Strengthening American Cybersecurity Act of 2022
On March 1, 2022, the US Senate unanimously passed the Strengthening American Cybersecurity Act of 2022. This landmark bill comes at a time when cybersecurity threats are at an all-time high, partly due to Russia’s invasion of Ukraine. Cyberattacks stemming from Eastern Europe are on the rise, and in a bid to protect American infrastructure, the bill creates a new legal landscape for reporting cybersecurity breaches.
The Act combines three previous bills, including the cyber-incident reporting bill. The new legislation affects critical infrastructure operators and “covered entities” who will now be required to report any “covered cyber security breaches” to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Any ransom payments will also need to be reported to CISA within 24 hours.
In the wake of high-profile ransomware attacks, this unprecedented, bipartisan package should provide a clear guideline for how communication is handled in the event of a cyberattack. With terms such as covered entities and covered cyber incidents, let’s dive into exactly what will be needed, from whom, and to whom.
Understanding Covered Entities and Covered Cyber Incidents
As defined by CISA, critical infrastructure sectors are those whose assets, systems, and networks, if incapacitated or destroyed, would have a debilitating effect on day-to-day life. Critical infrastructure operators include players in the chemical sector, communications, energy, emergency services, commercial facilities, critical manufacturing, the dams sector, financial services, food and agriculture, government, healthcare and public health, transportation systems, and information technology.
The new legislation, however, does not explicitly state that each of the sectors will be subject to the reporting requirements. It will be up to CISA to determine which entities are to be covered based on:
- “The consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety”
- “The likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country”
- “The extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.”
Additionally, the bill defines a covered cyber incident as “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule … .” CISA will then be required to provide a clear definition of what a substantial cyber incident means. At a minimum, a covered cyber incident will be one that:
- Causes a “substantial loss of confidentiality, integrity, or availability” of information or a “serious impact on the safety and resiliency of operational systems and processes”
- Causes a “disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero day vulnerability”
- Involves “unauthorized access or disruption of business or industrial operations” due to a “compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise.”
What are the New Cyber Incident Reporting Requirements?
Although the bill has already been signed into law, it will not come into effect until CISA provides a clear description of what constitutes a covered entity and which entities are covered. The Act, however, sets certain minimum reporting requirements, including a description of the cyber incident. Covered entities will need to identify and describe which systems were affected and how the breach affects operations. In addition, entities will need to describe the unauthorized access and provide an estimate of when the breach occurred.
Further, covered entities will need to describe what safeguards were in place and whether they were implemented correctly. In line with this, the affected entity will be required to explain how the safeguards could have been implemented differently, as well as any additional safeguards that will be needed to mitigate future cyber incidents.
Timeframe for Making Cyber Incident Reports
Covered entities will now have 72 hours to report a covered cyber incident to CISA. The 72-hour window begins once the covered entity “reasonably believes” that a covered cyber incident has occurred. If the entity pays a ransom, it will be required to report the payment to CISA within 24 hours. Ransom payments must be reported regardless of whether the underlying cyber incident qualifies as a covered incident.
Since the 24- to 72-hour window may not be enough to gather complete information about the cyber incident, covered entities will be required to report any additional findings as they arise. CISA now has the authority to subpoena firms that do not adhere to the reporting requirements. If the covered entity does not provide the requested information, the legislation gives CISA authority to refer the entity to the Department of Justice.
What the New Legislation Means for Covered Entities
The passing of the Strengthening American Cybersecurity Act of 2022 comes at a time when data breaches continue to be a real threat. Cyberattacks targeting entities in critical infrastructure have been on a steep increase, and given how crucial these sectors are, government intervention has become a necessity.
For any organization within the 16 critical sectors, it will no longer be possible to maintain plausible deniability in the case of a cyber intrusion. Cyber breaches are an expensive affair, but the cost is not only financial. Companies have to deal with the reputational risk that accompanies a cyber intrusion, and loss of confidence and possible lawsuits are just part of what affected organizations face after a cyberattack. The legal landscape, however, is changing, and affected covered entities will no longer be able to hide behind plausible deniability.
On the flip side, increased coverage gives the government better leverage to combat the cybersecurity threats targeting critical sectors. As more organizations begin providing detailed reports on cyber incidents, investigators and responders will have better information with which to identify vulnerabilities, close the security gaps that are identified, and ultimately strengthen cybersecurity for critical infrastructure providers. Malicious cyber campaigns can be identified early, before they take root and become expensive threats. The private sector will also enjoy better threat intelligence, which will allow players to invest in defensive measures.
What the Act Means for Small Companies
As much as the bill is a huge milestone on the journey towards comprehensive cybersecurity protection, a few challenges will stem from its implementation. The critical infrastructure sector is a public-private framework in which the private players are both large and small organizations. Any covered entity will need to invest significant resources in identifying breaches and classifying them properly before preparing a detailed report for CISA. All of this will need to be done as soon as the breach has been identified in order to remain within the 72-hour window. While large organizations already have the necessary IT infrastructure to do this, the same cannot be said of smaller companies.
Many small companies do not have an IT department, nor do they have the financial resources necessary to hire an IT consultant or a managed service provider. Yet this legislation requires a whole department, or at least a small IT staff, to monitor, detect, and report any incidents quickly and efficiently. Small companies have to choose between paying a ransom and risking the loss of control of their critical operations. This alone is enough to drive them out of business. Further, statistics show that 50% of businesses have been breached while the other 50% have been but don’t know it yet. These are telling figures, meaning that small entities will now have to invest in IT services to comply with the requirements, as they are already affected and continue to be vulnerable.
What Can Be Done to Make the Act a Success?
The war against cyberattacks is far from being won. Legislation such as this is a powerful weapon that will help bring victory closer. However, every business that has been the victim of a cyber incident knows that it’s not just about the attack, but about how to recover. The government has already laid the groundwork for preventing cyberattacks through legislation, but successful implementation needs more. For small companies without the financial resources needed to comply, an incentive from the government would help.
A great first step would be to help fund the services needed not only to avoid a breach in the first place, but also to fund remediation and to help strengthen internal cybersecurity infrastructure. A good approach might be to offer small and medium-sized businesses an incentive in the form of tax reductions, so that they can use those funds to strengthen their internal cybersecurity infrastructure and employee training.
Another important step would be to offer these companies a carrot instead of a stick. If a company shows that it has done all that is possible to fortify its defenses and still suffers a cyber breach, it should be exempt from any fines that might be imposed and should be offered resources to help it recover from the breach.
For now, partnering with a managed service provider will help small companies comply with the requirements.