A new law making it mandatory for some businesses to report significant cyber and ransomware attacks to the federal government comes in the wake of the number of cyberattacks on corporate networks increasing 50% last year from 2020.
The Cyber Incident Reporting for Critical Infrastructure Act was passed in March. It followed cyberattacks reaching an all-time high at the end of 2021, according to a recent report by Check Point Research.
Specifics regarding what companies will be considered part of the critical infrastructure, and the type of cyberattacks that trigger a report to the Cybersecurity and Infrastructure Security Agency, or CISA, still need to be hashed out. And it could take a while. Final regulations are required to be in place by 2026.
The law does specify that companies in the government-defined critical infrastructure sectors will be mandatory reporters. The 16 sectors include obvious ones, such as nuclear utilities and defense facilities, but the classification also includes financial services, health care, manufacturing and chemical companies – all of which are in abundance in Northeast Ohio.
“Critical infrastructure in the region is not public. It’s actually estimated that about 70% of the nation’s critical infrastructure is privately owned, like banks, manufacturing and hospitals,” said Jeff Brancato, program manager for the Northeast Ohio CyberConsortium or NEOCC.
The goal of the reporting across multiple sectors is to create a government clearinghouse of timely information on cyberattacks to respond with an effective early warning system for others dealing with foreign or domestic bad actors.
Analysts at CIS also plan to use the data to spot trends to better understand how businesses are targeted and then deploy resources to render assistance to those affected.
“CISA will use these reports from our private sector partners to build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure,” said Jen Easterly, CISA Director, in a statement about the law.
Brancato since 2015 has headed NEOCC, a nonprofit version of CISA that share real-time cyber threat and defense information with companies and cybersecurity experts. He said mandatory reporting had the potential to provide better guidance when dealing with some these cyberattacks.
“This is an area where the federal government is uniquely positioned to aggregate information in ways that other players cannot,” he said. “The opportunity for CISA to receive information from a much larger set increases the effectiveness of these types of investigations.”
The Federal Bureau of Investigation and CISA have long encouraged companies to voluntarily report cyber attacks and ransomware payments. But that reporting, when forthcoming, has been spotty and often comes months after an attack, which is too late to warn others.
Those delays stymie attempts to prevent similar attacks, said Damon Hacker, President & CEO of Medina company Vestige Digital Investigations, which encourages companies to file timely reports of cyberattacks to help stem large-scale data breaches. The quick turnaround is important, Hacker said, because when a cyberattack hits a particular industry, it’s highly likely the attackers will move on to a similar company in that same industry.
“One of the things that’s supposed to happen with this new law is that when CISA receives information (of an attack), within 24 hours (it) makes that available to potentially affected sectors and industries,” Hacker said.
Voluntary reporting hasn’t traditionally been popular, because businesses have not jumped at the chance to advertise a data breach or ransomware payment, especially when they involve private data loss.
“A lot of these companies want to keep attacks quiet. If they are able to resolve it, they don’t necessarily want to broadcast it out to the world,” said Alex Hamerstone, an Advisory Solutions Director at TrustedSec.
Hammerstone said he believes the collection of information under the mandatory reporting law could be helpful not only to the bigger companies equipped with the structures to respond to cyberattacks, but for small and midsize businesses. In those companies, which often do not have a chief information security officer, such problems roll directly to the owner or CEO.
CISA’s National Cyber Awareness System caters to smaller businesses offering voluntary reporting and access to current cybersecurity alerts, threat analysis and current activity reports.
“You can’t manage what you can’t measure. So having all this data and really understanding the scope of what’s happening, having it all at one place, helps people make decisions,” Hamerstone said.
By Kim Palmer
Crain’s Cleveland Business