Posted on Sep 28, 2021
On August 27, 2021, the US House Homeland Security Committee released a draft bill that would update the Homeland Security Act of 2002. The proposed bill seeks to establish a Cyber Incident Review Office and to publish an interim rule outlining procedures for reporting cybersecurity incidents. On Wednesday, September 2, 2021, the committee held a hearing titled “Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021.” SecurityScorecard supports the bill, but we hope the committee will consider adding a requirement for DHS to conduct non-intrusive continuous monitoring of critical infrastructure companies, helping them identify vulnerabilities before those vulnerabilities are exploited.
With cybercriminals targeting the critical infrastructure sector, the government must work together with the private sector to secure these vital industries. Without improved information sharing, an attack on one company can quickly cascade into an attack on an entire industry. Creating standardized reporting requirements and a set of processes overseen by a single agency office will help centralize information and ensure consistent responses to attacks.
The legislation creates, within the Department of Homeland Security, a new Cyber Incident Review Office (CIRO) that would:
As part of the hearing, several industry experts provided testimony to help inform additional refinements to the legislation. Several themes emerged from witness testimony:
Witnesses all generally agreed that companies would need some time to review potential incidents internally before drafting and submitting a report to the CIRO, arguing that a minimum threshold should be 72 hours, which would give organizations time to conduct their own internal investigation of the incident.
In order to appropriately share information, the witnesses all discussed at least one of the following issues:
Several witnesses pointed to the need for ensuring that reporting requirements must be harmonized within currently existing regulatory requirements to avoid duplication and additional burdens.
SecurityScorecard strongly supports the Cyber Incident Reporting for Critical Infrastructure Act of 2021. We believe that incident reports submitted to the Cyber Incident Review Office can help organizations and federal government security agencies conduct data-driven analysis and develop insights that can inform future policy decisions.
SecurityScorecard also believes that the Department of Homeland Security (DHS) should take steps to support the cybersecurity efforts of critical infrastructure companies by working with them to identify and address vulnerabilities and reduce the likelihood of breaches. Specifically, we believe that if critical infrastructure companies are given tools that enable 360-degree continuous monitoring of their cyber hygiene, they can spot red flags before those red flags become exploited vulnerabilities. All companies should have “inside-out” monitoring capabilities, and security ratings companies have already developed tools that give DHS and the companies themselves an outside-in, “hacker’s-eye view” of their vulnerabilities as well.
Cyber risk scores, like SecurityScorecard’s security rating, can also help create a more cooperative and collaborative relationship with critical infrastructure companies. DHS can leverage these capabilities to help companies spot issues before threat actors exploit them, because these ratings provide outside-in, non-intrusive visibility into a company’s vulnerabilities: the same information that threat actors often use to identify points of entry.
The committee should also consider requiring critical infrastructure companies to maintain a robust third-party risk management program. Nearly 60 percent of data breaches are linked to third-party vulnerabilities, so it is no longer sufficient for companies to maintain a high level of security of their own networks; they must have visibility into the security of their vendors and supply chain as well.
As the federal government and critical infrastructure entities work together to establish cyber-resilient programs, practices, and processes, they can use continuous monitoring capabilities to help create proactive strategies for mitigating cyber risk. Cyber scores are continuous monitoring tools that provide visibility at a company-specific level, encourage public-private collaboration, and reduce systemic risk across the board.