On March 15, 2022, United States President Joe Biden signed the Cyber Incident Reporting For Critical Infrastructure Act of 2022. This Act requires critical infrastructure entities and government agencies report a cyber security incident within a defined period of time.
“In general.--A covered entity that experiences a covered cyber incident shall report the covered cyber incident to the Agency not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.”
The “covered entities” are defined in the PRESIDENTIAL POLICY DIRECTIVE/PPD-21 and cover everything from Healthcare, Water and Waste Systems, Communications, Financial Services, and many more. The Act also defines “covered cyber incidents” as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director.” The term “incident” is further defined as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.”
While these definitions will have to evolve as the implementing regulations are developed, they are actually very telling in how security teams should be measuring their organization’s risk. My interpretation of “incident” within the Act is that an incident is not just something that has occured but also something that is imminent. Imminent to me means that full transparency of “incidents”includes security vulnerabilities or when you are using libraries with known vulnerabilities such as defined in the OWASP Top 10. It is not just about reporting a breach or incident after the exploit or attack has occured. Detecting, addressing, and sharing cyber security risk (vulnerabilities, breaches, exploits, etc) information will be commonplace among more than federal agencies in the near future.
This new Act really sends home the message to the cyber security community that the only way forward is full transparency in the overall fight against cyber threats. As a community, we learned a lot following the log4shell incident and quickly realized that we required fast communications and transparency between our customers and third party vendors in order to understand our risk of exploitation.
As many organizations fall in the covered entities categories, they will be required to report these incidents. However, as an industry, it makes sense moving forward that we all start reporting incidents more routinely to allow others to prepare for future exploits or to examine their systems for any indicators of compromise (IoCs). Having more information and more data to look for allows organizations to lengthen the time between incidents and shorten the time to detection (mean time to detect (MTTD)).
This Act is a powerful first step toward better cybersecurity transparency. But it’s just a first step. All breaches, not just critical infrastructure, should be made visible. We trust everything important in our lives to software -- finances, healthcare, elections, social life, government, and more. Not all of this software is deemed critical infrastructure, yet we deserve to know if it’s been breached.
Visibility around breaches is great, but it’s too late for the victims to do anything about. And frankly, tracking down those responsible and punishing them is difficult, often impossible, and doesn’t make the victims whole. Don’t we have a right to know about the cybersecurity of the systems we are forced to blindly trust *BEFORE* they are hacked? Shouldn’t we know about the security mechanisms in place, what security testing was performed, whether developers were trained, what libraries are used, etc…
The only way to protect ourselves against cyber attacks is to fix the software market so that it encourages better security by ensuring that both producers and consumers have all the information they need to make informed decisions.
