Cybersecurity concerns have gained even greater significance in the wake of the recent Russia-backed SolarWinds sabotage and the war in Ukraine. In response, the US House and Senate will soon pass the Cyber Incident Reporting for Critical Infrastructure Act of 2022.
Shortly after that, President Biden is expected to sign it into law. Once enacted, the legislation will mandate that any company whose business affects critical infrastructure promptly report all cybersecurity incidents, including whether it has made ransomware payments.
Affected entities include healthcare organizations, utilities, transportation companies, and IT providers whose work involves the nation’s vital security infrastructure. Should one of these come under cyber attack, it must report to the Cybersecurity and Infrastructure Security Agency (CISA). Liability protections are furnished to those who submit timely reports. In contrast, those who fail to comply with this regulation may be subject to a civil lawsuit. The government will collect, analyze and anonymize the supplied data, sharing it with relevant stakeholders to enhance understanding of the threat landscape.
Even after this bill becomes law, there may be a lag before it is actually enforced. It will not go into effect until CISA clarifies the types of security breaches that must be reported, the specific infrastructure-related organizations required to report, what the reports should include, how they will be submitted, and the methods of storing and preserving them.
Concluding this process may take as long as 42 months. Until that happens, companies can examine the details of what the rule will cover. It will include the following requirements:
- Owners and operators of critical infrastructure entities must report all significant cyber incidents to CISA, including ransomware attacks. Reports on cyber incidents must be submitted within 72 hours, and ransomware payments must be reported no more than 24 hours after they are made.
- Relevant incidents that must be reported include data breaches and attacks that disrupt operations. It will not be necessary to divulge threats of unsuccessful attacks.
- The report should specify the methods used by the cybercriminals and be saved until the issue is fully resolved.
- Failure to report relevant incidents may result in CISA issuing a subpoena and/or the Justice Department initiating a civil lawsuit.
Entities that submit these reports will enjoy certain protections. The data gathered cannot be used against the submitter by regulators. Reports can be designated as commercial and proprietary for confidentiality reasons. Furthermore, companies cannot be found liable for submitting a report, nor can the data be used as evidence in a federal or state court or regulatory body.
The details obtained by CISA will be used to prevent child exploitation, protect cybersecurity and increase safety. CISA will react quickly to identified incidents, providing details about threat indicators and defensive measures. It will share relevant data with Congress, federal and private stakeholders, and the public, including an assessment of currently available security controls and of the techniques employed by bad actors, with the aim of protecting the country’s overall security landscape.