The New US Cybersecurity Act & What it Means

If you face a major cyber attack or pay ransom to attackers, you may have to report it to the Cybersecurity and Infrastructure Security Agency (CISA) within a certain timeframe under the new cybersecurity law . 

The Strengthening American Cybersecurity Act of 2022, which became law in March 2022, imposes strict reporting obligations on critical infrastructure owners/operators: Entities operating and/or owning critical infrastructure have to notify the CISA of the ransomware payment within 24 hours and of the major cyber incidents within 72 hours. 

Who is covered by the new requirements? When and how are cyber incidents reported under the new law? Keep reading to find out more. 

What is Strengthening American Cybersecurity Act of 2022?  

Although the new requirements on incident-reporting makes the headlines, the new cyber security law is composed of three separate regulations: 

1. The Cyber Incident Reporting for Critical Infrastructure Act of 2022: This regulation imposes on critical infrastructure operators the obligation to notify the CISA of “covered cyber incidents” and “ransom payments” within a certain timeframe. 
2. The Federal Information Security Modernization Act of 2022: This regulation contains requirements on federal information security management and on reporting of cyber attacks and how these attacks will be remedied  
3. The Federal Secure Cloud Improvement and Jobs Act of 2022: This regulation deals with the security requirements for the use of cloud products. 

What Entities Are Covered in the Cybersecurity Act?

Under the new law, the CISA will have the power to decide what types of entities will be subject to the new incident-reporting requirements. 

While the CISA is provided with wide discretion, the law requires the CISA to consider the following three factors when determining the “covered entities”: 

• How would national security, public safety, and public health be affected if an entity’s operations are disrupted or compromised
• What is the likelihood that a malicious actor, such as a foreign country may target the entity?
• “the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.” 

Considering that these criteria refer to “national security”, “public safety” and also to the possibility of being targeted by foreign state actors, the 16 critical infrastructure sectors defined by the Presidential Directive 21 will likely be declared as “covered entity”. 

These sectors include, but are not limited to: 

• Defense Industrial Base 
• Emergency Services 
• Energy 
• Financial Services 
• Healthcare and Public Health 

While it is reasonable to expect that these sectors will be defined as “covered entities,” the CISA will likely go further and determine additional sectors as falling under the new law. 

What Incidents Should Be Reported 

Under the Act, there are two categories of attacks that needs to be reported: 

Cyber incidents

The Act does not require all incidents to be reported to the CISA and provides CISA with the power to determine the criteria and threshold for cyber incidents to be covered by the Cybersecurity Act. 

However, the Act lists three types of high-impact cyber incidents that is covered by the Act.  For example, incidents that involves “unauthorized access or disruption of business or industrial operations” due to a “compromise of a cloud service provider, managed service provider, or other third-party data hosting provider or by a supply chain compromise” must be reported under the Act. 

A recent example of such a cyber attack is the SolarWinds attack. After Russia-backed hackers inserted a malicious code into the SolarWinds’ network monitoring software, they gained access to thousands of companies’ networks, including electricity, oil and manufacturing companies. 

Ransom payments

“Ransomware Attacks” are defined broadly under the Act: Use or threatened use of all techniques aimed at hindering an entity’s information processing operations falls under the definition of “ransomware attack”. Alongside the traditional ransomware technique, encryption of data, the following types of mechanisms are also subject to the Cybersecurity Act: 

• Distributed denial of service attacks 
• Insertion of malicious code. 

When to Report the Incidents?  

The Act sets out two different deadlines for the reporting of incidents:

1. Incidents falling under the “ransom attack” category must be reported to the CISA within 24 hours after the entity operating/owning the critical infrastructure makes a ransom payment.
2. “Covered entity” must report cyber incidents within 72 hours after it “reasonably believes that the covered cyber incident has occurred” 

Criticisms Against the Law

Though the new law is welcomed by many in light of the growing numbers of cyber attacks targeting critical infrastructure and the rising geopolitical tension in Eastern Europe, it is also criticized for not addressing a few critical issues: 

• No reporting to the FBI: The Department of Justice publicly opposed the new law for not requiring “covered entities” to report the incidents to the FBI. Some agree that direct notification of incidents to the FBI would enable the FBI to provide support to affected entities promptly and warn the other potential vulnerable entities against the risks. 
• DNS: Another criticism directed at the new Act is that DNS information is not included in the reporting requirements. Some argue that DNS information is critical to law enforcement agencies and investigations and it would make it easier for the law enforcement to carry out investigations and determine the origin of the attacks. 

What Should “Covered Entities” Do?

Monitor new developments 

It is far from certain what entities will be covered by the new reporting requirements, what the contents of the report will include or what types of incidents will fall under the applicability of the new Cybersecurity Act. The CISA will have the power to issue directives in these critical issues and organizations should closely monitor new directives and opinions issued by the CISA. 

Establish and Implement an Incident-Response Plan 

Given that the new Act sets 24-hour and 72-hour notification requirements and defines the minimum content the reporting must include, organizations must put in place a robust incident response plan.