Cyber Reporting Law Offers Broad Safe Harbor
There’s a wind of change blowing through federal cybersecurity policy. The new SEC proposal for mandatory disclosure of cybersecurity incidents by publicly traded companies is one straw in that wind. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is another. But it’s a pretty hefty straw.
Attached to the omnibus spending package President Biden signed March 15, the new law requires “critical infrastructure operators” to report “substantial cyber incidents” to the Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to report ransomware payments within 24 hours. CISA must now begin a rule-making process to implement the new law.
Companies, even those not covered by the law, that report cyber incidents voluntarily will get broad safe harbor and immunity. Reports will be protected from Freedom of Information Act requests, cannot be used as the basis for regulatory or enforcement actions and may not be introduced as evidence in any court proceeding.
The law defines a “cyber incident” as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.”
The law provides little guidance on what might constitute a critical infrastructure operator, beyond a reference to the 16 critical infrastructure sectors long defined by federal regulation. But it mandates CISA to draft regulations that properly define both the companies covered and the types of incidents that will have to be reported.
CISA Director Jen Easterly called the new law “a game-changer” and “a critical step forward in the collective cybersecurity of our nation.”
“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and quickly share that information with network defenders to warn other potential victims,” Easterly said.
Indeed, the new law is the result of a growing realization that the government doesn’t have good information about the exact shape and scale of the cyber problem, said Seth DuCharme, former chief of the national security and cyber crime section in the U.S. Attorney’s Office for the Eastern District of New York.
The number of ransomware attacks, for instance, has grown explosively over the past few years, yet many if not most go unreported. The scale of unreported attacks can be clearly seen in the wake of the Conti leaks, a huge dump of internal message traffic from the Conti ransomware gang.
An analysis by cryptocurrency tracking firm Chainalysis, which totaled Bitcoin ransomware payments made in publicly reported attacks, found payments to Conti totaling $180 million last year. But the Conti leaks revealed the gang’s Bitcoin wallet addresses, and one report found that the primary wallet contained cryptocurrency worth as much as $2 billion. Conti has been active, and presumably filling that wallet, for more than three years, but the figures nevertheless suggest that the great majority of ransom payments—and therefore ransomware attacks—are not reported.
U.S. intelligence and law enforcement agencies have grown increasingly concerned about “a very high level of under-reporting” of cyber incidents, DuCharme told SIGNAL Media.
“It’s hard to make policy choices, to adopt a more aggressive posture towards cyber threats, if you don’t have good data about the problem,” said DuCharme, now an attorney in private practice for the global law firm Bracewell. “It’s impossible for the government to have confidence in its strategies … if it is suffering from an information deficit.”
With the Russian invasion of Ukraine ratcheting up the cyber threat, the government was trying to put the country on “nearly a war footing” in cyberspace, he said. But without visibility into the true scope and scale of the attacks being launched, it was effectively operating in the dark. “The victim companies are the ones with the information about what happened, and if they don’t come forward, the government won’t get the information it needs,” he said.
From their very beginning, at the turn of the century, federal efforts to improve the cybersecurity of America’s critical infrastructure have revolved around partnership with the private sector. It’s an approach born of necessity as much as anything else because the vast majority of critical infrastructure is owned and operated privately.
And even though much of it—banking, the power grid, telecommunications and healthcare, for example—was already regulated, a two-year rule-making process isn’t an ideal way to respond to a fast-developing cyber threat. But that approach left the government dependent on private sector reporting to learn the extent of cyber attacks.
Initially, DuCharme said, the carrot offered for reporting was information in return, including clearances for executives and classified briefings on cyber threats. But that quickly became less attractive as private sector cyber threat intelligence grew in sophistication. “At a certain point, the seesaw tipped and the private sector actually had as much, sometimes more, information about the threats than the government,” and could communicate it faster, he said.
Now, DuCharme added, the Biden administration was showing more interest in possible sticks. “I think the administration signaled early on … that it was time for the private sector to get their house in order.”
Law enforcement and regulatory agencies “are adopting a more aggressive posture,” he said. One example is the Justice Department’s Civil Cyber-Fraud Initiative, launched last October, targeting contractors who take government money without meeting mandatory cybersecurity standards. In March, the initiative claimed its first victory: A Florida healthcare company that provided medical services at State Department and Air Force facilities in Iraq and Afghanistan paid $930,000 to settle allegations that it charged for a secure electronic medical records system, or EMR, but then didn’t ensure all EMR were stored on it.
Deputy Attorney General Lisa O. Monaco, announcing the initiative, framed it as, in part, an information-gathering exercise. “For too long, companies have chosen silence under the mistaken belief that it is less risky to hide a breach than to bring it forward and to report it,” she said.
This more aggressive posture on enforcement made the safe harbor provisions the new reporting law offered all the more attractive, DuCharme pointed out. “You need to have safeguards so you don’t end up punishing the victims.”
Cyber attacks, especially widespread, destructive penetrations like ransomware, are extremely complex incidents, DuCharme said. The response requires high stakes decisions that might balance investigative visibility against a swift recovery. And in the midst of this, some companies will now have to make mandatory federal disclosures.
“What they’re saying effectively is: ‘Tell us right away about this incident, even though you may not properly understand yourselves what happened, or what went wrong.’ Obviously, a company might see some risk there,” he explained. “The less time you give companies to respond, the broader the safe harbor provisions need to be to encourage compliance.”
But critics of the new law zero in on its impact on response. They argue it will divert scarce resources away from responding to fulfill the new reporting mandate.
“We are hundreds of thousands of people short and the attacks are growing like crazy,” Larry Clinton, president of the Internet Security Alliance, told SIGNAL Media. The Internet Security Alliance is a multisector trade association that promotes a market-based partnership approach to federal cybersecurity policy. The association didn’t take a position on the law, but Clinton believes it is “ill-considered.”
Under the reporting requirements of the new law, Clinton said, “When you find out you’ve been attacked and you’re trying to respond, you immediately have to pause to bring in the lawyers, and get all of your security people filling out compliance forms when they actually need to be responding to the attack.”
“I think it’s not going to be helpful, and it’s probably going to be hurtful,” said Clinton, adding that “There are much more important things Congress should be spending its time on, like for instance workforce development.”
Clinton challenged the very basis of the law, which is the proposition that more information sharing will aid the government’s response.
“The whole notion that, once the government is aware of these breaches, they’re going to be able to help resolve them is not borne out by the facts,” he said, citing a GAO report last year that reported negative stakeholder feedback about CISA information sharing programs.