Congress adds historic cyber incident reporting rule to massive $1.5 trillion spending package

Dive Brief:

Congress passed landmark legislation Thursday that mandates critical infrastructure providers and federal agencies promptly report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
The historic reporting requirements are part of a $1.5 trillion omnibus spending bill that President Joe Biden signed Friday. CISA Director Jen Easterly praised the legislation in a statement Friday, noting the provisions will give her agency better visibility and data to protect businesses and critical infrastructure.
Some reporting requirements already exist for electric utilities, and the industry must now work to "develop the rules to harmonize new and existing reporting requirements," Edison Electric Institute Senior Vice President, Security and Preparedness, Scott Aaronson said in a statement.

Dive Insight:

Security experts have strongly advocated for reporting requirements following the 2020 supply chain attacks on SolarWinds and the rash of ransomware attacks on critical infrastructure providers, including Colonial Pipeline.

"CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure," Easterly said in the statement.

"This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims," she added.

Critical Infrastructure Protection (CIP) rules overseen by the North American Electric Reliability Corp. already require utilities to report some attacks. Aaronson said that the electric sector "will be working with CISA and our other government partners" to integrate new requirements with existing rules.

Electric utilities are generally well-protected by investments in cybersecurity and the adherence to CIP standards, experts say. But the most sophisticated hackers do have the capability to crash parts of the U.S. grid, government officials have conceded.

The incident reporting legislation has been the subject of fierce debate within the information security community. Numerous companies had declined to notify federal agencies of ransomware and supply chain attacks prior to the SolarWinds nation-state attack and subsequent ransomware incidents.

Among the many concerns companies had were potential litigation from investors if companies incurred major costs as well as potential investigations from federal or state regulators.

Federal authorities have urged prompt notification so they can alert other potential targets. Investigations of the SolarWinds attack uncovered that threat actors were, in some cases, lurking in the systems of unsuspecting companies since late 2019, almost a year before the attack was uncovered in December 2020.

A major turf war recently erupted over which agency should receive the incident reports. The question centered on whether CISA should be the only mandated federal agency, or the FBI, which plays a central role in investigation and notification of ransomware and nation-state threats.

Katell Thielemann, Gartner Research vice president analyst, said via email, "But as always, the devil will be in the details of implementation and in the outcomes that the reporting will support."