Federal officials are beginning work with the private sector to prepare for the historic provision passed last week that requires critical infrastructure providers to notify the Cybersecurity and Infrastructure Security Agency of malicious cyber intrusions.
Critical providers including utilities, banks, energy providers and other sectors will have to alert CISA within 72 hours of a major cyberattack or 24 hours of a ransom payment under new federal regulations. The requirements are part of a long-sought partnership that shields companies from liability and allows for rapid intelligence sharing.
The legislation gives CISA the authority to subpoena companies that fail to adhere to the reporting requirements and refer them to the Department of Justice if they fail to provide the requested information.
The Edison Electric Institute, which represents investor-owned utilities, said it will work with CISA and "other government partners" to integrate new requirements into rules that already exist for the electric power sector. Some reporting requirements already exist for utilities, through Critical Infrastructure Protection (CIP) rules overseen by the North American Electric Reliability Corp.
The industry will work to "harmonize new and existing reporting requirements," EEI Senior Vice President, Security and Preparedness, Scott Aaronson said in a statement.
The goal of the legislation is to provide legal cover for companies to share threat intelligence with law enforcement and government agencies. The SolarWinds attack showed how federal authorities had little to no insight into the nation's IT infrastructure.
The private sector has only informed government agencies of about 30% of cyberattacks they have encountered, said Sen. Mark Warner, D-Va., chairman of the Senate Intelligence Committee, during a hearing last week on worldwide threats. That means the government has no intelligence on about 70% of the cyber threats facing the U.S.
Executives in the C-suite and shareholders often keep data breaches and cyberattacks on a need-to-know basis, fearing the embarrassment of public disclosure and concerned that information sharing would open them to investor suits, law enforcement probes and irreversible damage to brand reputation.
"Many companies have historically wanted to maintain plausible deniability because the disclosure of cyber intrusions has a material impact and is a source of significant reputational risk," Tom Kellermann, head of cybersecurity strategy at VMware, said via email. "For too long, the curtain of plausible deniability has been undermining cybersecurity investment."
The new legislation will help close visibility gaps for investigators and security responders, said Robert Sheldon, director of public policy and strategy at CrowdStrike, one of the nation's top cybersecurity and incident response firms. CISA and other relevant government agencies need timely access to threat and ransomware information, he said.
"Cyberattacks targeting critical infrastructure have grown increasingly severe and impactful over the past couple of years," Sheldon said.
Closing those gaps for both investigators and responders can help strengthen the overall security posture of critical infrastructure providers, Sheldon said.
Reporting alone is not a defense, however. Providers still need to adopt proactive best practices, including endpoint detection and response, zero trust and sound log protection.
Top vendors weigh in
In the months following the December 2020 discovery of the SolarWinds attack, Microsoft was a major proponent of greater information sharing between industry and the federal government.
Microsoft was itself a target of the SolarWinds threat actor, which it dubbed Nobelium. It publicly called out numerous other information technology firms that were known to have been hit by the same actor, whether through the SolarWinds vector or directly, but had not publicly shared detailed threat information.
"Amid increased threats from nation-state adversaries and cyber criminals, it's great to see Congress pass bipartisan incident reporting legislation — a strong step to shore up our nation's cyber defenses in critical infrastructure and strengthen the cyber ecosystem," Tom Burt, corporate vice president, customer security and trust at Microsoft said in a tweet after the Senate passed the incident reporting provision.
SolarWinds, which was originally notified of the attack by FireEye Mandiant researchers, said it readily shared threat information with federal authorities after the attack.
Companies need to be open and transparent in disclosing incidents in order to keep malicious attacks from spreading to other companies, the company said.
"SolarWinds voluntarily notified the U.S. government when we learned of the Sunburst incident, which targeted SolarWinds and other companies, and we offered complete and total cooperation," Chip Daniels, head of government affairs at SolarWinds, said in an emailed statement. "The nature of today's cyberthreat landscape means the defense roles of the public sector and private companies are more interconnected now than ever - cybersecurity is everybody's responsibility."
SolarWinds fully supports the new regulations, Daniels said, and described the approach by CISA Director Jen Easterly and her team as spot-on.
The practical effect of the legislation depends on interim rules that CISA has yet to issue. Daniels added that SolarWinds is looking forward to more details on how the process will play out.
What it gives authorities
Beyond sharing cyberthreat information, the new regulations are designed to give federal authorities more insight and actionable intelligence on ransomware and extortion crimes in real time.
While companies have been reluctant to share information on data breaches and supply chain attacks, they have been even more secretive about ransomware attacks. The hesitation stems in part from the possibility of threat actors posting sensitive company data or compromising information on the Dark Web, or selling it to secondary threat actors.
Colonial Pipeline executives quietly shared information about $4.4 million in payments made to the threat actors, following an attack that caused a six-day shutdown of its massive fuel pipeline. The FBI was able to recover about $2.3 million through a court-ordered operation to claw back part of the bitcoin payments Colonial provided during the attack.
"When Colonial's systems were threatened by a bad actor, notifying the authorities was a logical step," the company told Cybersecurity Dive. The FBI — and CISA via the FBI — were contacted by midday.
The federal government can play an important role in providing guidance and sharing best practices for responding to an attack of this type, the company said, including sharing lessons learned from prior incidents.
Colonial officials emphasized how important it is for companies to have clear direction on whom in the government they should be working with. A past concern has been that company leaders did not know which agency was responsible for handling incidents.
"For companies defending against these evolving threats or responding to an attack, having clear knowledge of who in government they should be coordinating with is important," the company said.