Inside Cybersecurity


Industry info-sharing group raises concerns over Biden cyber EO requirements for incident reporting

By Sara Friedman / June 11, 2021

The Information Technology-Information Sharing and Analysis Center has convened a working group to review elements of President Biden’s cyber executive order around incident reporting, and has questions for the administration around the security and use of the information to be collected.

“The IT-ISAC appreciates the seriousness of the cyberthreat facing the United States and companies across the globe,” IT-ISAC executive director Scott Algeier said in a blog post on Thursday. “Our members are on the front lines defending the digital infrastructure that propels today’s global economy. IT-ISAC members and the customers they serve are attacked every day.”

Algeier said, “While recognizing mandatory reporting requirements will be limited to IT and OT providers who have contracts with U.S. Federal Government departments and agencies, the EO nonetheless creates a mandatory cyber reporting framework. This represents a significant shift from previous long-standing policy which had encouraged voluntary sharing. The implications for this shift are not yet fully understood.”

The IT-ISAC wants to get more details on the security, use and scope of the sensitive information that the government wants to obtain. Other concerns include mechanisms to protect shared information from public disclosure and what the penalties will be for non-compliance.

Algeier said, “Under current law, sensitive information voluntarily shared by industry with the U.S. Federal Government is protected from public disclosures under certain conditions. However, to receive this protection, information must be shared voluntarily. Information that a company is required to report is generally excluded from these protections. It is important to clarify whether information that a company is required to share under the EO be protected from public disclosure?”

On scope, Algeier said clarity is needed on how much information needs to be shared because “companies experience attacks every day” and “it is important to better define and scope these requirements so that they do not overwhelm agencies or industry with unnecessary reporting.”

“Will companies be required to report all attacks on their networks, even if they are routinely blocked? Will a company be required to report to the government confirmed or unconfirmed vulnerabilities that have no fix? Providing clarity on what constitutes a potential cyber incident will be extremely beneficial,” Algeier said.

The current process for “most cyber threat information sharing with DHS is through CISA,” which Algeier said “provides numerous efficiencies. Under the new model, however, companies would be required to share with all potentially impacted government agencies in addition to CISA.”

Algeier said, “This has the potential to be costly and burdensome to both industry and government. Most federal agencies, including CISA, are ill-prepared and lack resources to intake, process, and evaluate information that is shared with them. Resources (time, money, qualified people) are always constrained. The implementing regulations should consider this and account for both the economic cost of the reporting requirements as well as the potential that these costs divert funding from other security investments.”

The EO creates info-sharing requirements that are “one-way” from industry to government, Algeier said. “If government will impose a requirement that industry share incident information, which requires industry to re-allocate scarce resources for compliance-- then government has an obligation to share valuable information in return. The lack of guidance on how government will provide useful analytic products in return is concerning.”

One element of the EO is the authorization to create a Cybersecurity Safety Review Board following a significant incident that includes federal officials and representatives from the private sector. Algeier calls the provision “intriguing” and said “Identifying lessons learned and implementing corrective actions is a sound practice after any incident that responsible companies follow.”

Algeier said, “However, it is unclear as to what would trigger the activation of the NTSB-like review. Fortunately, catastrophic airline accidents are rare. However, cyber incidents occur on every network every day. It is important that this board only be activated for the most serious incidents with national level consequences.”

The IT-ISAC leader said, “In addition, unlike the traditional NTSB which has a slow, deliberative process, to be effective this cyber-Board must be fast and actionable. We also suggest the Board institute rules that protect confidential corporate information of companies who might be victims of the attack that is being investigated.” -- Sara Friedman (sfriedman@iwpnews.com)