US Critical Infrastructure Companies Will Have to Report When They Are Hacked

This will be law soon:

Companies critical to U.S. national interests will now have to report when they’re hacked or they pay ransomware, according to new rules approved by Congress.

[…]

The reporting requirement legislation was approved by the House and the Senate on Thursday and is expected to be signed into law by President Joe Biden soon. It requires any entity that’s considered part of the nation’s critical infrastructure, which includes the finance, transportation and energy sectors, to report any “substantial cyber incident” to the government within three days and any ransomware payment made within 24 hours.

Even better would be if they had to report it to the public.

Posted on March 15, 2022 at 6:01 AM • 26 Comments

Comments

Anonymous March 15, 2022 8:28 AM

I wonder if there are any constitutional issues with this? Maybe something about compelled speech? Of course, there are already other forms of compelled speech, like warning labels. I’m not saying the law is a bad idea, I just instinctively suspect gov’t overreach on just about everything LOL.

Cooper March 15, 2022 9:23 AM

… yes, of course there are major Constitutional issues here.

The U.S. Federal Government has absolutely zero Constitutional authority to enact such a law.

But nobody much cares at this late stage of American history.
Plus, if we now started getting fussy about Constitutional legalities — 90% of Federal law & regulation would be voided immediately.

JonKnowsNothing March 15, 2022 9:32 AM

@All

re: Even better would be if they had to report it to the public.

Reporting it and doing something about it are different. I would prefer to have them do something about it but then… there isn’t much they will or can do.

I envision a news section in MSM titled “Today’s List of Hackees”. Followed by a list 200-500 names long.

Then there is the question of “how long do they have to report for”?
* Is a 1x notice enough even if the event takes months to fix (provided it’s fixable)?
* Do they have to report for every day they haven’t fixed it?
* If they get hit multiple times, do they report for each event?
* If the event hits multiple systems do they report for each system?

It’s like the COVID positive reporting problem.

If the system is truly part of the nation’s critical infrastructure, do we really want to advertise that The Pentagon is SOL and all missile targeting systems are BORKED or that our divisions of balloon tanks just deflated?

Better than just Reporting It would be to Fix It.

isabela March 15, 2022 10:03 AM

I have to wonder whether this law will have the “Texas loophole”, wherein a company is only part of “critical infrastructure” if they’ve declared themselves to be (an action which, at least in Texas, seems to bring obligations with no corresponding benefits). Saying that “critical infrastructure … includes the … energy sector” isn’t clear about whether it includes every company in that sector, or which companies are part of that sector (e.g., transformer manufacturers?—according to the DoE’s Large Power Transformer Study, a well-targeted destruction of transformers could take 0.5 to 2 years to recover from, but most manufacturers are outside the USA).

EnviableOne March 15, 2022 10:52 AM

Surely by reporting it to CISA, does it not become part of the public record and then become available to the world and dog?

Throughout Europe, all CNI are required to report, as the Network and Information Security directive snuck in under the ruckus caused by GDPR and went into force a couple of weeks before it, on 10th May 2018.

It also creates a reporting structure and similar structures at the national level across the bloc.

Winter March 15, 2022 10:53 AM

@isabela
“I have to wonder whether this law will have the “Texas loophole”, wherein a company is only part of “critical infrastructure” if they’ve declared themselves to be”

I think the mayor, Tom Boyd of Colorado City (Texas), explained very well how the Texas legislature and executive think about “Critical Infrastructure”:

“No one owes you or your family anything; nor is it the local governments responsibility to support you during trying times like this! Sink or swim, it’s your choice!” he wrote. “The City and County, along with power providers or any other service owes you NOTHING!”

Also, the latest voting laws in Texas also make sure that voters are not allowed to change this. I think Texas is well aligned with Putin and the late Robert Mugabe in how they see Multi Party “Democracies”

ResearcherZero March 15, 2022 11:49 AM

It’s only a little under 30% that don’t take security seriously, and some companies actually do take care of their customer’s data. Many companies do take security and bug reports seriously too. It’s often a pain to report problems, but most companies do respond. A few don’t respond at all, which isn’t that reassuring, but if you publish the security flaws it can get results, though not always good.

Some of those flaws end up in the hands of a nation state, someone opens an email and POP, you have no [insert critical civilian service of your choice]

It is getting easier to report security flaws, and the number of times it is a complete PITA has decreased.

I’ve never had nightmares about 0dayz, just one of my friends who says, “You left us behind”.

Ted March 15, 2022 12:41 PM

Whoops. The article I posted previously referenced a different reporting bill (S.3600) that has only passed in the Senate.

The cyber legislation that was just presented to the President to sign is tucked in the Consolidated Appropriations Act, 2022 (H.R.2471).

That portion of the bill is called the “Cyber Incident Reporting for Critical Infrastructure Act of 2022.” It looks like a good read for a lawyer. I’m sure lots of people are sitting down with a cup of coffee or a consultant to tease apart what’s going on there.

https://www.congress.gov/bill/117th-congress/house-bill/2471/all-info

Some Guy March 15, 2022 1:15 PM

The bigger issue is that while critical infrastructure will be regulated, the software vendors are often not regulated.

Isabela – For many of the 15 critical infrastructure sectors (energy, nuclear, water/wastewater, chemical, communications, dams) – if you are a member, you know it because of all the regulations you already fall under.

Tõnis March 15, 2022 6:08 PM

@Anonymous and @Cooper, of course there are constitutional issues with this (e.g. compelled speech), but these companies are more than likely already beholden to the federal government as licensed monopolies, and as recipients of federal funds and other forms of corporate welfare. They shouldn’t have it both ways, as “capitalists” on the one end and as socialists on the other.

tim March 16, 2022 9:10 AM

So many Constitutional lawyers here with no understanding of how business is regulated in the United States.

(this bill is an excellent start)

Canuck March 16, 2022 11:03 AM

Call me stupid if you want, but how is the mandatory reporting of a crime unconstitutional?

Give me actual legal authority to support this argument.

I think the point is that the businesses being hacked have a duty of care that imposes obligations on them if they are hacked.

lurker March 16, 2022 12:19 PM

@Canuck, @tim
Is “hacking” constitutionally well defined as a crime? Or is it conveniently tucked into Interstate Wire Fraud?

ciphertext March 16, 2022 3:31 PM

Is there an online preview of the proposed bill? I haven’t found one linked through the AP article.

I would like to know how the proposed bill defines:
1) hacking
2) critical infrastructure
3) ransoms (presumably through ransomware)

Could these reports be used in civil or criminal proceedings as evidence against the companies that did the reporting? Or could these reports serve as exculpatory evidence in those cases where the “hacking” entry point was turn-key or COTS software?

Leon Theremin March 16, 2022 3:39 PM

All telecoms will have to report that their 3G/4G/5G systems were hacked into with silicon trojans and are now used for electromagnetic spying, theft and sabotage.

All military contractors and suppliers will have to report that their microwave weapon development plans were stolen from their hacked devices and repurposed to run covertly on the computers that control 3G/4G/5G equipment.

JonKnowsNothing March 16, 2022 5:52 PM

@ lurker, @Canuck, @tim, @Cooper

re: Is “hacking” constitutionally well defined as a crime

In the USA, often the word “constitutionally” is used to imply if it’s enumerated in the US Constitution and Amendments.

Hacking is not listed there.

In the USA hacking and its many offshoots are listed and enumerated in other laws both Federal and State and perhaps some local county or city variations.

There are lots of these laws and they can be applied in many ways and combinations. Source and Destination or Target can be combined in different ways to produce the desired LEA effect.

Internal or External attacks or targets are included. If the source and target are in different countries then you get the other side’s laws involved too.

The crimes enumerated are more descriptive in scope and rely less on jargon for definitions.

re: The U.S. Federal Government has absolutely zero Constitutional authority to enact such a law.

Yes they do. There are many laws that require or compel reporting and define required actions.

An example case of State Laws (California) requiring action, restricted action and speech.

  • If you are involved in an accident, do not leave the scene of the accident, until required documentation exchanges are met.
  • Report damage (limit) if threshold met.
  • Report injuries.

In California, driving is a Privilege, not a Right. If it’s not a Right, you don’t have a Left to stand on.

You might want to escalate that argument to the Federal v State Authority Argument but there are equal cases there: DHS, TSA etc.

Just try to get on a plane in the USA without a “RealID”, which in California looks like a Bear with a Bullet Hole in it.

JG4 March 18, 2022 12:58 AM

I have a sad that no one mentioned that there are two kinds of companies.

Those who know they’ve been hacked, and those who don’t.

If they were going to compel one thing, shouldn’t it be robust detection of breaches?

Assuming that is even possible, under certain limited circumstances.

If they are successful in compelling detection, then compelling reporting begins to make sense.

Good luck with robust anything. If it were easy, more people and organizations would be doing it.

Clive Robinson March 18, 2022 5:46 AM

@ JG4, ALL,

If they are successful in compelling detection, then compelling reporting begins to make sense.

Perhaps you might, with just one more tiny step to join the last of the dots, realise why they are “compelling reporting” not “compelling detection”…

If they are not compelled to detect, then your,

Those who know they’ve been hacked, and those who don’t.

Comes into play along with the old truism of,

“Ignorance is bliss”

That is if they “don’t detect” or detect insufficiently, then they have nothing to report. Regardless of reality, their “blind eye sees nothing, coming over the horizon”.

In the UK we attribute such “wilful ignorance” to Horatio Nelson who allegedly put a spyglass to his blind eye and said “I see no ships”.

You could say that there are only two kinds of legislators,

Those who write proportionate and focused legislation and those who, for various reasons, “game the system”, I presume out of stupidity, direct gain, indirect gaming, or some combination thereof…

We have another saying in the UK,

“The last man to enter Parliament with honest intentions was Guy Fawkes”

Whose face is the mask others hide behind.

That was back in 1605, and for a quarter of a millennium English legislation demanded children celebrate every 5th Nov the failed “Popish plot”. So the treachery of the agents of evil beliefs who desired unrestricted power would not be forgotten[1].

https://en.wikipedia.org/wiki/Guy_Fawkes

[1] Maybe we should bring such celebrations back, but on “All Fools Day” and use the effigy of a modern pretender to the Tsarist myths.

JonKnowsNothing March 19, 2022 12:23 AM

@ Clive, @ JG4, ALL,

re: if they “don’t detect” or detect insufficiently, then they have nothing to report.

This was the position of the NSA+Chums+Chumps for many years. They played a neat game with the “oversight” committees where the majority and senior members were (and still are) firmly in the correct pocket.

The few members who refused to be pocketed had/have to play 20-Loaded-Questions with the 3Ls in attempts to get them to confirm publicly what the committee knows from their private briefings given by the agencies.

The folks running the agencies are well trained and well schooled in SpySpeak. They rarely slip up. They are masters of redirection, redefinition and never answering the question asked.

It’s notable when they do or when they give wonderful descriptions of what they think will be swallowed whole.

20 Questions For Gina:

  What did Gina See? What did Gina Know? What did Gina Say?

===

Search Terms

Gina Haspel

Fatima Boudchar

Abdelhakim Belhaj / Abdel Hakim Belhaj

Attorney General Jeremy Wright told lawmakers that Prime Minister Theresa May had apologized “unreservedly”

CIA abductions/renditions

Foreign Secretary Jack Straw

Sir Mark Allen, a former senior officer in the MI6 intelligence agency.

Moussa Koussa the head of Muammar Gaddafi’s intelligence service

Sir Mark Allen wrote: “I congratulate you on the safe arrival of [Belhaj]. This was the least we could do for you and for Libya to demonstrate the remarkable relationship we have built over recent years.”

“Fatima Boudchar Was Bound, Gagged And Photographed Naked. John McCain Wants To Know If Gina Haspel’s Okay With That”

JG4 March 19, 2022 9:22 AM

@Clive and The Usual Suspects

Thanks for the honor of commenting positively on what I had to say. The mention of Guy Fawkes was a pleasant reminder of the good old days. An interesting overlap to the problem of proportionate and focused in constructing legislation. “Appropriate and directed,” if you prefer. All legislation should have to pass Constitutional muster. “Narrowly constructed,” “overbroad,” and “compelling government interest” spring to mind. Not sure what the compelling government interest in sponsoring torture is. It should be clear that there is no compelling government interest in going to foreign lands to kill the residents and steal their oil. Unless they are secretly making WMDs, then it is not only OK, but a moral obligation. At least to people who shoot their friends in the face. No surprise that psychopaths like that want to torture us too.

The Science of Interrogation – Schneier on Security
https://www.schneier.com/blog/archives/2017/10/the_science_of_.html
Fawkes was both right and wrong, in much the same way as Kaczynski. His premises generally were correct, but he diluted his moral authority with a resort to violence, the worse for apparently having been random. In a successful competing harms defense, the violence has to be a) appropriate and b) directed.

I concluded some time ago that we are living under a failed government. In many ways, especially if you are wealthy, it is better than a lot of others. I was slow to realize that given enough time, all governments, all economies, all currencies, all ecosystems and all bioenergetics will fail in ways both small and large. “Time will find a point of failure, if not multiple points.” I almost certainly said before that the distribution of failures generally will follow various power laws. No doubt Guy Fawkes was living under a failed government, not to excuse his poor choices. For humans at the present juncture, bioenergetics means large inputs of fossil fuels to manufacture fertilizers. Apparently, the flow of fossil fuels and fertilizers can be shut off with the stroke of a pen. Putting delta functions and square edges into systems that are brittle may not be the best approach. To his credit, Bill Gates, when he wasn’t flying Lolita Express (aka shagging minors rotten with Jeffrey Epstein), and maybe when he was, has invested significantly in greener alternatives to fossil fuels.

Getting back to the problem at hand, of developing robust systems, I have warmed up to the concept of having something like blockchain to record the data inputs and data outputs, which opens the door to robust detection and robust reporting of data breaches. It also opens the door for citizens to audit and correct their personal data on systems owned by various liars, thieves and murderers, and hold responsible the parties who enter erroneous data. That could rein in some of the credit and collection abuses, speaking of liars, thieves and murderers. I am not a big fan of the proof of work approach to consensus algorithms. In any case, some efficient consensus algorithm (e.g., hashgraph), implemented on appropriate hardware, would be capable of logging all input of data and all output of data. The log files would capture who, what, when, where, why. The present approaches to statistical detection are better than nothing, but intrinsically flawed. As we have noted, requiring reporting without requiring robust detection is worse than pointless. Like security theater, it creates a false and counterproductive sense of security.

Friday Squid Blogging: US Army Developing 3D … – Schneier
https://www.schneier.com/blog/archives/2018/05/friday_squid_bl_623.html
Trust is a consensus algorithm. It hasn’t been scalable, at least not stably. Governments are consensus algorithms – “consent of the governed.” Voting is a consensus algorithm. Money and transactions are consensus algorithms. Loosely speaking, science is a consensus algorithm. Banking is a collection of consensus algorithms.

Pounding the nail directly on the head, we need reliable systems. Shannon showed that arbitrarily reliable systems can be constructed from arbitrarily unreliable components. The specifications for holding sensitive data that has the potential to harm others must be the subject of legislation or regulation. The days of the Wild West may be drawing to a close. In the interim, the best that you can do is optimize the tradeoff between your data footprint and the value you derive from it. We are a long way from graceful degradation. We are a long way from resilience. Good luck, Godspeed, Github.

Jeffrey March 20, 2022 8:46 PM

So they “have to” report breaches.

And how do you determine if they have had one but have not reported it?

Some “good faith” BS maybe..?

Ted March 20, 2022 10:07 PM

@Jeffrey

And how do you determine if they have had one but have not reported it?

The law has a section on noncompliance. I posted a link to the law in an earlier post.

If the Director has reason to believe, whether through public reporting or other information in the possession of the Federal Government…that a covered entity has experienced a covered cyber incident or made a ransom payment but failed to report such cyber incident or payment…

I think they can request the info from the company. If the company doesn’t comply, the CISA Director can issue a subpoena for the info. If the company still doesn’t comply, the matter can be referred to the Attorney General to bring a civil action. Failure to comply with a subpoena can also lead to a contempt of court charge.

I was trying to find a good podcast or explainer of the law. Let me know if you find one. I think I remember hearing that penalties for noncompliance got watered down due to lobbyists.

Winter March 21, 2022 4:28 AM

@Jeffrey
“And how do you determine if they have had one but have not reported it?”

What happens to companies in the US that break the law? Say, a company flouts accounting or stock trading rules, or sells products that do not follow safety or health legislation?

I also think companies involved in critical infrastructure are “vulnerable” to oversight. Unless they are located in Texas, of course.
