Since the beginning of the year, lawmakers have coalesced around the idea of breach reporting laws — mandating that some group of businesses report some class of breaches to some federal agency. But subtle differences in opposing bills in Congress, including a version in the National Defense Authorization Act passed Friday by the House, could have major impacts for enterprises and the government itself.
Mandating companies to report breaches is not a new idea. In 2012, Sens. Susan Collins, R-Maine, and Joe Lieberman, at that time an independent from Connecticut, first proposed legislation along those lines. The idea was jolted back to life in early 2021 after the FireEye disclosed a massive espionage campaign using vulnerabilities in Solarwinds products in the waning days of 2020. FireEye's disclosure was voluntary. What would have happened, lawmakers wondered, if FireEye didn't volunteer?
"Had FireEye not detected this compromise in December and chosen on their own to come forward, would we still be in the dark today?" asked Committee Chairman Mark Warner, D-Va., at a hearing in February.
Since then, three similar bills have been introduced in the House and Senate, both requiring breaches of significance to be reported to the Cybersecurity and Infrastructure Security Agency, which will be left to develop much of the rules. The bills differ in some critical details.
The widest discussed differences have to do with timing. The House language in the defense authorization requires CISA set a rule to give companies at least 72 hours to report, one Senate bill limits it to 24 and another Senate bill lets CISA pick a timeframe between 72 hours and a week.
For CISA's part, Director Jen Easterly suggested at a hearing Thursday that sooner might be better. "The earlier that CISA, the federal lead for asset response, receives information about a cyber incident, the faster we can conduct urgent analysis and share information to protect other potential victims," she said.
But industry pros, including FireEye, whose reporting of Solarwinds was widely lauded by lawmakers and CISA, say that timeframe may be too short.
Companies should have at least 72 hours to conduct investigations and make sure the information being sent to CISA is accurate and useful, said Heather Hogsett, senior vice president for technology and risk strategy for BITS, the technology policy center of the Bank Policy Institute, at a House hearing earlier this month.
“The initial stages of an incident response require all hands on deck and frontline cyber defenders should be focused on investigation response and remediation, rather than completing compliance paperwork,” she said.
That would not just be for the company's benefit, said Hogsett at the time. With too short a deadline, CISA would be awash in false positives.
At the same hearing, Ronald Bushar, vice president and government chief technology officer of FireEye Mandiant, said the company paused before going forward with the Solarwinds announcement to confirm that the attack was not an errant employee or a glitch in its technology.
"You can have situations where initial indicators are indicative of an actual, true compromise; that you want to allow organizations time to fully analyze what's happening in their environment and determine that there is, in fact, a real impact,” he said.
By their nature, investigations yield more information. A better way to view the problem, said Michael Daniel, former White House cybersecurity coordinator and current president and CEO of the industry threat sharing group the Cyber Threat Alliance, might be to frame notifying CISA less as a "report" and more as a start of a continuing conversation.
"Twenty-four hours is probably workable for a notification that essentially says something like: 'We are experiencing a cyber incident. It appears to be a ransomware attack. More details to follow.' However, few organizations would have more details than that within 24 hours of an incident. For most events and malicious cyber campaigns, 72 hours is probably still soon enough for the government to turn around and provide useful warning to other potential targets, but possibly too long if it is a systemic cyber incident unfolding in real-time or for the U.S. government to interdict a ransom payment, a la Colonial Pipeline," he said.
Craig Hoffman, an attorney at BakerHostetler, told SC Media that in practice, companies and governments have been able to adapt to different deadlines without the purported disasters they were supposed to cause.
"There was a lot angst and concern about being able to meet the 72-hour notice requirement to a data protection authority under GDPR or under the NY DFS," he said. "And you do not see many enforcement actions or fines solely on the basis of the timing of notice."
The bills vary on what is covered, including a Senate bill covering potential breaches, and who is covered, ranging from critical infrastructure to incident response teams. The House and two Senate Bills also diverge on enforcement, with the Senate using fines to encourage compliance and the House relying on subpoenas and the threat of losing legal protections offered to those who report.
Easterly said limiting enforcement to subpoenas would not be "agile" enough a solution, noting their success rate across industries, including in her private sector job immediately prior to taking the director's office. “I just came from four and a half years in the financial services sector, where fines are a mechanism that enables compliance and enforcement."