Cyber incident reporting isn’t the problem — ignorance is
For over 20 years, the federal government has urged industry — particularly those operating critical infrastructure systems like water systems and electric grids — to voluntarily secure their digital assets, share relevant threat information within their sectors, and report incidents to the government. This purely voluntary approach initially made sound legal and policy sense. The alternative, such as government monitoring private networks for signs of potential breaches, seemed both extreme and impractical.
But simply relying on industry to report incidents voluntarily hasn’t been enough. We still lack key data about cyber incidents: What is the overall rate of incidents? How does it differ by sector or region or company size? Can we use knowledge about an incident at one company to prevent something bad from happening to another?
Acknowledging that voluntary reporting isn’t sufficient, Congress passed legislation earlier this year requiring critical infrastructure owners to report substantial cyber incidents. While almost everyone supports mandatory reporting in theory, some organizations are trying to weaken the new requirements.
They argue that the reporting requirements could harm them. They argue the data could be used for regulatory enforcement and that the federal government cannot protect incident data shared with it. Given these concerns, these organizations are trying to narrow the reporting requirements as much as possible to avoid being subject to the mandate.
However, these concerns are not grounded in reality. The law specifically prohibits reported information from being used for regulatory purposes. While adequate data protection is a legitimate concern, the solution is for the Cybersecurity and Infrastructure Security Agency (CISA) to invest in effective cybersecurity for incident data.
We cannot combat cyber threats effectively if we don’t have better data about attacks — that includes mandated reporting. We need to know the number, type, and distribution of cyber incidents across our digital ecosystem. We now have the legislative foundation to collect this data. As CISA works through the details, we should take this opportunity to collect as much data as practical, while keeping the burden to a minimum.
Absent broad, consistent data across many sectors from a wide variety of companies, neither the government nor the private sector can identify trends, understand the true impact of the problem, or develop effective policies. Such data is critical to creating a safer ecosystem. Both mandatory and voluntary incident reporting are essential elements in helping us understand our vulnerabilities so we can strengthen our collective digital security. While having concerns about an as-yet undefined requirement is understandable, efforts to narrowly limit mandatory reporting are misguided.
Consider that barely a year and a half ago, Americans were putting gasoline in grocery bags, the result of a ransomware attack on the Colonial Pipeline, a major fuel pipeline on the East Coast. Since then, public schools and other critical components of our daily lives, including healthcare systems, have continued to fall victim to ransomware incidents. Yet, we have a gap — has the rate of ransomware incidents gone up, down, or stayed the same in 2022 compared to 2021? Some data seems to indicate it has gone down, while other sources indicate that it has remained steady, albeit hitting lower-profile targets.
The recently enacted Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will help address this gap. It requires owners or operators of covered critical infrastructure to report significant cyber incidents to the Department of Homeland Security. The law directs the DHS Secretary to issue a regulation to implement the requirement and it requires stakeholder feedback on the regulations’ development.
This law tracks with recommendations made in the 2021 Ransomware Task Force Report by the working group we co-chaired. The report recommended that reporting requirements for victims of cyber incidents, including ransomware attacks, should be an essential component to managing our critical dependence on digital systems that remain vulnerable to a range of threats.
We believe that CISA should maintain broad coverage for the reporting requirement, define significant cyber incidents to only encompass instances when real harm has occurred, and follow a set of principles (such as allowing for updates) in developing the regulation. Our comments also provide sample reporting formats complete with information fields. In particular, CISA should ensure that the reporting process is easy, accessible, and iterative, and that it considers the burden placed on organizations experiencing a cyber incident.
Stronger reporting requirements will help some of the same industries concerned about them. Information from these reports can help other similar organizations prioritize their security strategy and actions. It can also inform budget allocations. Incident information is also critical to efforts by law enforcement and the intelligence community to identify the perpetrators of such incidents and bring them to justice or otherwise disrupt their insufficiently contested ability to operate with impunity, particularly from safe havens. It can also support international efforts to secure critical infrastructure and shut down cyber-criminal rings.
Unfortunately, we have reached the limits of what purely voluntary approaches to cybersecurity can achieve. Without sufficient information, as a nation we remain ignorant of and overwhelmingly exposed to the full scope of our cyber risk. Our experience over the last 20 years indicates that we need the federal government to impose certain requirements if we want to reduce our level of cyber risk.
Mandatory and voluntary incident reporting are essential elements in illuminating our weaknesses; we must move beyond ignorance. The bigger risk is not in data collection, but in our continued collective blindness with respect to cyber incidents.
Michael Daniel was Special Assistant to President Barack Obama on cybersecurity; he is CEO of the Cyber Threat Alliance.
Megan Stifel is the chief strategy officer for the Institute for Security and Technology. For over two decades she has worked at the intersection of technology and national security, having previously served at the White House as cybersecurity adviser to the National Security Council and at the U.S. Department of Justice as director for cyber policy in the national security division and as counsel in the criminal division’s computer crime and intellectual property section.
Copyright 2023 Nexstar Media Inc. All rights reserved.