Cyber Incident Reporting for Critical Infrastructure Act Signed Into Law

The U.S. Congress has now passed, and President Joe Biden has now signed, the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The bill will amend the Homeland Security Act of 2002 to establish a Cyber Incident Review Office in the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and would require critical infrastructure firms to disclose cybersecurity incidents to this office within 72 hours of discovery and within 24 hours of making a ransom payment.

Proponents of the bill claim that this timeframe will help ensure that CISA receives actionable information on significant incidents, while also giving incident responders enough time to do forensic analysis on the intrusion and determine its impact.

CISA Director, Jen Easterly, lauded the passage of the bill saying that it “marks a critical step forward in the collective cybersecurity of our nation” and would “build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure”.

This bill is part of a flurry of legislative efforts to combat cybersecurity threats to critical infrastructure in the wake of major cyberattacks such as the SolarWinds hack and the Colonial Pipeline incident. The full Cyber Incident Reporting for Critical Infrastructure Act of 2021 is available online to read and download here.

As specified in this bill, CISA will manage the following six aspects related to the information it receives:

1. Receive and analyze reports to assess the effectiveness of security controls and identify tactics, techniques, and procedures adversaries use to overcome such controls.
2. Facilitate the timely sharing between relevant critical infrastructure owners and operators, and the intelligence community of information relating to covered cybersecurity incidents.
3. Conduct a review of the details surrounding a significant cybersecurity incident, and identify ways to prevent or mitigate similar incidents in the future.
4. Review reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stake holders.
5. Publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cybersecurity incident reports.
6. Proactively identify opportunities to leverage and utilize data on cybersecurity incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations.

While this bill is encouraging since the Federal government is taking notice of the cybersecurity challenges facing critical infrastructure, it has also faced criticism over the 72-hour timeline, with critics questioning whether that is enough time for an organization to identify and gather relevant, helpful information on a potential security breach. The bill also provides a relatively vague definition for who is compelled to report an incident and what is considered a reportable incident, which could lead to confusion during implementation.

The bill also doesn’t address or incentivize the implementation of foundational security controls, such as the US government’s NIST Cybersecurity Framework, across critical infrastructure sectors to protect them from cyberthreats and maintain the availability and safety of OT systems. Focusing too narrowly on information sharing or threat modeling won’t do much to stop the impacts of a cyberattack. You don’t invest in expensive surveillance cameras without installing locks on your doors and windows first, and the same holds true for cybersecurity. Perhaps as the bill progresses through Congress some of these shortcomings will be addressed.