On Tuesday, President Joe Biden signed into law a federal cyber attack reporting requirement aimed at protecting critical infrastructure in the United States.
The Strengthening American Cybersecurity Act of 2022 was created to shore up cyberdefenses and increase the power of agencies investigating cybersecurity incidents. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a part of the new law that focuses on how critical infrastructure organizations must report cyber attacks to the federal government, specifically the Cybersecurity and Infrastructure Security Agency (CISA).
The Critical Infrastructure Act states that an entity in the critical infrastructure sector "shall report the covered cyber incident to the Agency not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred." It also says that the director of CISA may not require a report any earlier than that 72-hour mark.
Peter Guffin, chair of law firm Pierce Atwood's privacy and data security practice, discussed the aim of the law with SearchSecurity.
"As its name suggests, the Strengthening American Cybersecurity Act, passed by the U.S. Senate last week, aims to bolster the defenses of federal government agencies and critical infrastructure owners, such as energy and healthcare facilities, against major cyberthreats and cyber incidents, including ransomware attacks," Guffin said. "The expectation is that the prompt reporting and subsequent sharing of such information will arm federal agencies and critical infrastructure owners with the information they need to be able to defend themselves against major cyberthreats and incidents."
On top of the initial report, any entity that submits a ransom payment to a threat actor must also report that they did so to CISA within 24 hours of delivering the payment.
The law details not only the timeline for reporting cyber attacks and specifically ransomware attacks on critical infrastructure, but also outlines the new powers and responsibilities given to CISA.
The law identifies CISA as the head agency in charge of collecting and analyzing the data on cyber incidents, but it also dictates that the agency must "coordinate and share information with appropriate Federal departments and agencies to identify and track ransom payments, including those utilizing virtual currencies."
Sharing information with other agencies was a sticking point when the bill got to Congress, as it did not explicitly require CISA to assist other agencies, something that the Department of Justice took issue with.
The bill was passed by the House, however, and was adjusted so that all federal agencies were able to see what reported incidents CISA was handling if they wished. It also stated that CISA was required to share relevant findings with not just federal departments, but local entities as well.
Subsection (a)(4-5) of section 2241 states that the agency must provide "timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures," to all "appropriate entities, including sector coordinating councils, Information Sharing and Analysis Organizations, State, local, Tribal, and territorial governments, technology providers, cybersecurity and cyber incident response firms, and security researchers."
Another key part of the law comes from a subsection titled "Periodic Briefing," which states that on the first day of each month, the director of CISA must collaborate with the national cyber director, attorney general and the director of national intelligence to give a briefing on the "national cyber threat landscape." This briefing would feature the total number of reports received by CISA in the previous month, new trends in cyber incidents and ransomware attacks, and how the past month compares to the month before it. It also says that the briefing must have a summary of how the information in the received reports was used by CISA.
The law requires the briefings to be delivered to the majority and minority leaders of the Senate, the speaker of the House and the minority leader of the House, the Senate Committee on Homeland Security and Governmental Affairs and the House Committee on Homeland Security.
What is still left
As far as how this new critical infrastructure law relates to state data breach notification requirements, Guffin said that it borrows from and enhances some of the laws produced by state legislatures.
"By requiring the prompt reporting of and sharing of information regarding actual data security incidents, the Act adopts, but vastly strengthens and improves upon, a sound regulatory model found in most existing data breach notification laws in the U.S.," he said.
While this law focuses on critical infrastructure attacks and informing federal agencies, it does differ in how American citizens receive data breach notifications under different state laws. The federal law does not require critical infrastructure entities to inform U.S. citizens of cyber attacks. The only requirement is to inform federal agencies, and that leaves millions of Americans potentially in the dark about cyber attacks.
As of 2018, each state within the U.S. has some form of data breach notification law. While they all differ as far as how data breaches are reported to federal agencies and state governments, they all have one thing in common: They require entities to notify victims if their personal information may have been exposed or stolen.
Heidi Shey, a principal analyst at Forrester Research, discussed obstacles that are holding the U.S. back from enacting a federal data breach notification law.
"I think some of this stems from how the U.S. as a whole thinks about privacy and consumer privacy, because compared to a place like Europe, which looks at it as a fundamental right, you have a right to privacy," Shey told SearchSecurity. "Whereas I think in the U.S., it's more of this perspective of a trade-off. Because of that, I think there's greater tie into this environment of what is considered a business-friendly type of policy or regulation versus what is about protecting consumers and their privacy."