Last month, Senate Intelligence Committee Chair Mark Warner (D-VA) and Ranking Member Marco Rubio (R-FL) along with Senator Susan Collins (R-ME) floated a draft bill, the “Cyber Incident Notification Act of 2021,” that would change United States (U.S.) law to require critical cyber infrastructure owners and operators and many federal contractors to report actual or potential cybersecurity intrusions within 24 hours of detection to the Cybersecurity and Infrastructure Security Agency (CISA). CISA would be tasked with promulgating regulations to effectuate the goals of this bill drafted in response to the SolarWinds and Microsoft Exchange hacks. These Members have gotten feedback and gathered support. Today, Warner was quoted as saying:
Unlike some of the other things I’m working on, huge, huge progress. We are very close to having almost every member of the committee on it. It has been purely waiting for the members to get back [to Washington]. I’ve got to have a couple of member-to-member discussions, but the notion that we need some level of mandatory incident reporting. The fact that many business groups have coalesced behind this, I think it’s all great news.
And so, the prospects for this bill sound good in the Senate, at least. To date, a companion bill has not been introduced in the House.
With these developments in mind, now is a good time to go back and review the bill much more closely than I was able to in June when Warner, Rubio, and Collins published it.
Big picture, the bill is proposing a new mandatory reporting regime for many of the owners and operators of critical cyber infrastructure should their systems experience a “cyber intrusion.” As mentioned, this bill directly flows from the SolarWinds and Microsoft Exchange supply chain hacks, one of which was discovered and exposed only through the efforts of a cybersecurity firm, FireEye, that had been compromised itself. The sentiment among some Members is that it is necessary to dispense with the U.S.’ largely voluntary reporting system, which results in some intrusions making their way to federal officials late if at all. Consequently, establishing a mandatory reporting responsibility paired with liability protection for entities submitting reports is seen as the best incentive structure to change the status quo.
Of course, the U.S. has a system in place for entities to voluntarily report cyber threat information. The “Cybersecurity Act of 2015” (P.L. 114-113) established an information sharing system that provided significant liability protection for private sector entities sharing amongst themselves and especially with the U.S. government. However, this system has been widely panned and rarely used according to U.S. data (see the 2017 and 2019 joint Office of the Inspectors General reports on this program). The creation of a new reporting system inside CISA, as opposed to tacking it onto the current, existing system, seems like an indictment of the latter’s functionality.
The draft Cyber Incident Notification Act of 2021 seeks to address a flaw inherent in the cyber information sharing system established in the Cybersecurity Act of 2015. There are a host of reasons why private sector companies have not participated in this information sharing arrangement, as noted in this blog posting from 2015 by a “white shoe” law firm that warned “disclosing information about a company’s own specific cyber vulnerabilities and incidents can carry legal, competitive, and reputational risks that are far greater if that information is learned by competitors and customers.” The draft bill, however, makes reporting a responsibility and has language allowing for enforcement; whether the penalties are enough to compel reporting, and how likely it is that a failure to report would be discovered by the federal government, are questions for later in this post.
Now to the specifics of the bill. CISA shall have six months to establish “Cyber Intrusion Reporting Capabilities to facilitate the submission of timely, secure, and confidential cybersecurity notifications from Federal agencies and covered entities to the Agency.” Any entity may submit information to CISA’s new reporting mechanism, and such submissions shall be exempt from all federal, state, local, and tribal Freedom of Information requests. The bill goes even further in creating an incentive by barring the use of any such submissions in any criminal or civil trial in the U.S. This, along with other liability protections, goes to the recurring claim of industry that companies would face significant if not ruinous liability if plaintiffs’ attorneys could get their hands on any such submissions. CISA must implement the same privacy and civil liberties protections used in the information sharing program created per the Cybersecurity Act of 2015 to protect the privacy of any identifiable individuals in the information transmitted to the agency.
DHS would be required to issue, within 60 days of enactment and without prior notice, an interim final rule establishing many critical parts of the new system. That rule would define the critical terms of the new reporting system that determine which entities are covered, what kinds of intrusions and information must be reported, and what constitutes the confirmation of a cybersecurity incident that triggers the reporting requirement. DHS would then accept comments and thereafter issue a final rule with some modifications based on the comments.
Covered entities must submit a cybersecurity notification in the event of a confirmation or potential confirmation of a cybersecurity intrusion, and no later than 24 hours after confirmation. The bill makes clear that this responsibility does not replace any existing legal, regulatory, or contractual obligations of entities to report such intrusions to another federal agency. For example, many electric utilities have the responsibility to report cybersecurity incidents within one hour to both the Electricity Information Sharing and Analysis Center (E-ISAC) and CISA. Consequently, electric utilities would still need to submit a cybersecurity notification under this bill in addition to those existing reports.
Covered entity is a term to be defined in CISA’s rulemaking, but it must include “at a minimum, Federal contractors, owners or operators of critical infrastructure, and nongovernmental entities that provide cybersecurity incident response services.” Therefore, CISA could go beyond those classes of entities in determining who shall be required to report intrusions. Other terms that will be defined through the rulemaking will also determine the parameters of the duty to report. For example, “cybersecurity intrusion” and “potential cybersecurity intrusion” need to be defined, and what does or does not qualify as either will be hugely consequential because the duty to report will hinge on whether a cyber incident is an actual or potential cybersecurity intrusion. Moreover, one can depend on the legal departments of covered entities urging the company’s leadership to read these terms as narrowly as possible once CISA has defined them, in order to avoid reporting and any possible bad consequences. Be that as it may, the definition of “cybersecurity intrusion” must include any incident that
- involves or is assessed to involve a nation-state;
- involves or is assessed to involve an advanced persistent threat cyber actor;
- involves or is assessed to involve a transnational organized crime group (as defined in section 36 of the State Department Basic Authorities Act of 1956 (22 U.S.C. 2708));
- results, or has the potential to result, in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States;
- is or is likely to be of significant national consequence;
- is identified by covered entities but affects, or has the potential to affect, agency systems; or
- involves ransomware.
But as this passage in the bill is written, the agency could include other circumstances as well.
In the same vein, the “cybersecurity threat information” that a cybersecurity notification must convey in the event of an actual or potential cybersecurity intrusion must contain certain things:
- a description of the cybersecurity intrusion, including identification of the affected systems and networks that were, or are reasonably believed to have been, accessed by a cyber actor, and the estimated dates of when such an intrusion is believed to have occurred;
- a description of the vulnerabilities leveraged, and tactics, techniques, and procedures used by the cyber actors to conduct the intrusion;
- any information that could reasonably help identify the cyber actor, such as internet protocol addresses, domain name service information, or samples of malicious software; and
- contact information, such as a telephone number or electronic mail address, that a Federal agency may use to contact the covered entity, either directly or through an authorized agent of the covered entity; and
- actions taken to mitigate the intrusion.
It may well prove to be the case that covered entities will want to report the minimum amount of information.
DHS and CISA must coordinate with the sector-specific agencies that regulate each of the 17 critical cyber infrastructure sectors. Pursuant to this responsibility, DHS and CISA must
establish a set of reporting criteria for Sector Risk Management Agencies and other Federal agencies as identified by the Director to submit cybersecurity notifications regarding cybersecurity incidents affecting covered entities in their respective sectors or covered entities regulated by such Federal agencies to the Agency through the Cyber Intrusion Reporting Capabilities;
As mentioned, the Cyber Incident Notification Act gives liability protection to entities that submit a cybersecurity notification to CISA through this new reporting system. These entities could not be sued in any U.S. court except by the U.S. government, which could presumably litigate to exercise its new enforcement powers either to bar a company from obtaining federal contracts or to levy a fine equal to .5% of the company’s gross revenue from the previous year. These provisions would become operative if an entity fails to comply with the new reporting requirements.
The bill applies the reporting requirements to federal agencies, too. Moreover, the definition of agency used in the bill (from 44 U.S.C. 3502) encompasses virtually the entire federal government, including the Department of Defense and independent agencies:
any executive department, military department, Government corporation, Government controlled corporation, or other establishment in the executive branch of the Government (including the Executive Office of the President), or any independent regulatory agency,
Hence, the customary differentiation between civil and military critical cyber infrastructure is not honored in this legislation.
Both CISA and DHS must submit annual reports to Congress on the program with differing focuses. CISA shall report “on the number of notifications received through the Cyber Intrusion Reporting Capabilities, and a description of the associated mitigations taken, during the 1-year period preceding the report.” DHS is to report on “the categories of covered entities, noting additions or removals of categories, that are required to submit cybersecurity notifications; and the types of cybersecurity intrusions and other information required to be submitted as a cybersecurity notification, noting any changes from the previous submission.” This reporting requirement would allow for easier oversight of the program and permit Members to press for changes if needed.