On March 15, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law. This new law mandates that specified critical infrastructure owners and operators report breaches and other notable cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. Ransomware payments must be reported within 24 hours.
This legislation impacts how the federal government and infrastructure owners and operators interact around cybersecurity. It builds on the U.S. government’s efforts to make cybersecurity a strategic priority, using insights gained from security incidents to strengthen America’s critical infrastructure against future attacks. At the same time, it represents a major, and potentially demanding, change for organizations in this sector.
Background and Synopsis of the Legislation:
High-profile cyberattacks like the SolarWinds supply chain breach of 2020 and the Colonial Pipeline and JBS Foods ransomware attacks of 2021 emphasized just how important critical infrastructure systems are to the United States and its citizens. Both cybercriminals and foreign-backed, advanced threat groups are capable of causing significant damage to the security of the nation’s infrastructure. The new law’s reporting requirements will provide federal government agencies with significantly enhanced understanding of such incidents and their impact, and therefore help these organizations counter future attacks.
The law potentially impacts 16 critical infrastructure sectors, including energy, transportation, and food and agriculture. Details, including which sectors and which types of incidents will be considered in scope, are still being worked out by CISA.
Our View on the Law:
This legislation is another encouraging sign of how the U.S. government is prioritizing cybersecurity. It has the potential to significantly enhance cyber maturity across the critical infrastructure spectrum. However, Secureworks can’t ignore the demands it places on our customers and how it may change the support they require from us.
As a security organization that leads over 1,400 incident response engagements annually, we are well accustomed to supporting customers through the aftermath of incidents. We know what customers go through in the first 72 hours after an incident is discovered. That is why we feel strongly that the requirements this law places on organizations in scope should be implemented in a way that balances the important goals of the legislation with what is sustainable for those tasked with reporting.
Our focus is to ensure that the required reporting takes into account the fast-paced nature of responding to cyberattacks, and the importance of containing the attack in the immediate aftermath of discovery. In short, we want to ensure that customers don’t suffer negative consequences as a result of complying with the legislation.
Advocating for Our Customers:
As a key participant in the Joint Cyber Defense Collaborative (JCDC) and in other bodies supporting U.S. efforts on cybersecurity, we will use the voice of Secureworks to continue to advocate on behalf of our customers and their best interests. By doing so we will help ensure that critical infrastructure and business operations within the United States will be better protected and secured for years to come.
At Secureworks, we see this legislation as an opportunity to unify against a common adversary. By sharing security incidents and investigative findings, it is our hope that the federal government and infrastructure owners can align around a shared interest in defending our most critical infrastructure and capabilities against cyber criminals and hostile state actors.
To learn more about how Secureworks is supporting customers in fighting the full spectrum of cybersecurity risks, download our 2021 Incident Response Year in Review.