Information Sharing is Caring?

Voluntary vs. Required. That debate regarding the sharing or reporting of vital information emerged in recent days after another salvo in the war on cyberattacks was fired in Washington, D.C.

Last week, a bipartisan group of senators, led by Mark Warner (D-Va.), Marco Rubio (R-Fla.), and Susan Collins (R-Maine), introduced a bill, titled the Cyber Incident Notification Act of 2021, that requires all federal agencies, contractors, and organizations considered critical to U.S. national security to report data breaches and security incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.

This legislation was unveiled in response to the wave of cyberattacks that have crippled U.S. critical infrastructure over the past year, which we have covered extensively in Security Systems News.

All you have to do is go down the list of names. SolarWinds. Colonial Pipeline. JBS USA. Microsoft. Kaseya. All victims of foreign hackers penetrating their IT systems and executing ransomware attacks and data breaches that have devastated these organizations that are vital to our critical infrastructure. This rash of cyberattacks also spread to U.S. schools, hospitals, and a myriad of other essential businesses and organizations as well.

In introducing the legislation that requires U.S. companies to report any cyber incidents within 24 hours, Sen. Warner cited the need to take away the voluntary aspect of reporting cyber incidents and make it mandatory.

“Under existing law, there is currently no federal requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity,” he said. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”

The need to introduce this bill in Congress seems to indicate a shortage of cyber information sharing with the federal government, a topic we covered in our recent conversation with Sam May, CISSP, Senior Compliance Advisor, Steel Root.

May, who consults with Defense Industrial Base (DIB) clients on cybersecurity regulatory and technical compliance, pointed out a deficit in information sharing on the part of the federal government.

“The Biden Administration pointed out in its recent Executive Order that there has to be more information and intelligence sharing,” he told SSN. “The federal government really needs to take charge and put much more emphasis on information sharing between the federal government and the DIB, and within the DIB itself.”

The bill offers incentives to businesses that come forward to report a cyberattack.

“To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy,” Sen. Warner said.

This statement by Sen. Warner raises some questions. Companies that are hacked may be reluctant to report cyber incidents, for fear of sharing personal and private business information with government entities, even with incentives built in. So where does the line of information sharing get drawn? Will companies feel that they’re being forced to release these personal and business records?

Another red flag that the bill raises is the possibility of penalties or sanctions being imposed for failure to report a breach. As outlined in the bill, the failure to report a “cybersecurity intrusion” to CISA could result in a financial penalty, determined by the Administrator of the General Services Administration (GSA), with a maximum penalty of 0.5 percent of gross revenue for the previous fiscal year, as well as possible removal from GSA’s Federal Contracting Schedule.

“Cyberattacks against American businesses, infrastructure, and government institutions are out of control,” Sen. Rubio noted upon the bill’s introduction. “The U.S. government must take decisive action against cybercriminals and the state actors who harbor them. It is also critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible.”

While the bill’s intent is clear, with the countless cyber incidents that go unreported, from small- to large-sized companies, is it possible that every entity victimized by a cyberattack is going to report these incidents to the appropriate authorities? And are they willing to do so, even with incentives in place to share their information, and with the threat of financial penalties looming if they don’t report these incidents?

Sen. Collins noted a previous attempt to improve information sharing while strongly endorsing passage of this bill.

“My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector,” she said. “Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure. I urge my colleagues to pass the Cyber Incident Notification Act of 2021, which is common sense and long overdue.”

As we await Congressional action on the bill, we do know that there are other cybersecurity programs being implemented in the fight against ransomware attacks and other incidents in the cyber world.

Most notably, the Security Industry Cybersecurity Certification (SICC), the industry's first cybersecurity standard, was recently introduced by the Security Industry Association (SIA), with support from PSA Security Network and Security Specifiers, for integrators, manufacturers, consultants and other industry professionals to effectively perform jobs involving critical aspects of cybersecurity.

While the proposed cyber incident notification bill raises questions about voluntary vs. required information sharing, there is no doubt that the SICC certification is a groundbreaking moment for cybersecurity, and the security industry as a whole.
