And now, mandated reporting of significant cyber incidents will likely be coming to a public- and/or private-sector organization near you.
Here are some recent headlines and excerpts on this topic from the past week:
CBS News — White House backs bill requiring mandatory reporting of major cyber incidents to CISA amid Ukraine crisis:
“The White House has come out in full support of a bill requiring hospitals, power plants, water utilities, airports and other critical infrastructure to report cyber attacks to the Department of Homeland Security within 72 hours.
"The move comes amid the escalating war in Ukraine and concerns of possible Russian cyber threats to the U.S.
"In a statement confirming the White House's support, a spokesperson said the legislation is 'a part of the administration's comprehensive effort to modernizing America's cyber defenses and complements the president's efforts to improve cybersecurity.' …
"The bill passed with rare unanimous support in the Senate on Tuesday, just 24 hours after the Homeland Security Secretary Alejandro Mayorkas urged lawmakers to act fast amid an escalating Ukraine-Russia crisis, as cyber threats loom over the U.S. homeland.”
TheRecord — Senate approves cyber incident reporting bill amid worries about Russian threats:
“The Senate on Tuesday easily approved a bipartisan package of cybersecurity bills, including legislation that would require mandatory incident reporting for critical infrastructure firms.
"The swift passage — done by unanimous consent ahead of President Joe Biden’s State of the Union address — marks an about-face from just months ago when the measure was stripped from the annual defense policy bill.
"The package represents 'commonsense, bipartisan legislation that will help protect critical infrastructure from the absolute relentless cyber attacks that we see that threaten both our economy as well as our national security,' Senate Homeland Security Committee Chair Gary Peters (D-Mich.) said on the Senate floor before the vote.”
And this video describes the cyber threat situation in more detail:
MORE SPECIFICS AND HISTORY OF CYBER INCIDENT REPORTING MANDATES
The actual bill that passed the Senate is available here. The name given was: “Strengthening American Cybersecurity Act of 2022.”
This article from January 2022 describes many of the provisions included in the mandatory cyber and ransomware reporting bill.
And over the past year, I have covered this topic extensively in this blog. Here are two of those blogs which provide more background on the topic:
Senate Bill Would Mandate Reporting Infrastructure Data Breaches: “The Cyber Incident Notification Act of 2021 would require reporting cyber incidents impacting critical infrastructure to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.”
Banks Must Report Cyber Incidents Beginning in May 2022: “Under the rule, banks must inform their primary federal regulator about incidents that have — or are reasonably likely to materially affect — the viability of their operations, their ability to deliver products and services, or the stability of the U.S. financial sector. That could include large-scale distributed denial-of-service (DDoS) attacks that disrupt customer access to banking services, or computer hacking incidents that disable banking operations for extended periods of time.”
FINAL THOUGHTS
As I have mentioned on numerous occasions over the past several years, I believe mandatory reporting of cyber incidents will be coming TO state and local governments, especially when they are performing functions that are deemed critical.
And no, I don’t think this will only impact the private-sector critical infrastructure owners and operators.
It now appears that this may be coming even earlier than I expected (date TBD as of this writing). Keep an eye out for more details from CISA regarding mandated reporting for situations such as a ransomware or DDoS attack. I will also cover this topic again, if and when mandatory reporting becomes law.
My advice: Start getting ready for this now, if you haven’t already built these scenarios into your planning for business disruptions caused by a cyber attack.