Recent cybersecurity incidents, notably the sophisticated nation-state-backed supply chain compromise of SolarWinds and the profoundly disruptive ransomware attack on Colonial Pipeline, have placed the cybersecurity posture of the U.S. in sharp focus. Of particular interest to U.S. policymakers is understanding the lessons that can be learned from these significant cybersecurity incidents. The need for “greater visibility” into private sector cyber incidents has been a consistent message from the administration, which was brought a step closer to reality last month when President Biden signed an Executive Order (EO) on Improving the Nation’s Cybersecurity.
State of Play
President Biden’s EO lays the groundwork necessary for a more robust investigation and examination of cybersecurity incidents in the private sector. For example, the EO directs the development of new requirements that federal contractors and service providers will have to adhere to related to data retention and incident reporting. It also establishes a Cyber Safety Review Board (the Board) to review both federal and non-federal “significant cyber incidents.” ITI is encouraged to see that the Board’s composition includes relevant private sector stakeholders, evidencing the Biden Administration’s desire to deepen the public-private collaboration necessary to further the United States’ cybersecurity posture.
In the U.S., members of the U.S. Congress from both parties, as well as the influential Cyberspace Solarium Commission, are exploring proposals that aim to tackle the persistent challenge of creating a robust, collaborative exchange of cyber incident information. Indeed, U.S. Senator Mark Warner recently stated that mandatory reporting is “one of the few areas left where there’s broad bipartisan support.” As such, a broad spectrum of legislative efforts is emerging that would require reporting of a range of cybersecurity incidents, some focusing on gathering security information from critical infrastructure owners and operators, and others aimed at protecting consumer privacy through mandatory data breach notification laws.
What is Incident Reporting?
It is important to distinguish between data breach notification laws and the concept of incident reporting. Data breach notification laws focus on protecting consumers by requiring companies to publicly disclose a compromise involving a consumer’s private information, such as a Social Security number or banking information. In the U.S., there are more than 50 state and local laws focused on data breach notification. Cybersecurity incident reporting, by contrast, is aimed at notifying government entities of a compromise and gathering the technical details about how the organization was compromised by hackers.
This distinction is significant because the policy foundations and legal concepts applicable to data breach notification are not analogous to the challenges facing computer forensic specialists, incident responders, or federal law enforcement and homeland security agencies. An incident report to the Federal Bureau of Investigation (FBI) or the Cybersecurity and Infrastructure Security Agency (CISA) will focus on the tactics, techniques, and procedures of the attacker, the technical details of the vulnerability that the attacker exploited, and the kinds of systems that were compromised. As the Colonial Pipeline attack exemplifies, not all significant cyberattacks that may be worthy of reporting to federal authorities are data breaches.
It is also important to differentiate between cyber threat information sharing and cyber incident reporting. The former is focused on getting ahead of attackers, while the latter is aimed at investigating, mitigating, and responding to a compromise that has already occurred. If cybersecurity incident notification looks at the past, then threat information sharing is about the future. Sharing threat information helps entities better understand and assess cybersecurity risks so that network defenders can work to prevent an incident from occurring. In the U.S., the Cybersecurity Act of 2015 is the primary legal foundation for such information sharing, providing privacy safeguards and liability protections for entities that engage in bidirectional sharing of cyber threat information between the private sector and the federal government.
Why Incident Reporting Matters and Key Considerations
Getting an incident reporting regime right is important, and there are many complex questions associated with developing and implementing such a regime. ITI is exploring policy considerations raised by proposed security incident reporting regimes, with an emphasis on reporting surrounding significant incidents and not the regular sharing of threat information. ITI will focus on a range of questions relevant to developing a robust and effective public-private collaboration that explores the forensic details of the incident. These include:
- What is the threshold for a cybersecurity incident to be relevant enough to be reported to federal actors?
- What is a feasible reporting timeline?
- Which entity or entities, such as third parties or vendors, should be responsible for reporting incidents?
- Which federal agency or agencies should be the recipient of cyber incident information?
- What are the relevant categories of information necessary for an effective incident report?
ITI and our members strongly believe that cybersecurity is a shared responsibility that requires collaboration between public and private sector actors. We appreciate the Biden Administration’s and Congress’ attention to these complex issues. Notably, the Biden Administration’s EO on cybersecurity makes numerous references to developing the standards, guidelines, and policies based on stakeholder engagement and feedback. ITI is eager to continue to engage with U.S. policymakers to share views on these and other proposals.