As Russia continues to brazenly barrage Ukraine, cybersecurity has come to the forefront as one aspect of U.S. national security that is not fully prepared for the threats facing the United States. It should come as no surprise, then, that the U.S. Senate acted quickly to pass one of the most critical pieces of cybersecurity legislation since 9/11: the Strengthening American Cybersecurity Act (SACA). And Congress may be ready to include these provisions in the spending bill about to hit the floor. The act, which includes cyber incident reporting, Federal Information Security Management Act (FISMA) updates, and regulations on federal agencies’ purchases of cloud services, is a compilation of leftover to-do items that were not included in last year’s National Defense Authorization Act (NDAA).
On the whole, reception to the legislation has been positive, with 93 percent of cybersecurity experts approving, but there are still some constituencies with reservations. Concerns center around three issues: necessity of mandates, structure of reporting of cybersecurity incidents, and jurisdictional control within the federal government. Looking at each of these concerns, we can show why none should be a barrier to passing the SACA.
The changes proposed in the SACA are urgently needed, and it now seems clear that Congress is viewing these requirements through the lens of current cybersecurity needs and threats. Increased cyberattacks from Russia loom, ransomware continues to plague public and private entities, and a March 8 Mandiant report discovered that six state governments were hacked by China in May 2021.
The United States has recently made significant strides in breaking down barriers, organizing for success, and setting up smart, bounded requirements for the new era of threats. But these steps have not been enough. Clear, nationwide cyber incident reporting standards are the next structural pillar to enable the federal government and the private sector to identify threats, track patterns, and become more resilient against cyber threats.
But not everyone is on board. The first main critique of proposed cybersecurity requirements is that there are unanswered questions about whether mandates for standards and reporting are necessary. Should companies (and/or subsets of companies) be required through regulation or law to meet certain cybersecurity standards? And should they be required to report cybersecurity incidents to the government? Cyber incident reporting has faced an uphill battle from both industry and cybersecurity groups, as well as officials in both the Trump and Biden administrations.
Some argue that voluntary reporting is effective, whereas others question the appropriateness of regulation. However, the most fundamental building block of defending networks and systems is understanding the full threat picture, which is what incident reporting will accomplish. The Cybersecurity and Infrastructure Security Agency (CISA) has been building capacity for years through tools like binding operational directives (BODs) for federal agencies, some of which went into effect as early as 2018. Standards such as the National Institute of Standards and Technology (NIST) cybersecurity framework and regulations from the North American Electric Reliability Corporation (NERC), Federal Energy Regulatory Commission (FERC), and Securities and Exchange Commission (SEC) have improved cybersecurity standards and best practices for both federal agencies and the private sector. In the sectors that are the most regulated with the greatest amount of resources devoted to cybersecurity, such as financial services and energy, there is evidence of fewer incidents and breaches. In fact, on March 9, the SEC issued a notice of a proposed rule to require a four-day notification deadline for hacks for firms in the financial services sector.
The structure of reporting is another area that critics have attacked in the SACA. The questions of which companies must report, which incidents must be reported, and what timeframe incidents should be reported within (as well as the appropriate federal standards under FISMA) continue to crop up as reasons to tank the bill. While the merits of twenty-four-hour versus seventy-two-hour reporting were debated vigorously last year, at this point, any required reporting is better than none. Longer periods provide companies time to investigate incidents, analyze the extent of damage, and provide a fuller threat picture to government agencies. Shorter periods provide the government with the ability to send out alerts to the entire ecosystem, making it less likely that hackers have time to infect more systems. The spending bill includes the provision for seventy-two-hour reporting, but, either way, some requirement is necessary. Moreover, timing often isn’t really the problem. This discussion is commonly used as a guise for other concerns, such as the need for regulations in the first place or who holds authority to receive such information.
Jurisdictional control is perhaps the least important factor but is currently the issue receiving the most attention. In the federal government, a number of agencies could feasibly control cybersecurity regulations, rules, and laws. Over the past decade, the roles and responsibilities of federal agencies have been the fodder for extensive debate and agency tussles. Particular concerns from the Department of Justice (DOJ) and the Federal Bureau of Investigation (FBI) arose recently over the control of cyber incident reporting, disputing where each agency currently plays a role and what authority each agency believes they should hold. However, for the last decade, agency fights have left the private sector wondering “who’s on first.” After the establishment of the CISA in 2018, the government began to organize around the concept that CISA, rather than other agencies, would lead federal efforts on cybersecurity.
Mark Montgomery, the former executive director of the Cyberspace Solarium Commission, put it very succinctly: “the DOJ and FBI can’t seem to understand that we all benefit from CISA being the lead agency for collaboration and cooperation with the private sector. The FBI has an important role to play - it’s just not as the front door to the US government.”
And this is the main point of the SACA—to set the United States up for success, the government needs to be organized, have clear roles and responsibilities, and create an easy system through which they coordinate with the private sector to address cybersecurity incidents. Updating FISMA, requiring the reporting of all incidents—particularly through a single government agency—and streamlining other standards will do just that. And finally, it’s poised to happen.
While Russia is committing unprovoked atrocities across Ukraine, it is worth remembering that Russia’s cyber capabilities are dangerous, and both the European Union and the United States are two of Russia’s top targets. The cybersecurity standards and requirements laid out in the SACA are the tools we’ll need to build resilient defenses and enable the United States to fight back when those inevitable attacks come.
Tatyana Bolton is the policy director for the R Street Institute’s Cybersecurity and Emerging Threats program. She previously served as the senior policy director for the U.S. Cybersecurity Solarium Commission as well as the cyber policy lead in the Office of Strategy, Policy, and Plans at the Cybersecurity and Infrastructure Security Agency.