CISA Leader Backs 24-Hour Timeline for Incident ReportingExecutive Director Wales Cites Colonial Pipeline's Rapid Notification to Customers
A top leader of the U.S. Cybersecurity and Infrastructure Security Agency has voiced support for a 24-hour timeline for cyber incident reporting involving critical infrastructure, signaling a push by the Biden administration to implement a rapid mechanism for federal response.
See Also: Healthcare Sector Threat Brief
Brandon Wales, the executive director - and former interim director - of CISA, said during a Bloomberg event on Tuesday, "I think the U.S. government has argued that we think 24 hours is the right amount of time, that brings it in early enough for us to use the information, but does give the company some time to determine whether this is a real incident or not."
Wales said that in reviewing examples of major incidents, "Twenty-four hours is pretty deep into the response cycle already." He added: "In the Colonial Pipeline example, they were already letting their customers know that they were shutting down parts of their pipeline well in advance of 24 hours. And so we think that 24 hours is a good metric, recognizing that there are other opinions out there."
In the Colonial Pipeline incident, fuel supply for the U.S. East Coast was temporarily halted, and the company paid a $4.4 million ransom to the DarkSide cyber gang - though Department of Justice officials later confirmed they had clawed back approximately $2.3 million worth of the ransom (see: FBI: DarkSide Ransomware Used in Colonial Pipeline Attack).
CISA's executive director said on Tuesday that his agency continues to work with Congress on specific legislative measures. "We think getting information in is the most important thing, and so if we have to work on a timeline other than 24 hours, we will."
Mike Hamilton, former vice chair for the Department of Homeland Security State, Local, Tribal, and Territorial Government Coordinating Council, tells Information Security Media Group: "The fact that CISA is asking for a 24-hour reporting suggests a focus on rapid information sharing - something that's been a stated goal for quite some time, but which has never been adequately realized."
Hamilton, who is the CISO for the security firm Critical Insight, adds, "While 24-hour reporting will speed up information sharing and help to target areas where threats are currently extant, it will still not address the need to share information broadly; rather, this will provide CISA with data to help prioritize resources without necessarily disseminating the information to the private sector operators of critical infrastructure."
Pending Senate Bill Calls for 24 Hours
Wales' support for a 24-hour timeline aligns with the Senate Select Intelligence Committee's Cyber Incident Notification Act of 2021 - sponsored by Sens. Mark Warner, D-Va., Marco Rubio, R-Fla., and Susan Collins, R-Maine.
The bill would require federal agencies, federal contractors and organizations that are considered critical to U.S. national security to report security incidents to CISA within 24 hours of discovery (see: Senators Introduce Federal Breach Notification Bill).
Per the bill, companies that do not report an incident within 24 hours could face a maximum financial penalty equal to 0.5% of the previous year's gross revenue. The measure, however, allows for exceptions to the penalty.
Another provision would allow organizations to anonymize personal data when they report a breach - to encourage victims to report incidents without revealing sensitive data.
Some cybersecurity experts have said that it's unrealistic to expect organizations to report incidents within 24 hours of discovery because they need more time to properly assess an attack and determine if it meets the criteria for notification.
Von Welch, associate vice president for information security and executive director for cybersecurity innovation at Indiana University, says that a 24-hour deadline, a broad definition of covered cyber events and the fear of fines "means companies will be inundating CISA with reports to cover their obligation."
"I worry how CISA is going to work through all this data to find useful information," Welch tells ISMG."
Separate Bill Mandates 72 Hours
In addition to the July bill, leaders of the Homeland Security and Governmental Affairs Committee introduced a similar measure last month - the Cyber Incident Reporting Act of 2021. This bill mandates a 72-hour deadline for a variety of companies to report incidents to CISA (see: New Legislation Eyes Both Ransom, Incident Reporting).
The proposed legislation, which was put forward by committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, would also require state and local governments, critical infrastructure groups, nonprofits and businesses with 50 or more employees to report ransom payments within 24 hours.
Sen. Warner said last month that his 24-hour bill may merge with the proposal by Peters and Portman - and that incident reporting language and updates to the Federal Information Security Modernization Act, or FISMA, may appear in the Senate's version of the National Defense Authorization Act.
Critical Insight's Hamilton says the Peters and Portman bill, which passed through committee, "has been received well by the private sector" and "sets up further discussion on what's more important: protecting the private sector from early reporting that may not be accurate, versus fast ingest for decision-making, despite the fact that the information submitted may contain factual errors."
Frank Downs, a former offensive analyst for the NSA and currently director of proactive services for the firm BlueVoyant, says, "The industry-preferred 72-hour window allows companies to control more of the narrative around an incident to minimize the negative perception of the reporting organization.
"[But] initial 24-hour reporting, even if it's simply to notify CISA of what type of attack has occurred, will allow CISA and other organizations more time to assess security controls which could deter the same attack, or a similar one."
Cyber Leaders Talk Fines, Liability
Testifying before the Senate Homeland Security Committee last month, CISA Director Jen Easterly indicated that the agency supported incident-reporting legislation and hoped to see Congress include language that levies fines against noncompliant critical infrastructure operators, rather than give CISA additional subpoena power (see: Senators Debate Cyber Rules for US Critical Infrastructure).
"I think a compliance and enforcement mechanism is very important here. I know some of the language talks about subpoena authority," Easterly said. "My personal view is: That is not an agile enough mechanism to allow us to get the information that we need and to share it as rapidly as possible to prevent other potential victims from threat actors. So I think that we should look at fines."
Speaking about critical infrastructure cybersecurity during a McCrary Institute event on Tuesday, National Cyber Director Chris Inglis also suggested, "If you've not performed well in [cybersecurity], there will be consequences. There should be liability."
Liability protections stem from the nonpartisan, public-private Cyberspace Solarium Commission, which recommended such measures, along with federal resources and intelligence, to spur companies to bolster their security posture.
Meanwhile, CISA leaders continue to tout the agency's Joint Cyber Defense Collaborative, an information-sharing arrangement and another recommendation of the Cyberspace Solarium Commission.
The JCDC office for joint cyber planning is composed of representatives from the Department of Homeland Security, the Department of Justice, U.S. Cyber Command, the National Security Agency, the FBI, and the Office of the Director of National Intelligence. It consults with voluntary partners - including state and local governments and information-sharing and analysis organizations, as well as owners and operators of critical information systems.