How much time should government agencies, critical infrastructure operators and contractors (including MSSPs) have to report a breach to federal security authorities?
Pending U.S. legislation originally focused on a 24-hour breach disclosure policy. But a new draft bill -- which extends the breach disclosure deadline to three days -- has gained the endorsement of private industry and technologists.
The bipartisan pushback against the 24-hour disclosure deadline surfaced in a hearing of the House Homeland Security subcommittee. Concerned parties included Reps. Yvette Clarke (D-NY), chairwoman of the subcommittee, and John Katko (R-NY), ranking member of the full committee. The updated bill -- with the three-day disclosure policy -- would allow companies suffering a security breach the often-needed time to assess the incident before reporting it to the Cybersecurity and Infrastructure Security Agency (CISA), industry officials said.
U.S. Breach Disclosure Legislation: Potential MSSP Implications
Any legislation involving cyber incident disclosures could influence how MSSPs, MSPs and MDR (managed detection and response) service providers work and communicate with their customers and the government.
At first glance, 72 hours seems like a safe amount of time for victims to investigate the incident, assess the damage and respond without worrying about fulfilling compliance requirements. Nevertheless, immediate help from CISA might be welcomed. The key clause in the draft bill is that victimized companies can elect to report before 72 hours have elapsed, but CISA cannot require it.
Under existing law, there is no federal requirement for individual companies to disclose a breach to CISA at all, let alone within a certain time frame. To address the issue, legislators have brought forward the bipartisan Cyber Incident Notification Act of 2021, which would require critical public and private organizations to notify CISA within 24 hours of discovering a system compromise. A number of prominent businesses have claimed that incident reporting, regardless of the time frame allowed, would disproportionately concern their shareholders and weaken their competitive positions.
The measure, which drew support from a host of lawmakers on both sides of the aisle, would grant limited immunity to companies that report a breach and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy. Lawmakers pointed to the SolarWinds Orion and the Colonial Pipeline attacks as examples necessitating federal action.
“Cyber attacks are often complex and require sophisticated analysis to fully understand the full scope of compromise,” Ron Bushar, vice president and global government chief technology officer at FireEye Mandiant, testified as part of prepared remarks to the subcommittee. “Allowing for a reasonable amount of time to properly assess the situation before requiring reporting will limit false positives and redundant or contradictory information and prevent unnecessary data collection,” he said, The Hill reported.
John Miller, senior vice president of Policy and General Counsel at the Information Technology Industry Council, held a similar opinion in his prepared remarks during the hearing. “We recommend that any legislation allow for reasonable reporting timelines commensurate with incident severity levels, but of no less than 72 hours,” he said. “Requiring an entity to report an incident on a shorter timeline may be insufficient for companies to determine the nature of the issue – is it a cyber attack or is it merely a network outage?”
Similar testimony came from Heather Hogsett, senior vice president of technology and risk strategy at the Bank Policy Institute's Technology Policy Division, and Kimberly Denbow, managing director of security and operation at the American Gas Association (per The Hill).
A spokesperson for Senate Intelligence Committee Chairman Mark Warner (D-VA), one of the lead sponsors of the Incident Notification bill, told The Hill that “Senator Warner continues to believe that we need mandatory reporting and some incentives to ensure that everyone is sharing the information we all need to stop these cyber attacks and improve security for everyone.”
Cyber Incident Reporting Mandates: This Sounds Familiar
Mandated cyber incident reporting by the private sector has previously garnered support from federal security agencies. In April, directors of the National Security Agency, National Intelligence and the Federal Bureau of Investigation told bipartisan members of the Senate Intelligence Committee that a law requiring the private sector to report a breach can help stitch together the nation’s cyber defenses against attacks on critical industry.
In addition, both CISA director Jen Easterly and Chris Inglis, the White House national cyber director, made it clear at their nomination hearings that they support imposing minimum reporting standards on critical infrastructure outfits and private companies.