The Good, The Bad, and the Ugly
Buried within 2741 pages of Congress’s recent work product is the “Tell us you were hacked” law, actually named the “Cyber Incident Reporting for Critical Infrastructure Act of 2022.” Within H.R. 2471, the Cyber Incident Reporting for Critical Infrastructure Act (“Act”) transforms the once permissive information sharing options into mandated actions for any entity considered “Critical Infrastructure” (called a “Covered Entity” in the Act).
Before pronouncing opinions, the natural question is “Does this apply to me?” Based on the wording of the bill, the answer is a resounding “YES” whether someone owns a public relations firm or manufactures ethylene.
Consistent with 42 U.S.C. §5195c(e), the Act uses the critical infrastructure definition from Former President Obama’s 2013 Presidential Policy Directive 21, entitled “Critical Infrastructure Security and Resilience” (“PPD-21”). Therein, PPD-21 lists the same 16 critical infrastructure sectors used today, all of which refer to “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
According to Section 2242 of the Act, any time a “Covered Entity” experiences a vaguely defined “cyber incident,” the entity must report it to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and must report any ransomware payment to CISA within 24 hours.
The Covered Entity is also required to supplement its initial reports as new information about the incident is learned and to preserve as much data as possible. Third parties retained by covered entities to provide incident response assistance are further tasked with advising those entities on compliance with the Act. Failure to comply with the incident reporting requirements will result in civil lawsuits brought by the U.S. Attorney General.
Opinions on H.R. 2471 could accurately be described as “the good, the bad, and the ugly.” Beginning with positivity, the concept of mandatory reporting by critical infrastructure of cyber incidents and indicators of compromise addresses the critical need for real-time information sharing to combat cybersecurity threats. This bill forces substantial private sector investment into cyber hygiene to prevent government entities from performing cavity-searches. Furthermore, the Act attempts to carry over civilian protections previously found in the Cybersecurity Information Sharing Act of 2015, which preserves federal legal privileges and exempts incident reporting from public records act requests.
However, the Act is best described as a “False Start” by non-cybersecurity professionals meddling in a perceived “sexy” industry (too harsh?). Sadly though, there is not a five-yard penalty to reverse the error if the Act is signed into law as expected.
Although H.R. 2471 increases CISA’s budget to $1,992,527.00, the agency is not yet prepared to receive and react to the information supplied by critical infrastructure. Despite launching free cybersecurity tools and information campaigns, modernizing hiring practices, and offering competitive salaries, there are simply not enough people to conduct the work anticipated by the Act. What’s more, in September 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) doubled down on its threats to sanction entities that pay ransomware demands to parties on OFAC’s Specially Designated Nationals and Blocked Persons List or to countries subject to embargoes (Russia, Iran, Syria, etc.).
Combine mixed messaging, a lack of personnel to perform the Government’s obligations under the Act, and the poor definition of what constitutes a “covered cyber incident” that triggers reporting, and the Act is predictably going to result in the following events:
Increased costs of cyber insurance, which are already skyrocketing in the present threat climate;
Increased cyber attacks on critical infrastructure to drive up ransom demands (criminals love to use regulations against their victims to coerce them into knee-jerk payments);
Increased civil litigation (outside of the Department of Justice’s purview) within the cybersecurity commercial services and products community;
Inability to process, and potentially to protect, the information generated by the Act; and
A negative impact on the economic motivations for U.S.-based critical infrastructure assets to remain stateside.
For full transparency, the predicted effects of the Act can only be good for business for cybersecurity lawyers. However, akin to becoming an elementary school educator or veterinarian, this is not a business where financially motivated professionals hang out.