Blog: DFIR

Reporting of cyber incidents becomes law in the USA

Duncan Slater 13 Apr 2022

On March 15th 2022, President Joe Biden and the US Government passed new legislation, the Cyber Incident Reporting for Critical Infrastructure Act, to strengthen the position of the Department of Justice (DOJ) Cybersecurity and Infrastructure Security Agency (CISA) by requiring the reporting of all cyber incidents and ransomware payments.

The bill only affects organisations that provide critical national infrastructure in the USA. The list of covered organisations is yet to be defined, but it is likely to include hospitals, power plants, water utilities, airports and similar entities.

Not unlike the UK’s GDPR reporting requirements, the impacted entities will be required to report a cyber incident to CISA within 72 hours. However, when it comes to ransomware, if an organisation providing critical infrastructure pays the ransom, this must be reported within 24 hours of the payment.

The legislation defines a cyber incident as:

  • something leading to substantial loss of confidentiality, integrity or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes,
  • disruption of business or industrial operations, including due to a denial of service attack, ransomware attack or exploitation of a zero-day vulnerability against 1) an information system or network, or 2) an operational technology system or process,
  • unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, managed service provider or other third-party data hosting provider, or by a supply chain compromise.

It’s that last point that could have the greatest impact, as it brings third-party service providers into scope. This highlights the importance of conducting due diligence reviews on service providers and of requiring incident notification obligations in any contractual agreements.

The bill also sets out clear reporting guidelines for the information that must be provided:

  • a description of the incident,
  • the vulnerabilities exploited, including the tactics, techniques and procedures (TTPs) used to orchestrate the attack, and the security controls that were in place to mitigate it,
  • any identifying or contact information related to the threat actor(s) believed to be responsible for the attack,
  • the category of information believed to have been impacted by the cyber incident,
  • full details of any ransom demand including payment instructions and amount demanded, and the date of any payment made,
  • identification and contact information for the impacted entity.

A requirement for such detailed information within such a short space of time will put additional pressure on organisations’ incident responders, and on any third-party incident response service providers such as PTP, to work fast to get the answers required.

However, reporting to CISA is not a one-off event: the bill sets out that supplemental reports must be provided whenever substantial new or different information becomes available, until the entity notifies CISA that the incident has concluded and been fully mitigated and resolved.

A final requirement of the bill states that covered entities “shall preserve data relevant to the covered cyber incident or ransom payment”. Exactly what ‘relevant data’ means is yet to be determined within the legislation, but it is likely to include log files, network traffic, and the preservation of any impacted host or server in the state it was in at the time of the incident.

This has the potential to force organisations to change their infrastructure log storage methods and their immediate response processes, which for many currently means immediately decommissioning an impacted system and rebuilding it.

The requirements this bill places on covered entities are not too dissimilar to those set out for entities in the payment card industry, where reporting an incident is mandatory, along with a requirement to preserve any data sources likely to hold evidence that approved independent examiners may need to examine.

Is this the start of a change in attitudes towards our data and those responsible for looking after it? Are we about to see organisations being held accountable for breaches in security and for their decisions to pay ransoms in the hope that they can recover without anyone noticing?

Will the US Government use this as a means of discouraging and eventually banning the payment of ransoms, which only fuel the rise in ransomware attacks? I’m sure these and many other questions about this bill will be answered in the coming months and years.

Although the bill has been signed, the finer details of the legislation are yet to be finalised, and therefore this will not become law in the USA for another 18 to 24 months. It sets a clear precedent for others to follow.