Senate bill to require cyberattack info from critical infrastructure

Taylor Armerding
Published in Nerd For Tech
Feb 22, 2022


Congress is apparently hoping to apply that iconic motto “United we stand, divided we fall” to the cybersecurity of the nation’s critical infrastructure (CI).

A key provision of a proposed bipartisan bill — yes, bipartisan! — now pending in the U.S. Senate would require CI operators to report “substantial” cyberattacks within 72 hours and ransomware payments within 24 hours to the federal Cybersecurity and Infrastructure Security Agency (CISA).

Since the large majority of the nation’s CI is owned and operated by the private sector, that would unite private and public information sharing in a new way; hence the press release calling it “landmark” legislation.

Of course, this unity wouldn’t be voluntary. The Strengthening American Cybersecurity Act reporting requirements, if they become law, will be mandatory.

But politically speaking, the chances of any legislation with bipartisan sponsorship look good. The two cosponsors are Sen. Gary Peters, D-MI, chairman of the Homeland Security and Governmental Affairs Committee, and Sen. Rob Portman, R-OH, ranking minority member of that committee. The two have been working with a bipartisan group of six U.S. representatives — three Republicans and three Democrats — who have been leading a similar effort in the House.

There should be no debate about the need for better CI cybersecurity. It’s almost constantly under attack, and some of those attacks have succeeded and caused significant damage.

  • Temple University has collected a dataset of what it calls “critical infrastructure ransomware attacks” that has 1,137 records running from November 2013 to the end of January 2021. It comes with a caveat — the list includes only those that were publicly disclosed.
  • CISA, the FBI and the National Security Agency recently reported that 14 of the nation’s 16 CI sectors were targeted by ransomware attackers in 2021. Those sectors include chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare, information technology, nuclear reactors, transportation systems, and water and wastewater systems.
  • Claroty, an industrial cybersecurity company, in its most recent biannual industrial control systems risk and vulnerability report, wrote that CI assets are “exposed online in record numbers, and along with them, all their blemishes: unpatched vulnerabilities, unsecured credentials, weak configurations, and the use of outdated industrial protocols.”
  • This past week, the FBI and the Secret Service posted a warning about a ransomware-as-a-service gang called BlackByte that had compromised multiple U.S. and foreign businesses. The warning said attacks against U.S. CI sectors included government facilities, financial, and food and agriculture.

While many attacks cause only minor damage, some have been significant. Ransomware attacks against Colonial Pipeline and JBS Foods caused major fuel and food supply disruptions that led to price spikes and millions in payments.

And given ongoing international tensions, the risk of cyberattacks from hostile nation states targeting CI is increasing. If such attacks disrupt or damage food or water supply, financial services, or the electrical grid, they could cause supply problems and price spikes that would make current inflation look like the good old days.

A layup? Not so much

So a bill like this ought to be a layup, right? Who could be against making our critical infrastructure more resilient?

Well, as is almost always the case, the devil is in the details.

For starters, the private and public sectors haven’t always played well together on cybersecurity. There have been numerous complaints at cybersecurity conferences that when the federal government calls for information sharing, it’s a “one-way street” — the feds demand that the private sector share but won’t reciprocate.

That hostility may be softening. At a White House meeting last summer with President Biden, the heads of some of the biggest tech companies in the world pledged to spend billions on cybersecurity training and improving security technology. The White House said Biden called the meeting to discuss the efforts of private sector CI entities in the banking, energy, and water utility industries to improve cybersecurity and collaborations with the government.

And Sammy Migues, principal scientist with the Synopsys Software Integrity Group, said collecting attack and ransomware information is a legitimate role for government. “Being a central clearinghouse of ‘bad stuff under way’ is an appropriate federal government function,” he said. “They need this information on a timely basis to do federal government things that might range anywhere from sending a tweet to military action.”

Emile Monette, director of government contracts and value chain security with the Synopsys Software Integrity Group, agrees that the feds have the capability to help CI operators protect themselves from nation-state or other highly sophisticated attacks, but thinks that other incentives to share ought to be built into the bill.

“It’s unclear what a reporting company might get from the government by reporting. I think it’s missing some WIFM [what’s in it for me?],” he said. “Ideally, government would offer some liability protection or other safe harbor, or treat participation in such a program as a mitigating factor in determining whether the company might be subject to some penalty.”

Indeed, it’s one thing for tech giants, or anyone else, to invest in their own security. It’s another to share information they’d like to keep private.

Years to go

There will be time to get those potential conflicts resolved — perhaps a lot of time. Even if the bill passes, it will be years before its long-term effects are known.

One reason is the lack of a definition of a “substantial cyberattack” or, as the bill puts it, a “covered cyber incident.” What does that mean? The bill says it is an attack that “satisfies the definition and criteria established by the Director in the final rule issued pursuant to section 2242(b).”

And if we look at section 2242(b), buried in the middle of the 211-page bill, we find that the deadline for the definition and criteria is 42 months after the bill passes.

Migues said most CI firms have a pretty good idea about the definition right now. “I think ‘substantial’ in the cybersecurity world is like ‘material’ in the auditing world,” he said. “You pretty much always know it when you see it.”

Still, if it comes down to an organization appealing a fine or other penalty for its alleged failure to meet the reporting requirements, a court is likely to want something specific.

Monette noted that the bill does define a “major” attack but not a “covered” incident. “I believe a substantial incident would be less than a major incident but defining that threshold at the lower end may be difficult,” he said. “If it meets all but one of the major elements, it stands to reason that would probably be substantial. But what if it misses the ‘major’ mark by three elements? Two? Five? Is that insubstantial?”

“Congress should have defined it — pretty inartful drafting,” he added. “Seems to me this is a punt by Congress because they couldn’t figure it out and to me it’s a flaw because it will cause the law — assuming it gets passed — to have a high potential never to be enforced if nobody knows what ‘substantial’ actually means.”

No comment

Neither Peters’ nor Portman’s offices responded to requests for comment.

Also, it’s not entirely clear what will happen to companies that fail to comply with the reporting deadlines. There are no specific penalties set out in the bill.

Migues said that doesn’t mean the bill will be toothless. “The federal government can leverage whatever federal service it provides to ‘entice’ companies to do things,” he said. “Don’t like a state’s drinking age? Withhold their federal highway funds until they change it. So, can it be forced on organizations? Even if the answer is no, it’s yes.”

And Monette said regulators might include failure to report in their oversight of regulated CI sectors, “which would trigger risk of loss of authority to operate. Or it might be included in government contracts, which would trigger liability under the False Claims Act.”

At present, this is all speculation — the bill is just a proposal. And Monette is dubious that, even with bipartisan sponsorship, it will pass as is. “It may well spur others to draft amendments that make it into something more meaningful,” he said.

If that’s the case, he has a suggested amendment. “It would be great if the government harmonized all the reporting requirements, setting aside the variety of state and local requirements, all of which drives up costs to comply,” he said.


I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.