
Critical industries hack reporting signed into law

Technology for Lawyers

Published: April 22, 2022

Critical industries will now have to report computer system hacks to CISA within three days of the security breach, following a new law signed as a part of the government’s recent $1.5 trillion spending package.
The new law, called the Cyber Incident Reporting for Critical Infrastructure Act of 2022, was a part of a proposed three-law package which included updating federal agency information security and updating cloud computing security rules. Those are still pending.
The bipartisan bill was passed overwhelmingly by the Senate. Its co-sponsors were Homeland Security Committee Chairman Gary Peters of Michigan and Ohio’s Rob Portman (by bipartisan, we mean, of course, cooperation between Michigan and Ohio). It is the most extensive set of cybersecurity requirements that the federal government has ever placed on the private sector.
Statements by both co-sponsors noted that the Russian attack on Ukraine and the U.S. response to that war potentially put the U.S. at greater risk for Russian cyberattacks on critical infrastructure.
Although Congress was overwhelmingly in favor of this bill, federal law enforcement was not so thrilled. In fact, Deputy Attorney General Lisa Monaco stated that the bill would make us “less safe” because law enforcement was not a part of the reporting or investigation process. FBI Director Christopher Wray said the bill had some “serious flaws.”
The White House, for its part, then both endorsed the new law and responded to the criticism.
CISA Director Jen Easterly said that any critical infrastructure hack reports would be shared “immediately” with the FBI, tweeting that “we have a terrific operational partnership w/our #FBI teammates & will continue to do so, to include always ensuring that cyber incident reporting received by @CISAgov is immediately shared with them.”
National Cyber Director Chris Inglis also endorsed the law.
National Security Council spokesperson Emily Horne stated, “The Administration supports final passage of Cyber Incident Reporting for Critical Infrastructure Act of 2022 and appreciates Congress’s bipartisan work to draft the legislation.” She also said that the agency was interested in any tweaks to the law that Justice might recommend.
But for now, at least, the three-day reporting requirement is in place.