A new law requiring critical sectors to report cyber breaches is “a good first step” but long overdue, experts said, as it is the first federal-wide mandate of its kind.
Prior to the federal law, there were state-based requirements for reporting hacks that some experts said presented a regulatory burden for companies as they tried to comply with different state regulations.
Reed Loden, vice president of security at Teleport, said that having a uniform mandate where businesses can report to one authority instead of 50 makes it much easier to report cyber breaches.
“That was really annoying because that’s 50-plus different laws and regulations that [companies] had to follow,” Loden said.
The experts also praised the new mandate because it will encourage more transparency and collaboration between the federal government and the private sector as they try to work together to counter cyberattacks.
The new mandate requires companies in critical sectors to report substantial cyberattacks within 72 hours and ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA).
The law passed in March as part of the omnibus spending bill. That legislation significantly increased funding for CISA, a federal agency that oversees cybersecurity infrastructure and enforcement. The federal spending bill dedicated a $2.6 billion budget for the agency, which includes funding for threat hunting and vulnerability management.
The new mandate comes amid heightened security and warnings from U.S. officials urging critical infrastructure to shore up their cyber defenses against possible Russian cyberattacks.
Jonathan Reiber, a senior director for cybersecurity strategy and policy at AttackIQ, said he’s been advocating for this type of law to pass and applauds the increase in funding to CISA, especially with the ongoing conflict between Russia and Ukraine.
Reiber also said that although he sees how certain companies may be burdened to report every major cyberattack to the government, the mandate increases visibility into what the adversary is doing, which makes the U.S. better prepared to counter those attacks.
It’s all about “visibility into defense effectiveness coupled with visibility into what we know about the adversary,” Reiber said.
Reiber added that the law will also measure companies’ readiness to respond to cyber threats and how their cybersecurity has improved over the years.
“Prove to me that you are in a better position than you were a year and a half ago,” Reiber said, explaining what the government will be looking for in companies. “That is a legitimate question, and that’s why the legislation passed.”
Loden, who echoed Reiber’s views, said it is critical for companies to report to the government because keeping cyber breaches private doesn’t benefit anyone, especially if another business is the victim of a similar attack that could have been prevented if alarm bells had gone off.
“It’s not a matter of if you get hacked, it’s a matter of when,” Loden said.
He added that it’s about learning from the previous attack so that a company is as secure and resilient as it can be.
“If a company tells me that they got breached this way, I always look at that and say, ‘Hey, let’s make sure that we’re not vulnerable to the same thing and how we can learn from this.'”
Although the cyber legislation unanimously passed the Senate, before being signed into law, it did face some harsh criticism from FBI and Justice Department officials who were disappointed that the bill did not require companies to jointly report to CISA and the FBI.
FBI Director Christopher Wray said that while he applauds the intention of the legislation, the bill “has some serious flaws.”
Meanwhile, Deputy Attorney General Lisa Monaco said in a statement first reported by Politico that the “bill as drafted leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats.”
A spokesperson for Sen. Gary Peters (D-Mich.), the chairman of the Senate Homeland Security and Governmental Affairs Committee who sponsored the bill, said that what Monaco and Wray were suggesting is “completely false,” adding that the agencies had been consulted and that revisions were made to address some of their concerns.
Although Loden did not want to speculate further on the government’s infighting over the bill, he said he did understand the FBI’s point of view because the agency has been a longtime partner with industries.
But ultimately, he said he didn’t have a preference in who takes the lead as long as companies are reporting cyber incidents to the government as mandated by the new law.
“The goal is that we are sharing information with the right people that allows us to be proactive and not have to be reactive when something happens,” Loden said.