The Department of Homeland Security started the clock on a report to Congress for streamlining requirements, amid industry dissatisfaction with the Cybersecurity and Infrastructure Security Agency’s pending reporting regime.
Homeland Security Department Secretary Alejandro Mayorkas has less than 180 days to provide Congress with recommendations for harmonizing cyber incident reporting requirements across the federal government, now that a new council—including officials from regulatory and law enforcement agencies—has met for the first time.
“The [Cyber Incident Reporting Council] will meaningfully improve cybersecurity, reduce burden on industry by advancing common standards for incident reporting and inform a report [to Congress] from the Secretary,” according to a readout DHS released on the meeting Monday.
The 180-day deadline was laid out in legislation that became law in March. It will ultimately require critical infrastructure entities to report details of qualifying cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours—36 hours in the case of ransomware—lest they be subpoenaed for the information, which could then be shared with regulators for an enforcement action.
The law gives CISA up to three and a half years from enactment to finalize specific rules for its implementation, including key factors such as which entities count as critical infrastructure and the threshold for reporting incidents. Such factors—and the window for reporting incidents—vary across federal agencies for federal contractors. And the Securities and Exchange Commission is among others proposing its own incident reporting rules, which would apply to publicly traded companies.
The SEC, FBI, Federal Communications Commission, Federal Trade Commission, the Office of the National Cyber Director, and departments of the Treasury, Defense, Justice, Agriculture, Commerce, Health and Human Services, Transportation and Energy are included on the council, according to the readout. In a tweet, DHS Undersecretary for Policy Rob Silvers said independent regulators were among more than 20 federal agencies at the meeting.
Administration officials at Treasury and Justice have promised to take proactive disclosures into consideration when determining civil penalties for potential sanctions violations that could result from paying a ransomware perpetrator and the misrepresentation of cybersecurity practices, respectively. And lawmakers touted the cyber incident reporting law for providing liability protections that would encourage companies to report their incidents without fear of the information being used against them in civil lawsuits. The law also bans the use of disclosures made to CISA—not under a subpoena—from being used for regulatory enforcement actions.
Policymakers reasoned that the incident reporting law would help CISA share information about active threats with the larger community, to prevent cascading impacts of an attack and protect potential victims. But according to a report the Atlantic Council released Tuesday with industry consultants, the private sector is still unsatisfied.
“To increase trust further,” one report contributor said, “law enforcement agencies themselves need to put ‘skin in the game’ … and show how they will be held accountable if the information provided is misused in some way.”