SEC, CISA push dueling cyberattack incident reporting rules
As the chief information security officer of a large, publicly traded tech company, Drew Simonis has been keeping a close eye on the SEC’s proposed rules to require reporting of major cyberattacks.
Simonis, who works at Juniper Networks, has some serious concerns shared by many executives in U.S. private industry. Some of the proposed cyber incident reporting rules seem like they’d be counterproductive to the goal of creating transparency, and would likely just increase confusion for corporate shareholders, he said. Overall, by requiring public disclosure of major cyber incidents within four business days, the approach seems to lack a basic understanding of the “fluid nature of security events,” Simonis said.
“Often, you just don’t know within four days what the real facts are,” he said. As written, the proposed SEC rules essentially require companies to “make very important decisions with very little information.”
Meanwhile, another federal agency — which has its own set of cyber incident reporting regulations in the works, separate from the SEC’s — has been carrying itself much differently, according to Simonis and numerous others in the security community. The Cybersecurity and Infrastructure Security Agency has brought a welcome change in approach compared to the way most federal agencies have engaged with companies around security issues in the past, security professionals told Protocol.
As a result, when comparing the two major federal efforts that are currently seeking to ramp up cyber incident reporting in the U.S., the difference between the approaches taken by CISA and the SEC becomes clear.
Security executives believe the efforts of CISA director Jen Easterly and the rest of the agency’s leadership team have helped bring the public-private cybersecurity partnership to an all-time high in the U.S.
With the CISA-led rule-making process now set to kick off around cyber incident reporting for critical infrastructure providers, however, the strength of that partnership could be put to the test.
Improving threat tracking
Information sharing is pivotal in the cybersecurity space given the fast-changing nature of threats. The amount of data a security team has about the latest attacker tactics can make or break its defense strategy, and that information also helps government agencies decide how to respond.
Until now, CISA has had very little regulatory authority. Under the leadership of original director Chris Krebs, and now Easterly, much of the emphasis has been on getting government and industry more comfortable working together, but on a voluntary basis.
While there are signs those efforts have been helping increase the amount and speed of information sharing, it hasn’t been nearly enough. The government is still hearing about only a “tiny fraction” of the ransomware breaches and other cyberattacks that are hitting businesses, which weakens threat-tracking efforts, a CISA official reportedly said in June.
That’s what the forthcoming regulations seek to address. The Cyber Incident Reporting for Critical Infrastructure Act was passed by Congress and signed by President Biden in March. It paves the way for mandatory reporting of major cyber incidents by companies in 16 critical infrastructure sectors within 72 hours.
Ransomware payments made by covered companies would need to be reported within 24 hours. Crucially though, unlike in the SEC proposal, details on cyberattacks disclosed to CISA would be anonymized before any public disclosure.
It’ll be up to CISA to hammer out the specifics, such as which types of incidents would qualify for reporting.
Despite the goodwill that CISA has generated within the cybersecurity industry, companies will still have questions and concerns that need to be answered, said Marc Rogers, executive director of cybersecurity at Okta.
“You’ve got all these challenges around, ‘How much do I want to share? What is risky for me to share? Is there a chance that a competitor could find out about this? Is there a chance that this could cause further brand damage or loss of confidence in us?'” Rogers said.
Those challenges will need to be overcome, and “the only way that that’s going to happen is with an extended rule-making period where both parties sit down and talk,” he said. Proposed rules are not due until March 2024, with the final regulations due by September 2025.
With the rule-making process just getting underway, critical infrastructure providers that would be subject to the regulations appear to be in “wait-and-see mode,” said Ben Miller, vice president of services at industrial cybersecurity vendor Dragos. Still, he said, it’s obvious that there hasn’t been a major outcry against the idea either.
The same can’t be said about the SEC proposal. Released in March — just days before Biden signed the critical infrastructure reporting act — the SEC rules have gotten a mixed reception, according to public comments filed with the SEC.
While the opposition isn’t unanimous, “I’ve seen plenty of calls for [the SEC’s] whole proposal to simply be set on fire and never discussed again,” said Harley Geiger, senior director of public policy at cybersecurity vendor Rapid7.
In late June, a coalition of 34 industry groups signed a letter to the SEC sharply criticizing the proposed incident reporting rules, saying the proposal “runs counter to sound cybersecurity policies and practices” because it could equip attackers with data that could be used against companies and law enforcement.
“Many in the business community strongly believe that the Commission’s proposal should not be finalized in its current form,” the groups — which include the Chamber of Commerce, the American Gas Association and USTelecom — wrote in the letter. Other groups that have separately filed critical comments with the SEC include the National Retail Federation and the National Association of Manufacturers.
Within tech, groups including the Information Technology Industry Council — which counts many of the largest tech companies as members — and the Internet Security Alliance each filed detailed criticisms of the proposed SEC rules. Both groups said the SEC proposal would lead to highly problematic public disclosure of vulnerability details prior to those vulnerabilities being fixed, which would only heighten cybersecurity risks for everyone. The proposed SEC regulations “will likely assist attackers more than investors,” the Internet Security Alliance wrote.
Sen. Rob Portman wrote in comments submitted to the SEC that the agency should reconsider or “revise substantially” its proposal. Congress has intended the Critical Infrastructure Act to be “the primary mechanism for companies to report cyber incidents,” Portman, who co-authored the act, wrote.
The SEC did not respond to a request for comment.
Groups that have expressed support for the SEC proposal include Principles for Responsible Investment and Better Markets, the latter of which wrote to the SEC that its proposed rules “will better inform investors of the cybersecurity risks posed to companies.”
[Photo caption: The SEC’s rules differ from CISA’s. Photo: Al Drago/Bloomberg via Getty Images]
A bipartisan group of seven senators — Mark Warner, Ron Wyden, Jack Reed, Catherine Cortez Masto, Kevin Cramer, Angus King and Susan Collins — also expressed support. Among the benefits of the SEC proposal is that it provides “powerful incentives for public companies to bolster cybersecurity,” the senators wrote.
The proposed regulations are now listed as being in the “final rule stage,” and while the SEC declined to comment on the status of the rules, the agency’s website indicates that “final action” on the proposal will be taken by April 2023.
A compromise between the supporters and opponents of the SEC proposal might be possible: one in which companies are still required to report major cyber incidents, but the reports are not disclosed publicly until the issues have been mitigated, Rapid7’s Geiger said. “But I’m not confident that’s going to occur because so much of the dialogue has been black or white: full transparency, or not having the [requirements] at all,” he said.
Besides the SEC and CISA, nearly two dozen other federal agencies have their own proposed or finalized requirements around the reporting of cyber incidents, according to a tally by R Street. Plus, new ones keep surfacing at the federal level, while many U.S. states have breach-reporting requirements as well.
“I think that the government would even admit that there are a lot of challenges around the patchwork of cyber incident reporting requirements that are being imposed on industry,” said Bill Wright, senior director for North American government affairs at Splunk, and former staff director for the Senate homeland security committee.
Indeed, Congress has taken notice. The March critical infrastructure bill also created a new council under the Department of Homeland Security, which is charged with harmonizing the different incident reporting requirements at the federal level. The Cyber Incident Reporting Council had its first meeting in late July.
The council includes a member from the SEC, as well as representatives from the FBI and numerous other federal agencies and departments. DHS is also the parent agency of CISA.
CISA’s leadership has also called this harmonization effort a top priority. It’s “incumbent upon us to work out an agreement with [those] other federal agencies so that information would flow from them to CISA,” said Brandon Wales, the agency’s executive director, during a recent webinar.
On the whole, CISA is focused on “not overly burdening the private sector” around incident reporting, Easterly said during a panel at the RSA Conference in June. The agency wants to avoid making things worse for businesses “when they’re trying to deal with an incident under duress,” she said.
The Easterly effect
Appointed as director of CISA just over a year ago, Easterly has won praise from many in the cybersecurity community for her efforts to engage. Along with speaking on two panels at RSA, Easterly spent time on the show floor, chatting with visitors at the CISA booth and handing out autographed Rubik’s cubes.
Easterly came to the role from a background in both the government and private sector. Prior to CISA, she ran Morgan Stanley’s cyber threat response center. In the Obama administration, she held roles at the NSA and National Security Council, including as senior director for counterterrorism.
Cybersecurity executives say that the launch of the Joint Cyber Defense Collaborative shortly after the start of Easterly’s tenure has been instrumental in improving relations between the public and private sectors. The group brings together 21 major cybersecurity vendors with the FBI, NSA, DOJ, DOD and other federal agencies.
The trust has grown as the JCDC participants have spent more time with each other, said Splunk’s Wright. “And along with the trust, I think that you move a little closer, you do a little bit more.”
Easterly has done an “amazing” job at expanding the information sharing from the government to the private sector, said William MacMillan, a senior vice president at Salesforce and formerly the CISO for the CIA.
“There’s a really broad recognition nowadays that the government has really helped close that gap,” MacMillan said. “They’re clearing information [for distribution] that’s actionable and useful.”
For instance, with the disclosure of the critical Log4Shell vulnerability in December 2021, CISA rapidly distributed practical information for defenders, said Wendi Whitmore, senior vice president in Palo Alto Networks’ Unit 42 organization.
In her two decades in the field, “I haven’t seen this level of information sharing before between public and private partners,” said Whitmore, who is also a member of the Cyber Safety Review Board.
Still, looking ahead, CISA will “have to walk a tough line” as the agency transitions from just being a partner with private industry into being a regulator of it, said Dragos’ Miller, who previously served as associate director at electricity regulator NERC.
Finding the balance
Wales, the CISA executive director, said in a statement provided to Protocol that the agency will focus on striking the right balance while implementing the legislation. “We will balance the need for information to be shared quickly, letting victims respond to an attack without imposing onerous requirements, and getting accurate information that enables CISA to protect the broader cyber ecosystem,” he said.
The agency plans to issue a public request for information and host a series of “listening sessions” later this year to solicit feedback from industry, Wales said in the statement.
Among the concerns, at least for the security community, is that the incident reporting regulations may not be finalized for another three years.
Given how quickly things change in the world of cybersecurity — and the fact that better visibility on cyber threats is needed as soon as possible — “that is a really long time frame,” said Chris Hallenbeck, CISO for the Americas at cybersecurity vendor Tanium. CISA might want to explore shortening that timeline, since the security payoff could be significant, said Hallenbeck, formerly the chief of operations for the U.S. Computer Emergency Readiness Team.
Tim Eades, CEO of cybersecurity vendor vArmour, said the lengthy time frame also raises the risk that changes in leadership in Congress or the White House could throw a wrench into the incident reporting initiative. To help reduce that risk, he suggested, CISA could look at rolling out the requirements gradually, in stages.
This would also help ensure that critical infrastructure providers are aligned and going in the right direction, Eades said.
Not that he, or anyone else in the security industry who spoke to Protocol, doubts that CISA will ultimately do a solid job implementing the regulations.
“We’ve heard this a lot from the government over the years: ‘How can we collaborate better?’ That’s been a pretty consistent theme,” said Juniper Networks’ Simonis, who’s had a two-decade career in information security. But “CISA seems to be able to bring that collaborative spirit to life in a way that other agencies didn’t quite accomplish.”