Tuesday, September 7, 2021

Review - Cyber Incident Reporting – Lessons from CFATS

With all the talk on Capitol Hill about cybersecurity incident reporting, perhaps Congress ought to take a look at the Chemical Facility Anti-Terrorism Standards (CFATS) program. That program has had a mandatory requirement for reporting ‘significant cyber events’ since 2009. Lessons learned from that program may provide valuable insight into how a cyber event reporting program should be crafted.

Over the years the CFATS program has been one of the most cooperative regulatory programs around. DHS and industry organizations have worked together to make the program successful and individual facilities have worked with chemical security inspectors to ensure that their facilities are in compliance with the regulations. In short, if mandatory reporting requirements are going to be effective, this is the program where we would expect them to be most effective.

The recent change in the reporting guidance from CISA would seem to indicate that they are questioning the efficacy of the existing CFATS reporting requirements. CISA is removing some of the ambiguity that would allow facilities an excuse to not report cyber incidents. While only time will tell if this change does actually increase the reporting rate, I do not expect that it will. Industry has little reason to expect that a minor cyber incident will ever come to the attention of the government, so why should it be reported and expose the company to the potential attention of federal cyber investigators? And reporting a major attack that has not yet come to the attention of the public (and investors) would seem to be self-defeating.

Any cyber reporting mandate from Congress has to take these realities into account. Congress needs to learn the rule I was taught as a young Sergeant: never give an order you know will not be obeyed. It makes you look stupid and undermines your authority.

For more detailed discussion about the background of the CFATS program and how it impacts the less than effective cyber incident reporting requirement, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/cyber-incident-reporting - subscription required.
