Last updated at Thu, 30 Nov 2023 19:04:02 GMT

The US Congress is poised to pass the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Once signed by the President, it will become law. The law will require critical infrastructure owners and operators to report cyber incidents and ransomware payments. The legislation was developed in the wake of SolarWinds, and the recent conflict between Russia and Ukraine has added to its momentum. This post walks through highlights from the law.

Rapid7 supports efforts to increase transparency and information sharing in order to build awareness of the cybersecurity threat landscape and prepare for cyberattacks. We applaud the passage of the Cyber Incident Reporting for Critical Infrastructure Act.

What’s this law about?

The Cyber Incident Reporting for Critical Infrastructure Act will require critical infrastructure owners and operators (for example, water and energy utilities, healthcare organizations, some IT providers, and others) to submit reports on cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). The law will provide liability protections for submitting reports in order to encourage compliance, but noncompliance can result in a civil lawsuit. The law will also require the government to analyze, anonymize, and share information from the reports to provide agencies, Congress, companies, and the public with a better view of the cyber threat landscape.

An important note on timing: these requirements will not take effect until CISA issues a clarifying regulation. The law will require CISA to issue this regulation within 42 months (though CISA may take less time), so the requirements may not be imminent. In the meantime, the Act lays out the issues that CISA's future rule must address.

We detail these items from the law below.

Requiring reporting of cyber incidents and ransom payments

  • Report requirement. Critical infrastructure owners and operators must report significant cybersecurity incidents to CISA, as well as any ransom payments. (However, as described below, this requirement does not take effect until CISA issues its regulation.)
  • Type of incident. The types of cyber incidents that must be reported are to include attacks that actually compromise sensitive information and attacks that disrupt business or operations. Mere threats or failed attacks do not need to be reported.
  • Report timeline. For a cyber incident, the report must be submitted within 72 hours after the affected organization determines that the incident is significant enough to require reporting. For ransom payments, the report must be submitted within 24 hours after the payment is made.
  • Report contents. Reports must include a range of information, including the attacker's tactics and techniques. Information related to the incident must be preserved until the incident is fully resolved.
  • Enforcement. If an entity does not comply with the reporting requirements, CISA can issue a subpoena to compel the entity to provide the required information. The Department of Justice can bring a civil action to enforce the subpoena. An entity that does not comply with the subpoena may be found in contempt of court.

CISA rule to fill in details

  • Rule requirement. CISA is required to issue a regulation detailing the reporting requirements. The reporting requirements do not take effect until this regulation is finalized.
  • Rule timeline. CISA has up to 42 months to finalize the rule (but the agency can choose to take less time).
  • Rule contents. The rule will define the types of cyber incidents that must be reported, the types of critical infrastructure entities that must report, the content to be included in the reports, the mechanism for submitting the reports, and the details for preserving data related to the reports.

Protections for submitting reports

  • Not used for regulation. Reports submitted to CISA cannot be used to regulate the activities of the entity that submitted them.
  • Privileges preserved. Covered entities can designate reports as commercial and proprietary information. Submitting a report is not treated as a waiver of any privilege or legal protection.
  • No liability for submitting. No court may maintain a cause of action against any person or entity on the sole basis of submitting a report in compliance with this law.
  • Cannot be used as evidence. Reports, and material used to prepare the reports, cannot be used as evidence or in discovery in any federal or state court or regulatory proceeding.

What the government will do with the report information

  • Authorized purposes. The federal government may use information from the reports for cybersecurity purposes, for responding to safety or serious economic threats, and for preventing child exploitation.
  • Rapid response. For reports on ongoing threats, CISA must rapidly disseminate cyber threat indicators and defensive measures to stakeholders.
  • Information sharing. CISA must analyze the reports and share information with other federal agencies, Congress, private sector stakeholders, and the public. CISA's information sharing must include an assessment of the effectiveness of security controls, adversary tactics and techniques, and the national cyber threat landscape.

What’s Rapid7’s view of the law?

Rapid7 views the Cyber Incident Reporting for Critical Infrastructure Act as a positive step. Cybersecurity is essential to keeping critical infrastructure safe, and this law will give federal agencies deeper insight into attack trends and may help provide early warning of major vulnerabilities or ongoing attacks before they spread. The law takes care not to require reports too early in the incident response process, and it provides protections that encourage companies to be open and transparent in their reports.

Still, the Act does little to ensure that critical infrastructure has safeguards in place to prevent cyber incidents from occurring in the first place. The law is unlikely to change the fact that many critical infrastructure entities are under-resourced and, in some cases, have a security maturity that is not commensurate with the risks they face. The law's enforcement mechanism (potential contempt of court penalties) is not especially strong, and the final reporting rules may not be implemented for another 3.5 years. Ultimately, the law's effect may be similar to that of state breach notification laws, which raised awareness but did not drive broad adoption of security protections for personal information until states enacted data security laws.

So, the Cyber Incident Reporting for Critical Infrastructure Act is a necessary and beneficial improvement, but, as always, there is more to be done.
