Last updated Tuesday, 20 June 2023, 20:15:58 GMT

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a bipartisan initiative that empowers CISA to require cyber incident reporting from critical infrastructure owners and operators. Rapid7 broadly supports CIRCIA and cyber incident reporting, but we also encourage regulators to ensure reporting rules are streamlined and do not impose unnecessary burdens on companies that are actively recovering from cyber intrusions.

Although a landmark legislative change, CIRCIA is just one highly visible example of a broader trend. Incident reporting has emerged as a predominant cybersecurity regulatory strategy across government. Numerous federal and state agencies are implementing their own cyber incident reporting requirements under their respective rulemaking authorities, such as the SEC, FTC, the Federal Reserve, OCC, NCUA, NERC, TSA, NYDFS, and others. Several such requirements are already in US law, and at least three more may take effect in the coming year.

The trend is not limited to the US. Several international governing bodies have proposed similar cyber incident reporting rules, such as the European Union’s (EU) NIS-2 Directive.

Raising the bar for security transparency through incident reporting is a productive step in a positive direction. Incident reporting requirements can help government manage sectoral risk, encourage the private sector to improve its cyber hygiene, and strengthen the remediation and prevention of intrusions. However, the rapid embrace of this new legal paradigm may have created too much of a good thing, and the emerging regulatory environment risks becoming unmanageable.

Current state

Cyber incident reporting rules that enforce overlapping or contradictory requirements can impose undue compliance burdens on organizations that are actively responding to cyberattacks. To illustrate the problem, consider a hypothetical company we will call Energy1. Energy1 is a US-based, publicly traded utility that owns and operates energy generation plants, electrical transmission systems, and natural gas distribution lines. If Energy1 suffers a major cyberattack, it may be required to file the following reports:

  • Within one hour, provide to NERC – under NERC CIP rules – a report with preliminary details about the incident and its functional impact on operations.
  • Within 24 hours, provide to TSA – under the pipeline security directive – a report fully describing the incident, its functional impact on business operations, and the details of remediation steps.
  • Within 72 hours, provide to CISA – under CIRCIA – a full description of the incident, details of remediation steps, and threat intelligence that may identify the perpetrators.
  • Within 96 hours, provide to the SEC – under the SEC’s proposed rule – a full description of the incident and its impact, including whether customer data was compromised.

In our hypothetical scenario, Energy1 may need to rapidly compile the necessary information to comply with each different reporting rule or statute while simultaneously balancing the urgent need to remediate and recover from the cyber intrusion. Furthermore, if Energy1 also operates in non-US markets, it may be subject to several more reporting requirements, such as the EU’s draft NIS-2 Directive or the CERT-In rule in India. Many of these regulations would also require subsequent status updates after the initial report.

The example above demonstrates the complexity of the emerging patchwork of incident reporting requirements. Legal compliance in this new environment creates a number of challenges for the private sector and the government. For example:

  • Redundant requirements: Unnecessarily duplicative compliance requirements imposed in the wake of a cyber incident can draw critical resources away from incident remediation, potentially resulting in lower-quality data being submitted in reports.
  • Public vs. private disclosure: Most reports are held privately by regulators, but the SEC’s proposed rule would require companies to file public reports within 96 hours of determining that an incident is significant. Public disclosure before the incident is contained or mitigated may expose the affected company to further risk of cyberattack. In addition, premature public reporting of incidents prior to mitigation may not provide an accurate reflection of the affected company’s cyber incident response capabilities.
  • Inconsistent requirements: Agency rules do not define reportable incidents consistently. For example, the SEC requires reporting of cyber incidents that are “material” to a reasonable investor, while NERC requires reporting of nearly all cyber incidents, including failed attempts at network intrusion. The lack of a uniform definition of reportability adds another layer of complexity to the compliance process.
  • Process inconsistencies: As the Energy1 example shows, every incident reporting rule and proposed rule has a different deadline. In addition, each rule and proposed rule has different required reporting formats and methods of submission. These process inconsistencies add friction to the compliance process.

Recommendations

The key issues outlined above may be addressed by the Cyber Incident Reporting Council (CIRC), an interagency working group led by the Department of Homeland Security (DHS). This Council was established under CIRCIA and is tasked with harmonizing existing incident reporting requirements into a more unified regulatory regime. A readout of the Council’s first meeting, convened on July 25, stated CIRC’s intent to “reduce [the] burden on industry by advancing common standards for incident reporting.”

In addition to DHS, CIRC includes representatives from departments across the government, including the Departments of Justice, Commerce, Treasury, and Energy, among others. It is not yet clear from the Council’s initial meeting how exactly CIRC will reshape cyber incident reporting regulations, or whether such changes will be achievable through executive action or whether new legislation will be needed. The Council is expected to publish a report with recommendations by the end of 2022.

Rapid7 urges CIRC to consider several harmonization strategies intended to streamline compliance while maintaining the benefits of cyber incident reporting, such as:

  • Unified process: When practically possible, develop a single intake point for all incident reporting submissions with a universal format accepted by multiple agencies. This would help eliminate the need for organizations to submit several reports to different agencies with different formats and on different timetables.
  • Deconflicted requirements: Reach a more unified definition of what constitutes a reportable cyber incident, and build toward more consistent reporting requirements that satisfy the needs of multiple agency rules.
  • Public disclosure delay: Releasing incident reports publicly before affected organizations have time to contain the breach may put the security of the company and its customers at unnecessary risk. Requirements that involve public disclosure, such as the rules proposed by the SEC and the FTC, should consider delaying and coordinating the timing of disclosure with the affected company.

Some agencies in the Federal government are already designing incident reporting rules with harmonization in mind. The Federal Reserve, FDIC, and OCC, rather than drafting three separate rules for each agency, designed a single universal incident reporting requirement for all three agencies. The rule requires only one report be submitted to whichever of the three agencies is the affected company’s “primary regulator.” Sharing of the report among the agencies is handled internally, relieving companies of the burden of submitting multiple reports to multiple agencies. Rapid7 supports this approach and would encourage the CIRC to pursue a similarly streamlined strategy in its harmonization efforts where possible.

Striking the right balance

Rapid7 supports the growing adoption of cyber incident reporting. Greater cybersecurity transparency between government and industry can deliver considerable benefits. However, unnecessarily overlapping or contradictory reporting requirements may cause harm by detracting from the critical work of incident response and recovery. We encourage regulators to streamline and simplify the process in order to capture the full benefits of incident reporting without exposing organizations to unnecessary burden or risk in the process.
