Cyber Incident Reporting for Critical Infrastructure Act of 2021 Introduced by US House of Representatives


The U.S. House Homeland Security Committee recently introduced the Cyber Incident Reporting for Critical Infrastructure Act of 2021. The bill seeks to amend the Homeland Security Act of 2002 to establish a Cyber Incident Review Office in the Cybersecurity and Infrastructure Security Agency (CISA) of the Department of Homeland Security and would require critical infrastructure firms to disclose cybersecurity incidents to this office within 72 hours of discovery. Proponents of the bill claim that this timeframe will help ensure that CISA receives actionable information on significant incidents, while also giving incident responders enough time to do forensic analysis on the intrusion and determine its impact.

This bill is part of a flurry of legislative efforts to combat cybersecurity threats to critical infrastructure in the wake of major cyberattacks such as the SolarWinds hack and the Colonial Pipeline incident. The full Cyber Incident Reporting for Critical Infrastructure Act of 2021 is available online to read and download here.

As specified in this bill, CISA will manage the following six aspects related to the information it receives:

  1. Receive and analyze reports to assess the effectiveness of security controls and identify tactics, techniques, and procedures adversaries use to overcome such controls.
  2. Facilitate the timely sharing between relevant critical infrastructure owners and operators, and the intelligence community of information relating to covered cybersecurity incidents.
  3. Conduct a review of the details surrounding a significant cybersecurity incident, and identify ways to prevent or mitigate similar incidents in the future.
  4. Review reports for cyber threat indicators that can be anonymized and disseminated, with defensive measures, to appropriate stakeholders.
  5. Publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cybersecurity incident reports.
  6. Proactively identify opportunities to leverage and utilize data on cybersecurity incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations.

While this bill is encouraging since the Federal government is taking notice of the cybersecurity challenges facing critical infrastructure, it has also faced criticism over the 72-hour timeline, with critics questioning whether that is enough time for an organization to identify and gather relevant, helpful information on a potential security breach. The bill also provides a relatively vague definition for who is compelled to report an incident and what is considered a reportable incident, which could lead to confusion during implementation.

The bill also doesn’t address or incentivize the implementation of foundational security controls, such as the US government’s NIST Cybersecurity Framework, across critical infrastructure sectors to protect them from cyberthreats and maintain the availability and safety of OT systems. Focusing too narrowly on information sharing or threat modeling won’t do much to stop the impacts of a cyberattack. You don’t invest in expensive surveillance cameras without installing locks on your doors and windows first, and the same holds true for cybersecurity. Perhaps as the bill progresses through Congress some of these shortcomings will be addressed.
