Sunday, March 7, 2021

Philosophy of Cybersecurity Legislation – Part 3: Information Sharing

This is part of a continuing series on the Philosophy of Cybersecurity Legislation. With all of the calls for improving cybersecurity and the increasing sense that legislation is necessary this series will try to define the necessary parameters for effective cybersecurity legislation. The earlier posts in the series were:

Part 1: What to Regulate

Part 2: How to Regulate

Crime to Breach 3C Systems

We will start the information sharing discussion from an unusual angle, making it illegal to breach a critical cyber component (3C) of a critical operation (CO) at a private sector critical infrastructure (PSCI) facility as those three terms were defined in the previous two posts. For a definition of the term ‘breach’ we will use some sort of variation of the revised 6 USC 659(a) definition of the term ‘incident’ that I proposed in 2019.

Thus, when a covered PSCI discovers an indicator of compromise as part of their monitoring for compromise process described in the previous post in this series, they will report that occurrence to the FBI for criminal investigation. They will be required to include in that initial report to the FBI that they are a designated PSCI (inevitably with some sort of facility identification number) and that the breach affected a 3C of a regulated CO at the facility.

Breach Reporting Requirement

The reason for that notification is that the FBI would then be required to report the incident to an established reporting agency at the Sector Specific Agency (SSA) responsible for the regulation of 3Cs at that facility, as well as providing that SSA with ongoing information about the progress of the investigation. In order to not compromise the integrity of the investigation or possible future criminal prosecutions for the breach the FBI would only be required to report the following information to the SSA:

• The date of the report of compromise,

• The facility reporting the compromise,

• The 3C components affected by the compromise, and

• The indicators of compromise on each of the affected components.

The SSA responsible for the cybersecurity regulation of the facility would be expected to provide appropriate subject matter expert assistance to the FBI throughout the investigation of the incident. Those experts would be prohibited from sharing any information with the SSA beyond that delineated above without the express consent of the FBI until the Director of the FBI declared the investigation closed.

SSA Breach Information Sharing

The SSA would be responsible for reporting attack information to the National Cybersecurity and Communications Integration Center (NCCIC). Any information reported that contained the company name, facility name, SSA identification, or the name of any of the persons involved in the incident {facility identification information (FII)} would be protected as Protected Critical Infrastructure Information (PCII).

As soon as an SSA received actionable indicators of compromise (AIOC) the SSA would be required to report that information to NCCIC. When reporting AIOC, the SAA would not include any FII in the reported information. The AIOC would not be protected as PCII or any other sensitive but unclassified data protection program. The NCCIC would be required to publicly share AIOC and specifically send notice to each registered PSCI facility.

The reasons for using the FBI as a reporting cut-out in the information reporting process is two-fold. First, since the SAA is acting as a regulatory agent, there is an unintentional yet very real hinderance to voluntary reporting of timely reporting of security breaches. This criminal reporting process disconnects the breach reporting process from that of regulatory oversight. It also ensures that the initial investigation is done with all of the requisite forensic and evidentiary safeguards necessary to ensure that prosecution of the attackers (if/when identified and arrested) can proceed with some semblance of surety that convictions can be made.

Similarly, the use of NCCIC as the means of reporting AIOC is two-fold. Again, it helps maintain the regulatory relationship between the SAA and the covered facilities. More importantly, it ensures that information is shared in a timely manner with PSCI that are not regulated by the immediately affected SAA.

Reporting to Congress

The FBI would be required to periodically report to Congress on all reported cybersecurity incidents at PSCI. Because the protection of PSCI is a national security imperative, those reports to Congress would be classified with unclassified summary data being included for the purposes of public discussion and potential legislative action.

Each SSA would be responsible for periodically reporting to Congress on the cybersecurity issues identified in reports from FBI investigations. For each reported incident, the SAA would be required to inform Congress what actions had been taken to ensure that other PSCI overseen by that SAA were not affected by similar attacks.

In Part 4, I will look at vulnerability reporting as part of this cybersecurity legislation.

No comments:

/* Use this with templates/template-twocol.html */