Congress is contemplating a bill that would require companies to report successful cyber attacks to the federal government. It would enshrine in law many of the requirements in a Biden administration executive order that applies to federal agencies. For analysis, Faegre Drinker law firm attorneys Jane Blaney and Jason Weiss joined the Federal Drive with Tom Temin.
Tom Temin: Ms. Blaney, good to have you on.
Jane Blaney: Thank you so much. Glad to be here.
Tom Temin: And Jason G. Weiss. Mr. Weiss, good to have you on.
Jason G. Weiss: Thank you, sir. Pleasure to be here.
Tom Temin: So this proposal sounds like it would up the notch of information sharing between industry and government to be a really almost a panic type of situation. What’s your take on it, and what it would require of industry?
Jason G. Weiss: Yeah, thanks, Tom. That’s a great question. The federal government has finally realized they’ve got a serious problem on their hands when it comes to cyber intrusions and cyber attacks. And it’s great to see effort being made to try and standardize response capabilities and the ability to deal with these attacks. The problem is, like everything else, it’s the government. And you know, when you’re dealing with the government, you deal with levels of bureaucracy. They have a couple of different pieces of legislation that are in Congress right now. You’ve got the Cyber Incident Notification Act of 2021, still being debated throughout the Senate, which will bring some well-needed consistency, if passed to cyber reporting. The problem is right now, Tom, is that you have 50 states with 50 different laws dealing with how you report a cyber attack. And that makes it very difficult for people in the private industry, and especially the government, to deal with cyber reporting requirements. And one of the things that at least I think would be really needed is some federal guidance and leadership, as it were, in terms of dealing with cyber attack notifications.
Tom Temin: And Ms. Blaney, you’ve written — the two of you have written — extensively about this. There’s also the need maybe to clarify what is a major incident, because something could happen that to the government seems major, to a company seems like we can deal with this. And they could get in trouble maybe for not reporting what should have been reported.
Jane Blaney: Absolutely. Jason and I talked about this extensively, and that the definition of a major incident is a little bit ambiguous. Still, of course, there has been some guidance given, but when there is that ambiguity over what can be considered a major incident, and what is not a major incident, and then the repercussions of something falling within that definition, is that the reporting requirement is an hour. That’s a pretty significant repercussion of finding that you fall within that definition.
Jason G. Weiss: Well, here’s the problem as I see it. Having spent 22 years in the FBI dealing with cyber and forensic and other types of technical problems, it takes time to kind of separate the wheat from the chaff. And when you’re having all these different federal agencies report stuff within an hour, they’re going to report everything, because they’re going to want to make sure they’re within the confines of the requirement. So what’s going to happen is you’re going to run people to the ground chasing down ghosts, because you’re not, I don’t believe for a second that of the 100 one-hour requirements, maybe five or six will be legitimate cyber intrusions. But now we’ve got to take what are already limited resources and limited personnel and spread them out much thinner. It’s like trying to butter bread, but no, you don’t you don’t have enough butter. And it’s just not going to get there. And what I’m worried about additionally is you’re having two agencies, both CISA and OMB, who are going to be the agencies to report these incidents to, but they have no investigative wing. These folks, these agencies don’t investigate anything. So then they got to decide, are we going to send that to the FBI, are we gonna send that to Homeland Security? What rules, what guidelines, what procedures are they using in terms of how they deal with who’s going to investigate this stuff. And what happens in the federal government is it takes time, nothing moves that quickly. And the problem is, you’re going to have now you’ve just created a whole extra layer of bureaucracy, instead of reporting a cyber incident to the FBI directly where they can then pass it down to the appropriate field office in the appropriate investigative squad. You now have to take your your investigative marching orders from another agency, and there’s time loss, and it’s inefficient, and I think it’s going to be ineffective.
Tom Temin: We’re speaking with Jason G. Weiss and Jane Blaney. They are attorneys with the Faegre Drinker law firm. And what about the issue of if a company does report something, and they do their duty in reporting it, and then it’s up to the government? Is there anything in the proposed legislation that would protect them from, say, having the government toss the case over the transom, as it were, to the Federal Trade Commission, and they get in trouble on that front? Because they didn’t protect personal information or whatever the case might be in trying to do the right thing under this new proposed law?
Jason G. Weiss: The problem is we don’t know the final legislation, and we don’t know what it’s going to say. Right now, we have an executive order, we have the directives from the OMB in the new memorandum, but those don’t have force of federal legislation. I mean, what I think we need to wait and see is we have the defense policy spending bill that Jane and I wrote about in our blog, and we have the Cyber Notification Act, and they talk about a lot, but neither one of these bills have even moved into conference committee. So we don’t even know if they’re going to pass or what they’re going to say. But the problem is when you try and measure that versus what is required in the executive order —President Biden’s executive order — and what’s required in the new memorandum, I think it’s just causing a lot of confusion out there. And it’s going to cause more confusion, because agencies are going to try and comply with it, but they’re going to do what most federal agencies do: Well, if they want us to report, we’re going to report everything. And so there, you’re going to get people reporting every single port scan, every single thing that happens in their network, and that goes on 24/7 anyway. It’s not illegal to port scan. It’s not done a lot of times for ethical reasons, because you probably have bad guys out there, trying to try to sniff it out. But it’s not illegal. But they’re gonna report it, and we’re gonna have to investigate it, and you’re gonna have a bunch of very tired people.
Tom Temin: Alright, and they’ll need some phone banks, I guess, to handle all of this. And Jane, what would you advise companies that are big enough to have a lobbying effort to tell Congress about what they ought to be doing in this particular proposal?
Jane Blaney: You know, I would second what Jason said here is that, currently, what we’re seeing with the proposed bill is there’s a lot of confusion. And one of the biggest points of confusion is that something that, you know, would come about from this bill is definitions of things that we haven’t seen at a federal level yet. So some of those big things are definitions of what a covered entity is according to this legislation, what a covered incident is, and then reporting timelines under this particular bill. And so when large organizations aren’t sure if they’re going to become a covered entity, if they’re not sure what a covered incident even is, those are really big questions — big question marks — to have when it comes to trying to figure out how to prepare for this,
Tom Temin: Any definition of covered entity is likely to include federal contractors, which are already under a regime coming with the Cybersecurity Maturity Model Certification program, CMMC. Does this collide with cmmc? Does it complement it? Or what’s the relationship here?
Jason G. Weiss: The CMMC is really only directed right now to defense industrial base contractors and subcontractors through the Department of Defense. So it’s focused on it, and so there’s hundreds of thousands — probably 300,000-400,000 of those folks. But I gotta say, I love what they tried to do with that, because they put their own framework in place with different probe requirements and sutff. I think the thought there was great, and I think it’s not developed like they hoped it would. And it’s been delayed because of COVID and other problems. But I think eventually, you’re going to have to come up with these DIB contractors or subcontractors are going to have to use some kind of cybersecurity framework to be able to connect. And I think that’s a good thing. I don’t think this legislation replaces that; I think it’s more in addition to. The problem comes down, Tom, to — the FBI had a great expression, I love to use it — is the only safe network is a network with no users. And as long as you have users on a network, there’s going to be risk. And the problem is, I really hope before they finalize any legislation or even administrative requirements, that they really sit down and think about this from a practical reality standpoint. You will have so many people and so much money and so many pieces of the pie to go around. If you start having people chase down every reported incident to see if it’s a cyberattack. I’m not sure that’s, that’s viable or possible to do efficiently and effectively. And I think you minimize your response capability as a whole.
Jane Blaney: I wanted to actually raise one other point related to that, Tom, and related to your question in regard to contractors. Something else that has been, that was brought up in the memo and that we’re seeing touched on in the legislation is this idea of working towards more automation in incident reporting. And I think that for contractors, that’s something to really consider going forward. In the memo released, you know, early in December, one of the things they talked about was that CISA plans to release information about working towards more machine-readable data formatting, and providing some guidelines and structures on how to create this machine-readable data. And they plan to release that around April of 2022 is when the memo says. And what’s significant about that is that contractors will also need to pay attention to those guidelines in creating that machine-readable data. And the reason that they want that is because they’re working towards having real-time reporting of data incidents or cybersecurity incidents. So whether it’s you don’t directly work with the agencies or working with contractors, when we’re talking about data, that’s something for companies to consider, that’s something for their lobbyists to consider, is how close are they to be able to wrangle their data in that way? Can they do that? What does that look like? Is that feasible? So that’s something also to consider.
Tom Temin: All right. Lots of things have to gel here, I guess, before any of this becomes reality. Attorneys Jane Blaney and Jason G. Weiss are with the Faegre Drinker law firm. Thanks so much for joining me.
Jason G. Weiss: Thank you for having us.
Jane Blaney: Thanks so much, Tom.