At a glance.
- More on new US cyberincident reporting measures.
- What the US appropriations bill means for cybersecurity.
- The cybersecurity challenges of the US water system.
- UK Kleptocracy Cell searches for Russian assets.
- Cooley’s take on Biden’s crypto executive order.
More on new US cyberincident reporting measures.
On Tuesday, US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 into law. The measure signals a shift from the industry-specific incident reporting rules of the past to a more comprehensive approach that will affect nearly every business in the country. As PwC notes, the law not only gives the federal government a better understanding of the cyber threats the nation faces, but it also incentivizes reporting by offering liability protection, privacy and civil liberties protections for covered entities that report an incident, and an exemption under the Freedom of Information Act to protect company secrets and attorney-client privilege. The Act directs covered entities to report covered cyber incidents to CISA within 72 hours and ransomware payments within 24 hours, but it leaves the definitions of "covered entity" and "covered cyber incident" to a CISA rulemaking that has yet to begin. As the Wall Street Journal explains, that leaves much open to interpretation: it is not yet clear exactly which companies will be covered, or what will be required of company and federal civilian agency security teams. Tech.co adds that the Federal Bureau of Investigation (FBI) has already expressed concern about not being included in the reporting chain. FBI Director Christopher Wray says, "What's needed is not a whole bunch of different reporting but real-time access by all the people who need to have it to the same report." Meanwhile, last week the Securities and Exchange Commission proposed new rules requiring public companies to disclose material cybersecurity incidents on Form 8-K within four business days of determining that an incident is material, and Cooley offers a breakdown of the information that must be reported and of how the proposal defines "cybersecurity incident," "cybersecurity threat" and "information systems."
Padraic O'Reilly, Co-Founder of cybersecurity risk management firm CyberSaint, offered his views on the timing of the legislation and the SEC's proposed rules:
"The timing of Biden signing the cyber reporting legislation and the two proposals from the SEC are interesting as the SEC is out in front of the wider issue of transparency vs. the Cyber Reporting Bill signed today focuses more on the nuts and bolts of reporting these attacks to DHS.
"The SEC is going to address several incidents that weren't reported correctly and showing tailwinds around where future cybersecurity legislation will be heading in terms of public disclosure of cyber posture.
"In terms of how critical infrastructure should be responding today to the signing, the Board of Directors, Legal Counsel and CISO should be meeting this morning to discuss what constitutes a reportable incident. In line with the SEC proposals, critical infrastructure should prioritize having some cybersecurity reporting in the governance structure with a cyber background or these entities will have to create a process within governance and define managing risk. Eventually, critical infrastructure will have to show how they are handling cyber generally in the organization. This all needs to be transparent to investors and key stakeholders, as well as the public."
Tim Erlin, VP of Strategy at Tripwire, also sees the timing as significant, and thinks organizations would do well to prepare for rapid disclosure:
“With the SEC, FDIC, and the US government all proposing or passing cybersecurity incident reporting requirements, there’s a clear trend and focus on the value of rapid disclosure. Tight timeframes for reporting incidents will drive increased visibility into incidents as they are occurring, but we should all be prepared for the inevitable disappointment in how little we know about an incident in the first 36, 48, or 72 hours. The emphasis on timely reporting should be coupled with requirements on completeness of investigations. If we want greater transparency into incidents, we need both faster and better reporting.”
What the US appropriations bill means for cybersecurity.
The US Congress passed an appropriations bill allocating $1.5 trillion in funding, and Nextgov.com offers a detailed breakdown of how much of that funding will go to IT and cybersecurity. Overall, the bill underscores the role IT plays in the success of the government's mission and recognizes the need to strengthen the chief information officer's authority within departmental management. Highlights include $84.8 million for the Department of Agriculture's Office of the Chief Information Officer (OCIO), $80 million toward enhanced cybersecurity at the Department of the Treasury, and $72 million for the Department of Energy's OCIO for cybersecurity and supply chain work.
The cybersecurity challenges of the US water system.
As part of the Biden administration's focus on the cybersecurity of critical infrastructure, the nation's water supply operators have been granted funding to better secure their systems against attack. Ilan Barda, CEO of operational technology security firm Radiflow, spoke with Digital Journal about how American water utilities are affected by these federal cybersecurity initiatives. "The Industrial Control Systems Cybersecurity Initiative – Water and Wastewater Sector Action Plan concentrates on high-impact activities that can be surged within 100 days to protect water resources by improving cybersecurity across the water sector," Barda explains. He notes that while the decentralized nature of the nation's water infrastructure gives individual communities more operational autonomy, it also leads to fragmented regulation and a lack of universal standards, leaving the water supply an easy target for cybercrime. "This is especially true at a time when these facilities are facing the need for remote access and operations to remain resilient during natural disasters and pandemics, beyond cyberattacks," Barda notes.
UK Kleptocracy Cell searches for Russian assets.
As the war between Russia and Ukraine rages on, the Mirror reports that the UK's new kleptocracy unit is working to hunt down and freeze Russian President Vladimir Putin's hidden assets. When Russia launched its invasion of Ukraine, UK Prime Minister Boris Johnson told the House of Commons that the new 'Kleptocracy Cell' would "target sanctions evasion and corrupt Russian assets hidden in the UK." The National Crime Agency will work with the intelligence services to identify any wealth Putin has stashed in the UK that he could use to circumvent the sanctions imposed by the West.
Cooley’s take on Biden’s crypto executive order.
Last week US President Joe Biden issued his long-awaited executive order on the US government's approach to cryptocurrency, and Cooley offers an overview of what the EO could mean. Experts have noted that while the EO makes clear that the Biden administration is prioritizing consolidation of the nation's currently fragmented regulatory framework, the order does not detail any specific regulatory changes. It reinforces initiatives already in place and emphasizes the importance of making the US a global leader in crypto innovation. While experts predict the EO is unlikely to lead to significant legislation that both houses of Congress would approve, the reporting requirements it outlines could prompt additional oversight from the congressional committees of jurisdiction.