In Samuel Taylor Coleridge’s Rime of the Ancient Mariner, a sailor shoots a friendly albatross and has to wear the corpse around his neck in penance. Today, the risks from cyber incidents are increasing at a faster rate than the benefits from technology have increased. Those risks are our collective “cyber albatross,” and the load gets heavier every day.
We need to lighten the load, or we may face terrible threats to services, both mundane and critical. Technology promises society an engine for economic activity. Tech can save lives, promote living standards, and generally improve the human condition. But if we don’t grapple with all the evolving cyber issues soon, there are potentially dark days ahead for us all.
On March 15, President Biden signed into law the new Cyber Incident Reporting Infrastructure Act as part of a larger “omnibus” spending bill. At a high level, the law established an obligation for organizations that own or operate critical infrastructure (CI) to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours on “significant” cybersecurity incidents and report ransomware payments within 24 hours. The next step is with CISA Director Jen Easterly.
Today, many organizations report when cyber incidents happen. Even beyond those that are required by other regulations and laws to report, many openly disclose what has happened. However, many do not. Anyway it gets sliced, reporting isn’t easy. There’s a “fog of war” to know what happened or didn’t as we might infer from the Okta case, where at first there were conflicting messages within a 24-hour period and then a full statement the other day admitting that by delaying the disclosure they had made a mistake. Disclosing takes bravery and comes with consequences. This should make it easier, at least for CI, to know what they need to do; and it should also remove some of the liability associated with doing so. As the dust settles on the wave of attacks against Fortune 500 companies by Lapsus$, it’s not surprising that momentum builds for more stringent reporting when initial intrusions occur and not weeks or months later.
The protections afforded against certain liabilities here are among the most significant implications for CI organizations. Could stock prices drop? Yes. Could lawsuits still happen? Yes. But at the very least, the new law will remove several categories of disclosure-related risk, and this transparency and disclosure may potentially lead to a world where CI organizations don’t become pariahs, but are seen as responsible and participatory in our collective response as global citizens. While it’s much too soon to predict that, we can hope for that version of the future.
Moving forward, CISA must define more precisely which entities are affected and what constitutes “significant” for a cyber incident. Once the law goes fully into motion, the agency will have actionable information it can use for the public good as never before. How these terms are defined and what purposes the data gets used for are significant in our collective cyber future and for what the agency can then accomplish. This has the potential to shine a light in a dark area.
We view this law as a necessary and encouraging step to ensure the continuity of the nation's critical services. Ideally, it will help ease the growing weight of the cyber albatross that the technology industry wears around its collective neck every day. If not addressed, eventually it will impede technology innovation and growth, and that’s not good for anyone. It can also set an example for those who support CI indirectly and become a model for other organization types and for other nations.
Sam Curry, chief security officer, Cybereason