What is Cyber Incident Reporting for Critical Infrastructure Act of 2021?

By Charlie Moskowitz

Posted on Sep 28, 2021

On August 27, 2021, the US House Homeland Security Committee released a draft bill that would update the Homeland Security Act of 2002. This proposed bill seeks to establish a Cyber Incident Review Office and publish an interim rule that would outline procedures for reporting cybersecurity incidents. On Wednesday, September 2, 2021, the committee held a hearing titled, “Stakeholder Perspectives on the Cyber Incident Reporting for Critical Infrastructure Act of 2021.” SecurityScorecard supports the bill, but we hope that the committee will consider adding requirements for DHS to conduct non-intrusive continuous monitoring of critical infrastructure companies to help companies identify vulnerabilities before they are exploited.

What are the fundamental components of the Cyber Incident Reporting for Critical Infrastructure Act of 2021?

With cybercriminals targeting the critical infrastructure sector, the government must work together with the private sector to secure these vital industries. Without improved information sharing, an attack on one company can quickly cascade into an attack on an entire industry. Creating standardized reporting requirements and a set of processes overseen by a single agency office will help centralize information and ensure consistent responses to attacks.

Cyber Incident Review Office

The legislation creates, within the Department of Homeland Security, a new Cyber Incident Review Office (CIRO) that would:

  • Serve as the point of contact for all information about covered security incidents;
  • Share information across the targeted critical infrastructure sector and intelligence community;
  • Review the details of any covered cybersecurity incidents or set of incidents;
  • Review incident reports submitted by the victimized company to see what information can be anonymized and shared as part of coordinating responses;
  • Publish a quarterly report of anonymized findings and recommendations; and
  • Identify ways to use cybersecurity incident data to strengthen cybersecurity research.

Overview of Stakeholder Perspectives

As part of the hearing, several industry experts provided testimony to help inform additional refinements to the legislation. Several themes emerged from witness testimony:

1. Timing

Witnesses all generally agreed that companies would need some time to review potential incidents internally before drafting and submitting a report to the CIRO, arguing that the minimum threshold should be 72 hours, which would give organizations time to conduct their own internal investigation of the incident.

2. Information Sharing

In order to appropriately share information, the witnesses all discussed at least one of the following issues:

  • Protecting current relationships by maintaining the confidentiality of incident report information;
  • Permitting organizations to use existing mechanisms and industry-specific threat analysts;
  • Limiting reporting to the impacted entity and not expanding it to third-party service providers;
  • Maintaining the protections and definitions in the Cybersecurity and Information Sharing Act of 2015; and
  • Preventing information from being used to punish organizations for non-compliance.

3. Harmonization

Several witnesses pointed to the need to ensure that reporting requirements are harmonized with existing regulatory requirements to avoid duplication and additional burdens.

SecurityScorecard Supports Cyber Incident Reporting for Critical Infrastructure

SecurityScorecard strongly supports the Cyber Incident Reporting for Critical Infrastructure Act of 2021. We believe that incident reports submitted to the Cyber Incident Review Office can help organizations and federal government security agencies conduct data-driven analysis and develop insights that can inform future policy decisions.

SecurityScorecard also believes that the Department of Homeland Security (DHS) should take steps to support the cybersecurity efforts of critical infrastructure companies by working with them to identify and address vulnerabilities and reduce the likelihood of breaches. Specifically, we believe that if critical infrastructure companies are given tools that enable 360-degree continuous monitoring of their cyber hygiene, they can spot red flags before they become exploited vulnerabilities. All companies should have “inside-out” monitoring capabilities, and security ratings companies have already developed tools that give DHS and the companies themselves an outside-in, “hacker's-eye view” of their vulnerabilities as well.

Cyber risk scores, like SecurityScorecard’s security rating, can also help create a more cooperative and collaborative relationship with critical infrastructure companies. DHS can leverage these capabilities to help companies spot issues before they are exploited by threat actors, because these ratings provide outside-in, non-intrusive visibility of company vulnerabilities - the same information that threat actors often use to identify points of entry.

The committee should also consider requiring critical infrastructure companies to maintain a robust third-party risk management program. Nearly 60 percent of data breaches are linked to third-party vulnerabilities, so it is no longer sufficient for companies to maintain a high level of security on their own networks; they must have visibility into the security of their vendors and supply chain as well.

As the federal government and critical infrastructure entities work together to establish cyber-resilient programs, practices, and processes, they can use continuous monitoring capabilities to help create proactive strategies for mitigating cyber risk. Cyber scores are continuous monitoring tools that provide visibility at a company-specific level, encourage public-private collaboration, and reduce systemic risk across the board.
