Fearing More Cyberattacks, Congress Requires Key Businesses to Report Digital Breaches

Yet the language of the law leaves unclear what it will require from security teams at businesses and federal civilian agencies, as well as which companies will be affected. That means a lot of the impact will depend on how U.S. officials interpret the legislation. For instance, if the officials take a hard line, the law could prove burdensome for companies in the crucial early hours after discovering a breach, and flood the government with more information than it can handle. But if the officials adopt a loose approach, it could leave security officials with poor visibility of cyber threats and limited information to share with companies about how they should defend themselves.

Extracting useful data

“Reporting breaches or meaningful security events to the government would be hugely beneficial,” says Jamil Farshchi, chief information security officer at credit-reporting firm Equifax Inc. The big question, he says, is whether the government can analyze and share that information “in a beneficial way for us organizations.”

A string of damaging cyberattacks in recent years and, more recently, fears of possible Russia-linked hacks stemming from the war in Ukraine, added to the sense of urgency among U.S. lawmakers and other government officials about getting such legislation to President Biden’s desk this week as part of a broader spending package. “Put plainly, this legislation is a game-changer,” says Jen Easterly, director of the body that will oversee the reporting regime, the Cybersecurity and Infrastructure Security Agency, or CISA, an arm of the Department of Homeland Security.

“We need to know the battlefield,” says Sen. Gary Peters (D., Mich.), co-author of the Senate version of the bill with Sen. Rob Portman (R., Ohio). “We need to know where the bad guys are, what they’re doing, who their targets are, so that we can respond accordingly.”

Congress passed the legislation, which is part of the Strengthening American Cybersecurity Act, after a monthslong lobbying push last year to narrow such bills. Businesses protested earlier proposals that they disclose incidents within 24 hours or face potentially steep penalties. Under the new law, companies that operate critical infrastructure—banks, electric utilities and other organizations key to daily life—will be required to share information with CISA about certain incidents within 72 hours. CISA will analyze and anonymize the data to distribute it throughout the federal government and private sector to help prevent similar attacks elsewhere. Covered organizations will also have to report ransomware payments to CISA within 24 hours of making them. Federal civilian agencies will report incidents to CISA and “major incidents” to Congress or security officials.

No penalties

Though the new law will allow CISA to subpoena companies and organizations for information, and refer uncooperative entities to the Justice Department for civil actions, the statute doesn’t give CISA power to fine companies for noncompliance. Companies also will have protections from legal liability and regulatory actions—as well as Freedom of Information laws—after reporting information that could potentially reveal lax security practices.

At the same time, the law will give CISA broad leeway to craft regulations that will dictate how many companies need to comply and what information they will have to report.

Open-ended definitions in the law are by design, Sen. Peters says. “We expect that to be worked out by the experts through the rule-making process.”

But for companies, that is also where things get more complicated.

“I don’t think the legislation has made anything clear,” says Patrick Gaul, executive director of the National Technology Security Coalition, a trade group that advocates on corporate security issues.

Mr. Gaul and other lobbyists point to three aspects of the prospective reporting regime that remain unclear and will depend on how CISA interprets them: which organizations are covered, which incidents are covered and when the 72-hour reporting window begins.

In defining covered entities, the law directs CISA to consider consequences to “national security, economic security, or public health and safety” if the company or organization were to be disrupted or compromised. Likelihood of a cyberattack also will be a factor, as well as whether damage “will likely enable the disruption of the reliable operation of critical infrastructure.”

Covered incidents, meanwhile, will include those that lead to “substantial loss of confidentiality, integrity, or availability of such information system or network.” Additional factors, such as “sophistication or novelty” of attack and number of people affected also will be taken into account.

As the law is written, such terms—likely, substantial, sophistication—will be open to CISA’s interpretation during the rule-making process. So, too, will the point at which the 72-hour timeline begins: when “the covered entity reasonably believes that the covered cyber incident has occurred.”

Early uncertainty

Diagnosing the severity of cyber incidents within hours of spotting suspicious activity can be difficult, says Rinki Sethi, former chief information security officer of Twitter Inc. Adding to the complexity, cybersecurity experts warn that incidents that can seem small at first can have widespread impacts. The stance that companies under attack usually take, Ms. Sethi says, is, “We know something has happened. We don’t know the details yet.”

Organizations such as the U.S. Chamber of Commerce say the way the law is written holds the potential for information overload.

“They have a huge tiger by the tail, and they deserve credit for tackling it,“ says Christopher Roberti, senior vice president for cyber, intelligence and supply-chain security policy at the Chamber of Commerce. Still, he says, “what we don’t want to have is a requirement that floods the government with tons of chaff instead of wheat.”

Some industry groups have opposed reporting requirements based on fears that divulging information about hacks could invite lawsuits and regulatory scrutiny. But a Russia-linked espionage campaign that was revealed in 2020 gave new momentum for mandatory reporting. The cybersecurity firm Mandiant Inc. —known at the time as FireEye Inc.—voluntarily reported a breach of its systems, leading to an investigation that found federal agencies and U.S. companies had been accessed by hackers through a compromised software update from SolarWinds Corp.

CISA, created four years ago to protect critical infrastructure, has since tried to entice cloud providers and telecom companies, which have wide-ranging visibility of the digital world, to share information about cyber threats voluntarily through a partnership called the Joint Cyber Defense Collaborative. Lobbyists have warned that such relationships could be poisoned if too-strict reporting rules were enacted.

“We want to be careful not to have CISA as a regulator,” says Sen. Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee. “CISA needs to be there as a partner, and one that businesses will actively seek out to get their help, because of the resources that they’re going to provide.”

CISA declined to comment for this article.

‘Good stuff versus noise’

Some corporate lobbyists hope that a federal mandate will be preferable to an emerging patchwork of reporting regulations, such as Transportation and Security Administration rules for pipelines and railways. Those TSA mandates to report to regulators come in addition to state-level laws requiring companies to make public data breaches that affect consumer information.

The success of the law will ultimately depend on how the government uses reported information to defend against future cyberattacks, says Kevin Mandia, chief executive of Mandiant. “It will require, over time, for folks at CISA, as they take in all this reporting, to get their sea legs under them to be able to potentially filter things into high-fidelity, confident, good stuff versus noise,” says Mr. Mandia, whose firm was acquired by Alphabet Inc.’s Google this month. “Until they do that, they’re telling everybody to do it themselves.”

The law calls for CISA to perform “rapid, confidential” sharing of data with other federal agencies and the private sector, but it stops short of giving CISA a deadline. Justice Department and Federal Bureau of Investigation officials warn that any delay in obtaining information from CISA could hinder their investigations and have called for liability protections that encourage victims to report breaches directly to law enforcement.

Mr. Farshchi, of Equifax, says it would be difficult to set a concrete time frame for when such intelligence would be useful to companies protecting their own computer systems. “Well, since we don’t typically get it, anytime would be cool,” he says.

Mr. Uberti is a Wall Street Journal reporter in New York. He can be reached at [email protected].