

President Joe Biden last week signed into law some of the most celebrated cybersecurity legislation Congress has passed yet - but it didn’t end up looking like what everyone wanted, and there’s a long way to go from his signature to a final regulation.

The law requires critical infrastructure owners and operators to report to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours when they’ve suffered a major hack. It requires those same owners and operators to report a ransomware payment within 24 hours.

It crossed the president’s desk after nearly two years of work, triggered by the late-2020 revelations about the SolarWinds hack that led to other companies and federal agencies suffering compromises.

The earliest proposal, from Senate Intelligence Chair Mark Warner, D-Va., was more aggressive in how quickly companies needed to report major incidents - 24 hours - as well as who had to comply and what happened to companies if they failed to do so.

Still, the final product is almost universally hailed as a success by security experts and even industry groups who had opposed the stricter elements of the Warner legislation.

“We have to make some sort of progress, right? No one’s ever going to agree completely,” said Jay Kaplan, CEO and co-founder of security company Synack and a former Defense Department and National Security Agency official. “And you’ve got to start somewhere, and then you react and you change over time once you start seeing how it rolls out.”

The nearest comparison to the legislation is a 2015 law that provided liability protections to companies who shared cyberthreat information with DHS, hailed at the time as the biggest cybersecurity legislation Congress had passed but widely viewed as disappointing since. That law sprang from a larger package that Congress failed to enact in 2011.

“When we did the legislative push in 2011 - and we all have battle scars from that - even though it was regulation-light, it was still perceived by industry to be hardcore and that’s why they went after it with some very long knives and very sharp spears,” said Megan Stifel, who served as cyber policy director at the Justice Department’s National Security Division at the time. “So we’re now in a place where what we need to do is work with industry.”

Parts of the law are unpopular in a key corner of the Biden administration. Justice Department officials expressed concern that they won’t receive incident reports at the same time CISA does. They also said the way the law is written might hinder rapid cybercrime investigations and law enforcement actions.

And many of the specifics about how the law will work in practice have yet to be decided, such as the definition of a “significant incident” that triggers the mandate for a company to disclose it to CISA. Those issues might not be settled until late 2024, under the timeline the bill sets for DHS to fully implement the law.

“We should have been doing this six years ago,” said Paul Rosenzweig, the principal of Red Branch Consulting, a senior fellow in tech, law and security at American University and a former senior DHS official. “I’m glad we finally have something on the books, and we’ll have to see how it works out.”

The compromises

The final version of the legislation, chiefly sponsored by Senate Homeland Security and Governmental Affairs Committee Chair Gary Peters, D-Mich., requires relevant companies and agencies to report incidents to CISA within 72 hours after they “reasonably believe” to have been hit by one.

Stifel, now chief strategy officer for the Institute for Security and Technology, said that timeframe was likely to “piss off the incident response community” who want information as quickly as possible to stop the spread of an attack.

And Kaplan said that after a company knows it’s been hit, “at that point, I see no reason why it can’t be faster.”

Others fear that 72 hours might still be too quick a timeline.

It’s “a little bit unrealistic” for companies to have all the information CISA wants within 72 hours, said Kellen Dwyer, a former senior DOJ official and currently the co-leader of Alston & Bird’s national security and digital crimes practice. That includes information about the tactics used by the attackers, details about the impact on the target, the vulnerabilities exploited in the attack, date ranges of the attack and much more. Companies may provide preliminary responses and follow up later, he said.

Industry groups testified before Congress last year in support of a 72-hour window for reporting, and they were ultimately happy with how that issue shook out.
