Bloomberg Law

It’s Time for National Cyber-Incident Reporting Legislation

July 12, 2021, 8:01 AM

On June 17, the Senate unanimously confirmed Chris Inglis as the first National Cyber Director. During his confirmation hearing, Inglis supported the idea that companies should report significant cyber incidents to the federal government. He is right. A national cyber-incident law is long overdue.

Malicious cyber-actors continuously sharpen their tradecraft. Meanwhile, because the vast majority of U.S. networks is in private hands—and because our society appropriately imposes certain limits on domestic surveillance—federal authorities’ view of the cyber-threat landscape is mottled with blind spots. The government therefore relies on private industry to come forward with evidence of cyberattacks.

But because there is no general reporting requirement under federal law, most cyber incidents are never disclosed. When incidents are reported, the information is often incomplete. Even when the government informs a victim of a likely incident, the victim typically has no obligation to confirm it, let alone share relevant information.

The status quo thus creates few incentives for the robust public-private pooling of information needed to confront the problem of rampant cyber intrusions, to impose costs on that malign behavior, and to bring those responsible to justice.

SolarWinds, Microsoft Exchange Attacks

Notably, both the SolarWinds and Microsoft Exchange attacks—two of the most far-reaching cyber intrusion campaigns in recent memory—came to light thanks to reports by private companies.

Last December, the cybersecurity firm FireEye disclosed that it had been victimized by a sophisticated intrusion that enabled unauthorized access to many of its prized tools. Days later, FireEye announced an additional bombshell: After compromising SolarWinds, adversaries had exploited that company’s popular monitoring and management software to expose as many as 18,000 entities to potential compromise by inserting malicious code into patches that SolarWinds then distributed to its customers worldwide.

As soon as FireEye published this information, federal incident responders surged to investigate and remediate the incident. The government coordinated an all-hands-on-deck response, issuing emergency directives to federal agencies, and issuing cybersecurity advisories to the public, to ensure that all relevant parties had the necessary information to mitigate the attack’s impacts. That important remediation work continues.

FireEye’s sharing of its technical findings helped identify other victims and gave the government a toehold into investigating the perpetrators, who have since been assessed likely to be of Russian origin. Had FireEye kept this information to itself, we can only speculate how much longer this pernicious attack would have continued undiscovered and unabated.

The same holds true for Microsoft’s announcement in March that Chinese hackers had gained access to thousands of organizations’ email accounts through vulnerabilities in the company’s software.

More recently, Colonial Pipeline notified law enforcement the same day it was victimized by a ransomware attack. Within a week, not only did the FBI attribute the attack to the DarkSide criminal group, but DarkSide claimed (perhaps falsely) to have shut down.

Shortly thereafter, the FBI clawed back the majority of the cryptocurrency that had been paid as ransom. This would have been impossible had Colonial Pipeline not promptly informed law enforcement.

Federal Reporting Obligations Are Sector-Specific

And yet, these companies’ actions represent the exception. Most entities have no duty to report to the federal government when they discover they’ve been victimized—and so they don’t. Typically, the federal reporting obligations that do exist concern breaches of personal data in specific sectors (for example, health or financial data), or arise out of particular terms in government contracts.

In addition, while public companies do have certain disclosure obligations relating to cybersecurity risks and incidents under SEC guidance, critics contend that, in practice, “cyber-related disclosure language is boilerplate” and that regulated entities need to provide “more specificity about cyber-risk” in their disclosures.

After the Colonial Pipeline incident, the Biden administration issued an ambitious executive order designed to strengthen the nation’s cybersecurity. The EO requires companies providing information technology services to U.S. government agencies to notify such agencies of cyber incidents. In addition, the Transportation Security Administration directed critical pipeline owners and operators to report confirmed and potential cybersecurity incidents. These new requirements are noteworthy—but they are obviously limited in scope.

Similarly, three federal agencies in January proposed requiring banks to provide their regulator with accelerated notice of certain cybersecurity and related events, including in contexts extending beyond compromises of personal information. However, this proposal, too, is sector-specific, and it is unclear how its scope and contemplated time frames will cohere with existing state incident reporting laws.

Indeed, these varied federal requirements operate against a background patchwork of more than 50 state and territorial data-breach reporting laws. But those laws apply only to incidents involving personal data; and each reporting regime has its own idiosyncrasies.

The Disjointed Reporting Model Is Cumbersome, Expensive

Everyone loses under this disjointed model. It’s cumbersome and expensive for businesses to navigate what (and to whom) they need to report in the aftermath of discovering a cyber incident. Companies are often compelled to hire teams of expensive experts just to untangle the varying requirements, and to limit any necessary disclosures to the absolute minimum so as to protect themselves from costly lawsuits and reputational harm.

If we want to encourage businesses to report incidents and provide relevant details, the requirements should be clear, reasonable, and standardized nationwide.

Consumers, too, lose under the current cyber-incident reporting regime. When an entity that possesses your personally identifiable information is breached, what you’re entitled to know depends almost entirely on where you happen to live. Consumer notification in every state and territory should be governed by a uniform standard. This will only happen with federal legislation.

What Must Be in Cyber-Incident Reporting Legislation

A bipartisan group of lawmakers is expected soon to introduce cyber-incident reporting legislation. Any effective proposal must reflect at least three key features.

First, legislation must protect consumers by requiring notice and credit monitoring when their personal information is compromised, unless there is no reasonable risk that the breach resulted in harm.

Second, the bill should protect the nation’s essential services and reduce blind spots by requiring reporting to the federal government of large data breaches and of critical infrastructure cyber incidents.

Finally, any law should simplify compliance by superseding the varied state and territorial data breach reporting laws with a single, straightforward nationwide standard; and it should incentivize compliance by providing appropriate legal immunity and confidentiality protections.

A uniform federal standard for cyber-incident reporting would not be a panacea. Our adversaries are sophisticated and persistent, and they often launch attacks from within the U.S. to better escape scrutiny.

Nonetheless, a nationwide cyber-incident reporting law would be a major step in the right direction. It would represent a win for consumers, businesses, and our nation’s overall cyber-posture. And it would unite lawmakers in common purpose to protect Americans’ privacy, security, and prosperity.

If the spate of recent, high-profile cyber-incidents isn’t enough of a wake-up call for Congress to enact a uniform federal reporting standard, one shudders to imagine what event will.

This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.


Author Information

Sujit Raman is a partner at Sidley Austin LLP, and a former U.S. Associate Deputy Attorney General.