeland Security Committee said in a statement after the House approved the measure.
Furthermore, the measure wasn’t born in isolation. It’s the latest in a push, not only in the U.S. but in Europe too, to tighten up organizations’ obligations around cyber incident reporting.
On March 9, the Securities and Exchange Commission proposed a rule that publicly traded companies disclose data breaches and other significant cybersecurity incidents within four days. Such companies have long been required to report risks and incidents they deem to be material to investors, but “companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner,” SEC Chair Gary Gensler said.
Since 2018, the EU’s General Data Protection Regulation (GDPR) has required any organization handling the data of European citizens to notify authorities within 72 hours of becoming aware of a breach.
All these watchdog moves are meant to enhance a public-private framework around improving cyber resilience. The new U.S. law makes a potent and positive statement that, after disruptive attacks like the SolarWinds and Colonial Pipeline hacks, the government is taking cyber security very seriously.
Are companies ready?
The measure would require that companies in “critical infrastructure sectors” report cyberattacks to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and, in the case of ransomware payments made to attackers, 24.
CISA identifies 16 such sectors that are “considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” It’s a broad group that includes financial services, IT, energy, healthcare, transportation, manufacturing, and commercial facilities–in other words, just about everyone.
But will everyone be ready? According to an Ernst & Young survey, three months before GDPR went into effect in 2018, a mere 33 percent of companies said they had an established compliance plan in place and an astonishing 39 percent said they were unfamiliar with the regulation altogether. That’s despite the fact that GDPR was initially adopted in 2016, with enforcement delayed for two years.
The situation is similar with the Strengthening American Cybersecurity Act. CISA will have up to two years to publish a notice in the Federal Register detailing proposed rulemaking for the reporting requirement. In the meantime, the government owes it to companies to make sure they’re aware of the law’s scope and particulars ahead. For their part, companies should start considering, sooner rather than later, the processes they’ll need to put into place.
There will be an adjustment period for huge numbers of companies, and while it’s in Washington’s interest to help, companies also should assume they may be largely on their own in figuring out their compliance strategies.
What exactly does notification involve?
Presumably, any cyber incident reported to CISA also is considered public knowledge. That of course is a good thing if, say, consumers’ personal data is compromised in a breach. They deserve to know as soon as possible.
However, not all incidents are created equal. Some may cause limited damage inside a company’s network and are thwarted before affecting customers or employees. Some may not even be an attack at all: What initially was thought to be a hack could turn out to be some other problem, such as human or code error.
The law doesn’t make clear what constitutes a breach that must be reported–another potential source of confusion for companies. Must the company still initiate what undoubtedly will be a time-consuming bureaucratic reporting process for absolutely everything? If so, does the notification become fully public or will there be ways for companies and CISA to simply share information privately?
The precise requirements need to be made clear so the new law doesn’t confuse companies, or even prompt inconsistent ways of following it.
Companies must also reckon with the fact that 72 hours is a short window to conduct a thorough investigation into an attack, identify what damage was done, and execute a resolution plan. This is another reason why it’s important that the law make clear what kind of incidents must be reported. The law would do more harm than good if unclear and overly onerous public reporting deadlines distract companies from their normal operations.
Will agency infighting be an issue?
The legislation’s designation of CISA as the lead agency to receive notices of hacks and ransomware payments alarmed the FBI, which, according to the Associated Press, had openly campaigned for tweaks to the bill that would shift the responsibility to the bureau.
“We want one call to be a call to us all,” FBI Director Christopher Wray was quoted as saying. “What’s needed is not a whole bunch of different reporting but real-time access by all the people who need to have it to the same report. So that’s what we’re talking about – not multiple reporting chains but multiple access, multiple contemporaneous action, to the information.”
We need a united front in Washington against cybercriminals. Companies cannot be caught in the middle of this apparent rivalry between two key agencies.
While the Strengthening American Cybersecurity Act was a decisive action, only time will tell what impact it will have in actually shoring up cyber defenses. Providing clear and practical guidance is the first step.
Bipul Sinha is CEO and co-founder of zero trust data security company Rubrik.
More must-read commentary published by Fortune:
- Stop asking women how we manage work-life balance. Most of us don’t
- It’s not a Great Resignation–it’s a Great Rethink
- The media’s racial bias is also happening off screen
- The Great Business Retreat matters in Russia today–just as it mattered in 1986 South Africa
- Offices are obsolete—and so are the managers who insist you must go back
Never miss a story: Follow your favorite topics and authors to get a personalized email with the journalism that matters most to you.