White House Meets With Tech Companies and Others; Rival Cyber Incident Notification Bill Floated


The Biden Administration hosted a meeting with some of the United States’ (U.S.) biggest technology companies and others in a cybersecurity summit of sorts. The White House unveiled a number of initiatives to bolster U.S. cybersecurity, most of which were commitments made by private sector entities.

In late July, the Biden Administration announced the meeting when Press Secretary Jen Psaki remarked during a press briefing:

Also, on August 25th, the President and members of his national security team and across the administration will hold a meeting with private sector leaders to discuss how we work together to collectively improve the nation’s cybersecurity. So that is a continuation of his effort to work in close partnership with the private sector.

A “senior administration official” explained the invitees and structure of the meeting:

From tech, the companies participating will be Google, Amazon, Apple, Microsoft, IBM, and ADP. You’ll note that we particularly included ADP because of the services they provide to thousands and thousands of small- and medium-sized companies.

From financial: JPMorgan Chase, Bank of America, TIAA, and U.S. Bancorp.

From insurance: Coalition, Vantage Group, Resilience, and Travelers.

From education, a creative set: Code.org, University of Texas System, Tougaloo College, Girls Who Code, and Whatcom Community College.

So, after the meeting with the President, participants will also join smaller meetings with various members of the President’s Cabinet and national security team for a more informal discussion on concrete steps we can take to improve national cyber posture.

Those discussions will occur in three parallel breakout sessions, specifically:

  • “Critical Infrastructure Resilience,” which will be co-chaired by Secretary Mayorkas and Secretary Granholm, with participants across energy, financial, and water
  • “Building Enduring Cybersecurity,” which is chaired by Secretary Raimondo and the Small Business Administrator Guzman — participants: tech and insurance. We really see insurance as a way to drive better cybersecurity practices.
  • And then the “Cybersecurity Workforce,” chaired by the National Cyber Director. Participants are education leaders.

No word on who would represent the above entities, suggesting the meeting and breakout sessions were more substantive and less public relations oriented. Moreover, there was no information released on the breakout sessions.

In its summary of the meeting, the White House articulated the purpose behind the meeting:

The White House’s fact sheet enumerated some of the “commitments and initiatives” that emerged from the meeting (although, in all likelihood, White House staff had been negotiating these with the private sector entities for some time, which the background briefing confirmed: “this meeting is a sum-up of a lot of work in the last few weeks, working with participants to discuss initiatives.”):

  • The Biden Administration announced that the National Institute of Standards and Technology (NIST) will collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain. The approach will serve as a guideline to public and private entities on how to build secure technology and assess the security of technology, including open source software. Microsoft, Google, IBM, Travelers, and Coalition committed to participating in this NIST-led initiative.
  • The Biden Administration also announced the formal expansion of the Industrial Control Systems Cybersecurity Initiative to a second major sector: natural gas pipelines. The Initiative has already improved the cybersecurity of more than 150 electric utilities that serve 90 million Americans.
  • Apple announced it will establish a new program to drive continuous security improvements throughout the technology supply chain. As part of that program, Apple will work with its suppliers — including more than 9,000 in the United States — to drive the mass adoption of multi-factor authentication, security training, vulnerability remediation, event logging, and incident response.
  • Google announced it will invest $10 billion over the next five years to expand zero-trust programs, help secure the software supply chain, and enhance open-source security. Google also announced it will help 100,000 Americans earn industry-recognized digital skills certificates that provide the knowledge that can lead to secure high-paying, high-growth jobs.
  • IBM announced it will train 150,000 people in cybersecurity skills over the next three years, and will partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers to grow a more diverse cyber workforce.
  • Microsoft announced it will invest $20 billion over the next 5 years to accelerate efforts to integrate cyber security by design and deliver advanced security solutions. Microsoft also announced it will immediately make available $150 million in technical services to help federal, state, and local governments with upgrading security protection, and will expand partnerships with community colleges and non-profits for cybersecurity training.
  • Amazon announced it will make available to the public at no charge the security awareness training it offers its employees. Amazon also announced it will make available to all Amazon Web Services account holders at no additional cost, a multi-factor authentication device to protect against cybersecurity threats like phishing and password theft.
  • Resilience, a cyber insurance provider, announced it will require policy holders to meet a threshold of cybersecurity best practice as a condition of receiving coverage.
  • Coalition, a cyber insurance provider, announced it will make its cybersecurity risk assessment & continuous monitoring platform available for free to any organization.
  • Code.org announced it will teach cybersecurity concepts to over 3 million students across 35,000 classrooms over 3 years, to teach a diverse population of students how to stay safe online, and to build interest in cybersecurity as a potential career.
  • Girls Who Code announced it will establish a micro credentialing program for historically excluded groups in technology. The program will make scholarships and early career opportunities more accessible to underrepresented groups.
  • University of Texas System announced it will expand existing and develop new short-term credentials in cyber-related fields to strengthen America’s cybersecurity workforce. A major part of this effort will be to upskill and reskill over 1 million workers across the nation by making available entry-level cyber educational programs through UT San Antonio’s Cybersecurity Manufacturing Innovation Institute. Credentials do not depend on traditional degree pathways, and should also contribute significantly to diversifying the pipeline.
  • Whatcom Community College announced it has been designated the new NSF Advanced Technological Education National Cybersecurity Center, and will provide cybersecurity education and training to faculty and support program development for colleges to “fast-track” students from college to career. The nature of community colleges dispersed in every community in the nation makes them an ideal pipeline for increasing diversity and inclusion in the cybersecurity workforce.

The Administration can accomplish the first two on the list, but the others will likely rely on the will and follow-through of the entities making the commitments. These entities are not obligated to follow through, and given the delivery timelines, they may not, for the focus inside the White House will almost certainly have moved on and policymakers will be dealing with different problems and issues.

In his remarks, President Joe Biden said “my team is hosting a meeting, bringing together 30 of the nations — 30 nations to step up in their fight against ransomware.” However, neither the White House nor any major media sources have published additional information about this meeting. In the background briefing, the “senior administration official” noted “the President established the [ransomware] experts group, and we continue to meet and make progress in that forum.” It is probable that this meeting and related meetings will result in the launch of an international effort to combat ransomware, much of which would be driven through voluntary actions or actions the involved governments can persuade or require regulated entities to take.

In what is not a change from previous statements, the Biden Administration is operating from the position that the federal government’s hands are largely tied when it comes to enforcing standards on and issuing directives to the private sector. And based on current U.S. law and regulation this is largely true outside a few sectors. For example, the Transportation Security Administration does have the authority to issue directives to the pipeline industry, which is why two such orders were issued after the Colonial ransomware attack.

Of course, this raises the question of why the Administration is not asking Congress for more authority given this gap in national security. Australia, with its center-right government, is looking to enact changes to its regulation of critical infrastructure through its bill the “Security Legislation Amendment (Critical Infrastructure) Bill 2020,” introduced in December 2020. Thus far, the Biden Administration has largely left these sorts of policy proposals to Congress, which also seems intent on maintaining the status quo.

In the background call mentioned above, the “senior administration official” asserted:

  • I want to emphasize that tomorrow is a call to action. The federal government can’t solve this complex, growing international challenge alone, and we can’t do it overnight.
  • For those of you who know me know that we’re sincere when we say that cybersecurity is a matter of national security, the public and private sectors must meet this moment together, and the American people are counting on us.

Despite cybersecurity being a matter of national security, there have been no public calls from the White House for increased authority. In response to a direct question about working with Congress on legislation, the “senior administration official” answered:

And then we want to work with the private sector and Congress to ensure these standards are adopted across the board. In other words, “Heads up. This is what we think is reasonable as a threshold of — since you’re an owner and operator of critical infrastructure.” We’re going to work to make sure that these standards are adopted across the board because, you know, we — we, as the government, owe that to the citizens we serve.

It appears the Biden Administration is willing to work within the status quo and then point to the limits on its authority when some new cyber development occurs.

Of course, Congress has turned to addressing at least one aspect of U.S. cybersecurity. At present, most of those entities deemed critical cyber infrastructure have no responsibility to report attacks, penetrations, or incidents. And so, should a critical private sector entity be breached or compromised, in most cases it has no responsibility to alert the U.S. government. A notable exception is some Department of Defense contractors that have a duty under DOD regulations to report some cyber incidents within 72 hours to the Pentagon.

Some in Congress want to see a similar duty for all owners and operators of critical infrastructure. To this end, Senate Intelligence Committee Chair Mark Warner (D-VA) and Ranking Member Marco Rubio (R-FL), and Senator Susan Collins (R-ME) introduced the “Cyber Incident Notification Act of 2021” (S.2407), which tracks closely with the draft bill released in June (see here for more detail and analysis). In their press release, Warner, Rubio, and Collins described the bill as “bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery.” They added:

  • The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.
  • Under existing law, there is currently no federal requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.

Thus far, this bill has not been acted upon, and until recently the House did not have a companion bill. However, at the end of last month, Representatives Yvette Clarke (D-NY) and John Katko (R-NY) floated a discussion draft, the “Cyber Incident Reporting for Critical Infrastructure Act of 2021” that takes a slightly different approach than the Warner-Rubio-Collins bill. Clarke and Katko are key stakeholders in the House as the former chairs the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee, and the latter is the ranking member for the full committee. Consequently, their bill may well be the House’s position in talks with the Senate.

The Clarke/Katko bill is less directive than the Warner-Rubio-Collins bill and would give the Department of Homeland Security and critical cyber infrastructure owners and operators much more leeway in determining when a reporting duty exists, the deadline for reporting, and what must be reported. The Clarke/Katko bill gives the U.S. government few new tools to enforce the reporting requirement and would provide legal protection to those entities that do report significant cyber incidents, no matter how reckless or negligent the entity was.

This bill would amend the section of the “Homeland Security Act of 2002” that established the Cybersecurity and Infrastructure Security Agency (CISA) and establish a new Cyber Incident Review Office. And this is even though DHS already has an entity receiving and distributing cyber information. However, there have been long documented problems with this entity inside CISA’s National Cybersecurity and Communications Integration Center (NCCIC). In September 2020, the DHS Office of the Inspector General (OIG) issued one of its periodic evaluations of DHS’ information sharing program and found continued problems:

It must be noted CISA largely concurred in these findings.

Nevertheless, it seems a bill establishing a new parallel reporting system and a new entity inside DHS will necessarily complicate the enterprise of encouraging entities to report information. To be fair, the Clarke/Katko bill is designed to require critical cyber infrastructure entities to report significant cyber incidents, a different class of information from the cyber threat indicators and defensive measures NCCIC already handles. And perhaps industry has little to no faith in NCCIC’s system, so starting fresh makes sense from, at the very least, a branding perspective. Having said all that, the bill’s drafters are looking to graft the new system onto the old system with respect to taxonomy and liability protection.

Most of the definitions come straight from Title I of the “Cybersecurity Act of 2015” (Division N of P.L. 114-113) except for a few, some of which will define the scope of the new reporting system. For example, who is a “covered entity” and what constitutes a “covered cybersecurity incident” and a “significant cyber incident” are definitions that CISA will need to hash out during a rulemaking process. When Congress delegates to an agency the responsibility of determining the scope of legislation, there is the benefit of allowing experts to work out tough questions of the sort that staff and Members lack the expertise to answer. However, rulemakings are where the potentially regulated can work throughout the process to dilute and defang rules in ways that frustrate policymakers if the agency does not have the expertise or will to push back. It seems likely many crucial players will claim to the agency that they should not be covered entities and that only the most serious incidents should trigger the reporting requirement.

As noted, the Clarke/Katko bill establishes a Cyber Incident Review Office “to receive, aggregate, and analyze reports related to covered cybersecurity incidents submitted by covered entities…to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.” More specifically, this new Office would:

  • receive, aggregate, analyze, and secure reports from covered entities related to a covered cybersecurity incident to assess the effectiveness of security controls and identify tactics, techniques, and procedures adversaries use to overcome such controls;
  • facilitate the timely sharing between relevant critical infrastructure owners and operators and, as appropriate, the intelligence community of information relating to covered cybersecurity incidents, particularly with respect to an ongoing cybersecurity threat or security vulnerability;
  • for a covered cybersecurity incident that also satisfies the definition of a significant cyber incident, or are part of a group of related cyber incidents that together satisfy such definition, conduct a review of the details surrounding such covered cybersecurity incident or group of such incidents and identify ways to prevent or mitigate similar incidents in the future;
  • with respect to covered cybersecurity incident reports under subsection (d) involving an ongoing cybersecurity threat or security vulnerability, immediately review such reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders, in coordination with other Divisions within the Agency, as appropriate;
  • publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cybersecurity incident reports under subsection (d); and
  • proactively identify opportunities, in accordance with the protections specified in subsections (e) and (f), to leverage and utilize data on cybersecurity incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable.

In short, this new Office would recreate a function DHS already has a system in place to perform, and hence critical cyber infrastructure entities could conceivably start receiving two sets of information about these sorts of incidents. Moreover, would this Office disseminate the information it receives on covered cyber incidents and significant cyber incidents to entities that do not qualify as critical cyber infrastructure? The bill is not clear on this point.

CISA would then have 400 days (14 months or so) to establish through an interim final rule the system to:

  • require covered entities to submit to the Office reports containing information relating to covered cybersecurity incidents; and
  • establish procedures that clearly describe—
    • the types of critical infrastructure entities determined to be covered entities;
    • the types of cybersecurity incidents determined to be covered cybersecurity incidents;
    • the mechanisms by which covered cybersecurity incident reports under subparagraph (A) are to be submitted, including—
      • the contents, described in paragraph (4), to be included in each such report, including any supplemental reporting requirements;
      • the timing relating to when each such report should be submitted; and
      • the format of each such report;
    • describe the manner in which the Office will carry out enforcement actions under subsection (g), including with respect to the issuance of subpoenas, conducting examinations, and other aspects relating to noncompliance; and
    • any other responsibilities to be carried out by covered entities, or other procedures necessary to implement this section.

CISA would need to coordinate with what were called the Sector-Specific Agencies (now known as Sector Risk Management Agencies) and other agencies as appropriate in establishing this reporting system. Also, CISA would have to take comments on the interim final rule and publish a final rule, meaning possible changes, within a year after the interim rule is published.

As part of this rulemaking, CISA would need to determine “which types of critical infrastructure entities are covered entities” and in defining who is a covered entity must consider

  • the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety;
  • the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country;
  • the extent to which damage, disruption, or unauthorized access to such an entity will disrupt the reliable operation of other critical infrastructure assets; and
  • the extent to which an entity or sector is subject to existing regulatory requirements to report cybersecurity incidents, and the possibility of coordination and sharing of reports between the Office and the regulatory authority to which such entity submits such other reports.

And so, instead of just deeming all entities regulated by Sector Risk Management Agencies (i.e. the 16 Critical Infrastructure Sectors), CISA would need to pick and choose based on the above criteria. From one point of view, if an entity is in a critical sector would not an attack or disruption pose a danger to other critical entities? Apparently, the bill’s drafters think otherwise and believe CISA should focus on the highest risk entities, which would have the likely effect of forcing hackers to exploit entities deemed lower risk and their inevitable connections to higher risk entities.

Moreover, the criteria seem to lend themselves to not deeming as covered entities those companies that currently have reporting requirements. Certain Defense Industrial Base (DIB) contractors already have reporting responsibilities, so depending on how well the DOD would share these reports with CISA, would DIB entities not be covered entities? Or maybe they would become covered entities and then need to report to both agencies. Entities in the electric grid also have some mandatory reporting requirements, namely “cyber security incidents that either compromise or attempt to compromise Electronic Security Perimeters, Electronic Access Control or Monitoring Systems, and Physical Security Perimeters associated cyber systems.”

Also, the DIB and electric grid reporting requirements are not as broad as the new ones CISA would put in place, possibly leading to a system in which two critical sectors either underreport incidents through the current system or face duplicative reporting requirements. The latter, while not perfect, is preferable from the view of cybersecurity.

In establishing the new reporting system CISA will have to determine which cyber incidents shall be covered cyber incidents that trigger a reporting requirement. The bill provides criteria the agency must use along with “minimum thresholds.” To wit, Clarke and Katko would require CISA to consider:

  • the sophistication or novelty of the tactics used to perpetrate such an incident, as well as the type, volume, and sensitivity of the data at issue;
  • the number of individuals directly or indirectly affected or potentially affected by such an incident; and
  • potential impacts on industrial control systems, such as supervisory control and data acquisition systems, distributed control systems, and programmable logic controllers.

The language suggests CISA may be making determinations on what is a covered cyber incident on a case by case basis, but it seems more likely CISA needs to determine the “types” of cyber incidents that would be covered cyber incidents.

But the bill takes an odd turn in specifying “minimum thresholds” for what are covered cyber incidents and requires that “a cybersecurity incident shall, at a minimum, include at least one of the following:

  • Unauthorized access to an information system or network that leads to loss of confidentiality, integrity, or availability of such information system or network, or has a serious impact on the safety and resiliency of operational systems and processes.
  • Disruption of business or industrial operations due to a distributed denial of service attack, a ransomware attack, or exploitation of a zero-day vulnerability, against—
    • an information system or network; or
    • an operational technology system or process.
  • Unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by a compromise of, a cloud service provider, managed service provider, other third-party data hosting provider, or supply chain attack.

The first of the minimum thresholds seems like an easy bar to clear for most notable cyber incidents, and it may be the agency comes to lean heavily on this criterion in making this determination. The second criterion seems oddly specific in a way that could render it obsolete as other attacks arise. The third one seems broad enough for most attacks and seems fine. However, all three criteria seem to contemplate actual or successful attacks and potential attacks may be outside the definition of covered cybersecurity incident.

However, that CISA must use the above minimum thresholds in determining what types of attacks are covered cyber incidents raises other questions. Must the agency formulate a definition so that prospectively covered entities will know what types of incidents must be reported? Or is this to be a determination CISA will make as attacks are discovered? Surely, the agency would articulate guidelines or criteria in the interim final rule to put potentially covered entities on notice? However, the bill is not clear on this point. Moreover, even if this supposition is right, would this not create an opportunity for covered entities to argue with CISA about whether an incident is, in fact, covered and requires reporting and disclosure? It would seem so.

The agency must also establish a timeline for reporting covered cybersecurity incidents “but in no case may [CISA] require reporting by a covered entity earlier than 72 hours after confirmation that a covered cybersecurity incident has occurred.” The Warner-Rubio-Collins bill requires reporting within 24 hours of confirmation of a cybersecurity intrusion or potential cybersecurity intrusion. Nonetheless, the Clarke/Katko bill would require CISA to keep in mind other, current reporting requirements and to weigh its need for situational awareness vis-à-vis a covered entity’s need to investigate and respond to incidents.

Also of concern is allowing covered entities to confirm a covered cybersecurity incident has occurred. This could result in entities delaying notification for any number of reasons, including concerns about reputational risk or legal consequences. I think the language should be revised to require reporting upon suspicion that a covered cyber incident has occurred with supplemental reporting to follow.

Strangely, the Clarke/Katko bill would permit covered entities to submit reports of covered incidents through third parties or Information Sharing and Analysis Organizations (ISAO). Why this is necessary is not discernible from the bill. Surely covered entities could report cyber intrusions directly, and involving a third party seems like it would add complexity and difficulties.

Next comes a weird section, which I will quote in full:

Covered entities shall submit promptly to the Office an update or supplement to a previously submitted covered cybersecurity incident report if new or different information becomes available that would otherwise have been required to have been included in such previously submitted report. In determining reporting timelines, the Director may choose to establish a flexible, phased reporting timeline for covered entities to report information in a manner that aligns with investigative timelines and allows covered entities to prioritize incident response efforts over compliance.

The first sentence makes sense. Covered entities should be required to submit more information to supplement initial reports. It is the second sentence that seems out of place and somewhat inexplicable. It would appear this is a drafting or organizational error, for the intent appears to be that CISA would have discretion to permit covered entities to use a “flexible, phased reporting timeline” that allows covered entities to prioritize investigation and response over compliance. It appears this would refer to the entire reporting timeline and not just supplemental reports. This, too, is not clear. However, surely a covered entity can walk and chew gum at the same time and inform CISA of the incident while tending to the organization’s needs.

The bill lays out the type of information covered entities must include in their reports and shall “coordinate with the Office to the extent necessary to comply with this section, and, to the extent practicable, cooperate with the Office in a manner that supports enhancing the Agency’s situational awareness of cybersecurity threats across critical infrastructure sectors.”

CISA also has the responsibility of harmonizing the new reporting system with existing systems and other agencies with existing reporting systems.

As a baseline, agencies may not retain, use, or disclose information submitted to CISA unless the agency determines “disclosure, retention, or use is necessary for

  • a cybersecurity purpose;
  • the purpose of identifying—
    • a cybersecurity threat, including the source of such threat; or
    • a security vulnerability;
  • the purpose of responding to, or otherwise preventing, or mitigating a specific threat of—
    • death;
    • serious bodily harm; or
    • serious economic harm, including a terrorist act or a use of a weapon of mass destruction;
  • the purpose of responding to, investigating, prosecuting, or otherwise preventing or mitigating a serious threat to a minor, including sexual exploitation or threats to physical safety; or
  • the purpose of preventing, investigating, disrupting, or prosecuting an offense related to a threat—
    • described in subparagraphs (B) through (D); or
    • specified in section 105(d)(5)(A)(v) of the Cybersecurity Act of 2015[1]

CISA would have a lot of latitude to justify keeping, sharing, and deploying the information covered entities submit. However, if the Office determines “the incident that is the subject of such report is connected to an ongoing cybersecurity threat or security vulnerability,” it may “use such report to identify, develop, and rapidly disseminate to appropriate stakeholders actionable, anonymized cyber threat indicators and defensive measures” without a determination from CISA.

However, the bill bars Federal, State, Tribal, or local governments from using information in reports submitted to the Office for any regulatory use “including through an enforcement action, the lawful activities of any non-Federal entity.” There is one exception. These reports “may, consistent with Federal or State regulatory authority specifically relating to the prevention and mitigation of cybersecurity threats to information systems, inform the development or implementation of regulations relating to such systems.” And so any federal agency or state government agency would need to have existing authority, aside and apart from the bill, to use the information in a report to develop and implement rules to mitigate cyber threats to information systems. This seems like fighting with an arm tied behind one’s back. It seems like a natural use of this information to craft and improve cybersecurity regulation.

The Clarke/Katko bill would extend the liability protection from the “Cybersecurity Act of 2015” entities have for monitoring their information systems and sharing information with NCCIC. Consequently, covered entities required to submit information and even entities that voluntarily submit information would be shielded from lawsuits on the basis of the information in their reports on cyber incidents. These reports are also exempted from federal and state freedom of information statutes and “considered the commercial, financial, and proprietary information of the covered entity when so designated by the covered entity.”

Incidentally, the Clarke/Katko bill requires CISA and the Office to hew to the privacy and civil liberties standards DHS developed for its information sharing program per the “Cybersecurity Act of 2015.”

The enforcement provisions are weak. If CISA catches wind of a cyber incident that may be a covered cybersecurity incident that a covered entity did not report, the agency is supposed to ask the entity for information to determine whether the incident is indeed a covered cybersecurity incident. But this information would still receive all the same legal protection as if the covered entity had submitted it in a report to the Office. If, after a week, the covered entity has not responded, CISA can issue a subpoena to compel production of the requested information. If the entity thumbs its nose at CISA’s subpoena, the agency may seek enforcement of the subpoena in federal court. If the court agrees with CISA, a failure to comply would place the entity in contempt of court. If CISA determines “the facts relating to the cybersecurity incident at issue may constitute grounds for a regulatory enforcement action or criminal prosecution,” it may refer the case to the Department of Justice, which is not obligated to investigate or prosecute.

There is a provision that would allow non-covered entities to voluntarily submit information on cyber incidents to the Office, and, as mentioned, these reports would receive the same legal protection as reports required to be filed by covered entities. Might non-covered entities use this as a means to acquire liability protection to possibly shield them from lawsuits?

If CISA “receives information regarding a cybersecurity incident impacting a Federal agency relating to unauthorized access to data provided to such Federal agency by a covered entity, and with respect to which such incident is likely to undermine the security of such covered entity or cause operational or reputational damage to such covered entity,” the agency must notify the covered entity and provide the information necessary for the entity to address the risks posed by the intrusion. CISA’s responsibility extends to mere cybersecurity incidents and not the smaller universe of covered cybersecurity incidents.

Once the reporting system has been established, CISA must conduct outreach to inform covered entities about the new requirements.


[1] (v) the purpose of preventing, investigating, disrupting, or prosecuting an offense arising out of a threat described in clause (iii) or any of the offenses listed in—

(I) sections 1028 through 1030 of title 18 (relating to fraud and identity theft);

(II) chapter 37 of such title (relating to espionage and censorship); and

(III) chapter 90 of such title (relating to protection of trade secrets).

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Photo by Josh Hild on Unsplash

Photo by Greg Weaver on Unsplash
