Imagine you are a corporate CEO. Your chief information security officer tells you that malicious cyber actors—possibly from China—are inside the company’s networks. Whom must you notify? The answer is complicated.
- If the breach involves your customers’ personally identifiable information (PII), you may be required by 50 different state laws to notify the affected individuals.
- If your company is publicly traded, you face vague requirements from the Securities and Exchange Commission (SEC). Under SEC guidance issued in 2011, public companies must file a notice regarding “material” cybersecurity risks and incidents. In 2018, the SEC attempted to explain that materiality turns on the “nature, extent, and potential magnitude” of cybersecurity risks and incidents, but it also acknowledged that “‘no single fact or occurrence’ is determinative as to materiality, which requires an inherently fact-specific inquiry.”
- On top of those requirements, if your company operates in certain industries—including finance and energy—you must notify your federal regulator of the breach.
- If the breach involved personal health records, you must notify the Federal Trade Commission, the individuals whose records were affected, and the media.
- Even in the absence of a statutory requirement to do so, law enforcement should also be notified. Otherwise, you may find yourself facing federal charges as Uber Technologies’ former Chief Security Officer and Deputy General Counsel Joe Sullivan did. The charges against Sullivan related to his failure to report a 2016 data breach to federal investigators—without any allegation that Sullivan provided false testimony or that federal investigators even asked him about the breach.
Underreporting of Cyber Breaches
These overlapping and vague requirements, combined with the natural disinclination of companies to share bad news with markets and the public, have led to the significant underreporting of cyber breaches. According to one study, only 37 percent of cybersecurity breaches involving Russell 3000 companies between 2011 and 2017 were disclosed in SEC filings. Companies may also be reluctant to share information related to a cyber breach with federal regulators for fear of enforcement penalties.
Chronic underreporting of cyber breaches leads to several problems. For example:
- Without information from the private sector, the federal government is poorly positioned to provide meaningful assistance, either to the company that suffered the breach or to other potential victims. Experts have long recognized that, to be effective, this sharing must occur broadly and rapidly: Companies will be able to address common vulnerabilities only if they can patch their networks faster than attacks can exploit them.
- When foreign adversaries like China or Russia are responsible for malicious cyber activity, underreporting threatens foreign policy interests. The U.S. government can deter future attacks only if it learns of past attacks in a timely fashion.
- Policymakers cannot make informed decisions about cybersecurity risks without access to accurate data on the breadth and severity of the threat.
Even when a company reports a cyber breach, information-sharing restrictions within the government frequently lead to delays and stovepipes. Take, for instance, the recent ransomware attack against Colonial Pipeline, which disrupted nearly half of the East Coast’s fuel supplies. Colonial notified the Federal Bureau of Investigation (FBI), but five days after the attack, the federal entity responsible for critical infrastructure security—the Cybersecurity and Infrastructure Security Agency (CISA) within the Department of Homeland Security (DHS)—had not received technical information on the hack.
Law enforcement agencies like the FBI are a natural starting point for a company that suffers a breach, but the FBI’s primary focus is investigating crimes, not identifying and addressing cybersecurity vulnerabilities. If other pipelines were susceptible to the same ransomware attack that Colonial suffered, it might have been days before they received the information from the federal government that would allow them to close the vulnerability. Additionally, restrictions on sharing information collected through a law enforcement investigation limit the ability of other government agencies to act on information that is reported solely to the FBI.
Congress should cut through the regulatory thicket by requiring that companies report significant cyber breaches to the federal government without fear of punishment. These reports should be minimized and anonymized to protect privacy and civil liberties and shared widely within the government in real time.
Clarifying Companies’ Reporting Obligations
Federal legislation will be needed to clarify companies’ reporting obligations and help the government to limit the damage from breaches. On May 12, 2021, President Joseph Biden signed an executive order recommending that the Federal Acquisition Regulation (FAR) Council consider updating the FAR to require that information technology and operational technology service providers that contract with the federal government report cybersecurity incidents related to their work with the government. The executive order is a good first step, but it fails to cover most U.S. companies, including many companies in critical sectors of the U.S. economy. The recent ransomware attack against Colonial Pipeline, for example, did not involve a federal contractor. Similarly, North Korea’s 2014 hack of Sony Pictures had significant consequences for U.S. cybersecurity and foreign policy, and the 2013 breach of Target’s point-of-sale systems compromised the credit card information of tens of millions of Americans. Neither breach involved a federal contractor. Without additional legislative authority, President Biden’s executive action will not be sufficient.
Similarly, the bipartisan recommendations of the 2020 Cyberspace Solarium Commission provide a commendable starting point for legislative proposals. The commission offered two legislative proposals, one focused on breaches of PII, the second on incident reporting for critical infrastructure. A disclosure requirement for breaches of PII would help to preempt the patchwork of state data notification laws and clarify companies’ reporting obligations, but like the Biden Administration’s possible executive order, it does not go far enough. Standing alone, the proposal would do little to stop hacks of systems that do not handle customers’ personal data. Many high-profile cyber breaches involve PII, but some of the incidents with the greatest possibility of causing catastrophic harm—like attacks against industrial control systems—do not. For instance, no PII was at issue either in the April 2020 cyberattack that, according to press reports, nearly disrupted the control systems of Israeli water treatment plants or in the recent ransomware attack against Colonial Pipeline’s networks.
The commission’s proposed reporting requirement for critical infrastructure—a broad category that includes hotels, shopping malls, and health care—is sufficiently broad in scope. Under it, the Secretary of Homeland Security, in consultation with the heads of certain sector-specific agencies (for example, the Secretary of Energy for the energy sector), must craft criteria to identify what kind of companies must report cyber incidents, what type of incidents those companies must report, and how the companies should report incidents to the federal government. In drafting these criteria, DHS should be careful to impose the smallest possible burden on the private sector by focusing on which critical infrastructure sectors and what kinds of cybersecurity incidents merit disclosure; reporting will become useless if companies report trillions of spear-phishing emails. Incident reports would be provided to CISA, which could then share the reports with other federal departments and agencies for certain purposes, including for identifying the source of the malicious activity and taking action to defend against the threat.
What Congress Should Do
Congress should go further to ensure that cyber incident reports can be used to stop future attacks before they occur. Specifically:
Any legislation should require that information is shared within the federal government in a real-time, automated fashion. A report on a hack of power plants or water treatment facilities that arrives at CISA on a Friday evening should not wait until Monday morning to be shared with experts at the National Security Agency (NSA) and FBI who may be able to spot additional victims of the attack and advise them on how to mitigate the harm.
CISA’s Automated Indicator Sharing (AIS) system, which was authorized by the Cybersecurity Act of 2015, already enables the sharing of machine-readable cyber threat indicators, and any legislation should build on that work and establish a process in which incident reports are submitted to the government confidentially but in real time. Legislation should also mirror the Cybersecurity Act’s framework by requiring companies to remove extraneous personal information before they share reports with CISA, protecting companies’ proprietary and privileged information, and exempting reports from federal and state open records laws. Additionally, as long as information is used for an appropriate purpose—which should include identifying and preventing cybersecurity threats—there should be no restrictions on which agencies of the U.S. government can receive reports from CISA.
Legislation should require that DHS’s procedures include mandatory reporting of hardware compromises and industrial control systems, not just hacks of companies’ information networks. Adversaries can manipulate the supply chain for a particular product to add malicious components, or they can introduce components into a victim’s network to gain access. A company that discovers a malicious chip on a server’s motherboard or falls victim to a ransomware attack on industrial control systems for critical infrastructure should be subject to the same disclosure requirements that apply to one that discovers malware on its networks.
Legislation should not penalize companies for reporting cyber incidents. The commission’s proposal prohibits private-sector reports from serving as the basis for regulation of a company, including enforcement action. Legislation should go further and eliminate existing sector-specific requirements to report breaches to regulatory agencies. For example, legislation should eliminate the Federal Energy Regulatory Commission’s mandate for electric power companies to report breaches, as well as its vague requirement to report attempted breaches, and obviate the need for financial services companies to notify their regulators of breaches. A company that is victimized by a hack should not be required to report both to its regulators and to DHS; rather, it should file one report with DHS, which can then provide the information to all appropriate federal agencies, including regulatory agencies.
Given recent data breach class action cases, legislation should also ensure that companies are not subject to additional tort liability for reports that they make in good faith under DHS procedures. The underlying cybersecurity incident may still expose a company to liability—after all, the filing of a report should not be an excuse for negligence—but a company should not have to fear that a report to CISA would constitute evidence that the underlying cybersecurity incident resulted in material harm to the company or its customers.
The fact of a cybersecurity incident should also not be evidence that the company failed to take reasonable precautions to defend itself against cyberattacks. Even the best-prepared company will have trouble defending itself against a sophisticated nation-state adversary. To this end, companies’ reports to CISA should also be protected from disclosure in any future civil litigation. Only strong incentives to report will lead companies to disclose key information about a cybersecurity incident to the government quickly enough for it to be useful.
Finally, like the Cybersecurity Act of 2015, any legislation should require independent reviews of the effectiveness of a disclosure mandate, as well as a sunset date to force Congress to evaluate whether the benefits of mandatory disclosure continue to outweigh the compliance cost for the private sector.
A federal requirement to disclose cybersecurity incidents will be only a first step toward the improvement of cybersecurity defense. Cybersecurity is a complex problem that will require creative thinking, significant resources, and stronger partnership between the public and private sectors in the years ahead. Congress can start down that path and help to clarify the private sector’s responsibilities by enacting a single federal disclosure requirement, eliminating confusing and overlapping regulatory requirements, and providing incentives for companies to report hacks when there is still time for the government to help.
Michael Ellis is Visiting Fellow for Technology and Law in the Edwin Meese III Center for Legal and Judicial Studies, of the Institute for Constitutional Government, at The Heritage Foundation.