Site icon Check Point Blog

A must-read guide: Interpreting new breach US reporting mandates

Insights into the Cyber Incident Reporting for Critical Infrastructure Act of 2022

Anthony (Tony) Sabaj is currently the Director of Channel Security Engineering for North America at Check Point, with over 25 years of experience in Cyber/Information/Network security.

In this interview, expert Tony Sabaj explores new information that holds relevance for many US-based businesses. The insights in this article can help your organization proactively adapt to aggressive new mandates, optimize hierarchical structures, maneuver through legal minefields, and achieve stronger cyber security outcomes. Understand, interpret, and take action around the US’s groundbreaking cyber security legislation. What are the implications for your business?

On March 15th, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed. What kinds of enterprises will this legislation affect?

This act affects 16 sectors deemed critical within the United States:

Although not universally applied to all organizations, this legislation -across 16 sectors- covers an enormous number of entities in the United States and its territories. More detailed information regarding the sectors and definitions can be found at: https://www.cisa.gov/critical-infrastructure-sectors

Will this law force organizations to fundamentally change the way in which they operate in relation to cyber security?

The law mainly focuses on breach reporting and ransomware payment disclosure within 72 and 24 hours, respectively. Although the law does not require specific protections to be in place, the best way avoid reporting a breach or ransomware payment is to not have the breach in the first place.

Organizations will need to place greater focus on threat prevention solutions and architectures designed to thwart advanced threats, and shift focus away from detection and reporting alone.

Given the relatively short reporting windows, how realistic are the new reporting requirements for the average enterprise?

It’s very important to understand that the legislation requires disclosure of a breach within 72 hours of when it is known to the organization. The breach may have happened days or months in the past. The question “Who knew what and when” will be an important distinction when determining the legal adherence to this law.

The ransomware payment disclosure is straightforward. Once an organization makes a payment, they have 24 hours to report it, along with to whom they made the payment and how (crypto, bank transfer).

If businesses report incidents quickly, what kinds of protections are bundled into the legislation?

Any information submitted as part of the breach or ransomware payment is protected as confidential and proprietary information to the reporting organization and cannot be used in legal proceedings that do not pertain to this act.

Additionally, the information is excluded from FOIA (Freedom of Information Act) requests and other similar disclosure laws.

Ransom payments must be reported within 24 hours. What are the implications for businesses, for attackers, and for national security at-large in the US?

The act of paying ransom gives credibility and encouragement to malicious actors. Many ransomware campaigns implement double or triple extortion. Not only will the ransomware extortionists ask for a payment to decrypt the affected assets, there will be an additional ransom asked for to not release exfiltrated data and/or disclosure to affected third parties. Although not illegal to pay ransom amounts to threat actors, it is illegal to make payments or conduct financial transactions with entities that appear on the OFAC SSI list (Office of Foreign Assets Control, Sectorial Sanctions Identification). In turn, this has become a bit of a legal gray area, which becomes further complicated by cryptocurrency payments.

How will the new legislation affect the CIO-CISO dynamic within organizations, if at all?

The focus of this legislation is on the reporting and timelines. One of the most interesting aspects of this legislation requires the affected organization to have a named CISO and the CISO has some authority over the CIO. Organizations will need to make cyber security decisions that can be independent from IT initiatives. For many smaller organizations, the option of a vCISO (virtual CISO) may be the best way to adhere to this law.

In accordance with the legislation, CISA will create a centralized repository of information about threat actor intentions, programs and operations. Will this help everyone achieve stronger cyber security outcomes and if so, how?

Much like after 9/11, the Department of Homeland Security (DHS) moved to consolidate overall security into one single agency. CISA, part of DHS, is now the consolidated cyber security component of DHS. The US government has always had robust public/private partnerships in regards to cyber security. CISA is required to share the information in an anonymized format with the public and non-governmental organizations. More data will strengthen the security of organizations and the effectiveness of security tools.

Would threat intelligence + MITRE ATT&CK serve the same purpose?

MITRE ATT&CK receives most of its data from publicly available data sources. As CISA starts to publish more information, as required by this legislation, it could very well be a great source of information for tools like MITRE.

Anything else that you wish to share with the CyberTalk.org audience?

This legislation is a good first step in consistent cyber security incident reporting. It is not an all-encompassing requirement that applies to all organizations. As this legislation and other pieces of legislation mature, organization will be forced to look at prevention strategies and further adoption of zero trust principals.

For more outstanding insights from Tony Sabaj, see CyberTalk.org’s past interviews. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.

Exit mobile version