The U.S. Congress has passed, and President Joe Biden has signed, the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The bill amends the Homeland Security Act of 2002 to establish a Cyber Incident Review Office in the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and requires critical infrastructure firms to disclose cybersecurity incidents to this office within 72 hours of discovery and within 24 hours of making a ransom payment.
Proponents of the bill claim that this timeframe will help ensure that CISA receives actionable information on significant incidents, while also giving incident responders enough time to do forensic analysis on the intrusion and determine its impact.
CISA Director Jen Easterly lauded the passage of the bill, saying that it “marks a critical step forward in the collective cybersecurity of our nation” and would “build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure”.
This bill is part of a flurry of legislative efforts to combat cybersecurity threats to critical infrastructure in the wake of major cyberattacks such as the SolarWinds hack and the Colonial Pipeline incident. The full Cyber Incident Reporting for Critical Infrastructure Act of 2021 is available online to read and download here.
As specified in this bill, CISA will manage the following six aspects related to the information it receives:
While it is encouraging that the federal government is taking notice of the cybersecurity challenges facing critical infrastructure, the bill has also faced criticism over the 72-hour timeline, with critics questioning whether that is enough time for an organization to identify and gather relevant, helpful information on a potential security breach. The bill also provides a relatively vague definition of who is compelled to report an incident and what counts as a reportable incident, which could lead to confusion during implementation.
The bill also doesn’t address or incentivize the implementation of foundational security controls, such as the US government’s NIST Cybersecurity Framework, across critical infrastructure sectors to protect them from cyberthreats and maintain the availability and safety of OT systems. Focusing too narrowly on information sharing or threat modeling won’t do much to stop the impacts of a cyberattack. You don’t invest in expensive surveillance cameras without installing locks on your doors and windows first, and the same holds true for cybersecurity. Perhaps as the bill progresses through Congress some of these shortcomings will be addressed.