Current legislative reporting requirements on breaches create more problems than they solve
We’re living in “interesting” times when it comes to the United States’ cybersecurity. There is a concentrated effort to rehabilitate, renovate, and bring security standards up to par in the nation. As you know, critical infrastructure attacks were driving factors for regulatory changes. But with these swift new standards, there’s friction and gridlock when it comes to an enterprise and what it’s required to do in a post-breach environment.
The current law is the Cyber Incident Reporting Act, or “Cyber Incident Reporting for Critical Infrastructure Act of 2022.” This law is aimed at any agency or entity network handling critical infrastructure. The phrasing is broad, but it includes companies dealing with public health/safety, water, energy, and transportation.
In a nutshell, it requires an entity to report a ransomware breach event to the federal government within 72 hours of said breach. If the company paid the ransomware demand(s), it must report that within 24 hours. While time is of the essence in situations like a ransomware attack, the CIRCIA creates a few problems.
How it can hurt a company vs. help
The goal of the law is to provide CISA and federal agencies with as much information as possible about a breach event as soon as possible. Time is of the essence, so early reports allow agencies to create threat profiles and respond to them quickly. In theory.
In practice, it’s creating some issues.
One key problem is the time to report. What is meant to be an advantage has become a hindrance for an enterprise. When a network is hit with ransomware, the time to recover can vary, but it’s a long, stressful process needing as much time as possible. In those scenarios, resources are focused on dealing with the ransomware problem, resetting networks, recovering data, and getting services back online.
Creating an audit within 72 hours is difficult, if not downright impossible. Companies in a post-breach environment are focusing a majority of their resources on recovery operations, and 72 hours is no guarantee they will have returned to normal operations. With the time constraint in place, the act can hurt already bludgeoned organizations and impose additional penalties.
Moreover, an organization that does not comply (for example, by refusing to report) can be subpoenaed.
Foggy on the details
As the law is new and entering a chaotic digital climate, there is a lack of true clarity on what needs to be reported. Indeed, while the mandate implies an enterprise must report a breach incident, the exact details of that requirement are still unclear. The final rule for the act is due within 12 to 24 months of its passage in March 2022. By then, however, if the requirement has not been clarified, it will create more confusion in the long term.
The overall impression is that legislation and comprehension of deep-rooted cybersecurity issues are lethargic at best. There are still wide gaps between political action and IT stability, as shown by “quick action” bills. While said bills are solid in intent, with the long-term goal of creating a comprehensive defense against ransomware, the implementation needs a lot of work.
In the meantime, any entity that works with critical infrastructure should have not only backup measures in place for potential ransomware attacks but plans for reporting as well.