Last updated Tuesday, June 20, 2023, 20:15:58 GMT

In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), a bipartisan initiative that empowers CISA to require cyber incident reporting from critical infrastructure owners and operators. Rapid7 broadly supports CIRCIA and cyber incident reporting, but we also encourage regulators to ensure reporting rules are streamlined and do not impose unnecessary burdens on companies that are actively recovering from cyber intrusions.

Although a landmark legislative change, CIRCIA is just one highly visible example of a broader trend. Incident reporting has emerged as a predominant cybersecurity regulatory strategy across government. Numerous federal and state agencies are implementing their own cyber incident reporting requirements under their respective rulemaking authorities, such as the SEC, FTC, Federal Reserve, OCC, NCUA, NERC, TSA, NYDFS, and others. Several such requirements are already in U.S. law, and at least three more may take effect within the next year.

This trend is not limited to the United States. Several international governing bodies have proposed similar cyber incident reporting rules, such as the European Union (EU) NIS-2 Directive.

Raising the bar for security transparency through incident reporting is a productive step in a positive direction. Incident reporting requirements can help government manage sector risk, encourage the private sector to improve its cyber hygiene, and strengthen intrusion remediation and prevention capabilities. However, the rapid embrace of this new legal paradigm may have created too much of a good thing, and the emerging regulatory environment risks becoming unmanageable.

The current state

Cyber incident reporting rules that enforce overlapping or contradictory requirements can impose undue compliance burdens on organizations that are actively responding to cyberattacks. To illustrate the problem, consider a hypothetical company we will call Energy1. Energy1 is a U.S.-based, publicly traded utility that owns and operates energy generation plants, electricity transmission systems, and natural gas transmission pipelines. If Energy1 suffered a major cyberattack, it could be required to submit the following reports:

  • Within 1 hour, to NERC, under the NERC CIP rules: a report with preliminary details about the incident and its functional impact on operations.
  • Within 24 hours, to TSA, under the Pipeline Security Directive: a report fully describing the incident, its functional impact on business operations, and details of remediation steps.
  • Within 72 hours, to CISA, under CIRCIA: a full description of the incident, details of remediation steps, and threat intelligence that may identify the perpetrators.
  • Within 96 hours, to the SEC, under the SEC's proposed rule: a full description of the incident and its impact, including whether customer data was compromised.

In our hypothetical scenario, Energy1 may need to rapidly compile the necessary information to comply with each different reporting rule or statute, while simultaneously balancing the urgent need to remediate and recover from the cyber intrusion. Moreover, if Energy1 also operated in non-U.S. markets, it could be subject to several more reporting requirements, such as the EU's draft NIS-2 Directive or the rules in India. Many of these regulations would also require subsequent status updates after the initial report.

The example above demonstrates the complexity of the emerging patchwork of incident reporting requirements. Legal compliance in this new environment creates a number of challenges for the private sector and the government. For example:

  • Redundant requirements: Unnecessarily duplicative compliance requirements imposed in the wake of a cyber incident can draw critical resources away from incident remediation, potentially resulting in lower-quality data being submitted in reports.
  • Public vs. private disclosure: Most reports are held privately by regulators, but the SEC's proposed rule would require companies to file public reports within 96 hours of determining that an incident is significant. Public disclosure before the incident is contained or mitigated may expose the affected company to further risk of cyberattack. In addition, premature public reporting of incidents prior to mitigation may not provide an accurate reflection of the affected company's cyber incident response capabilities.
  • Inconsistent requirements: Agency rules do not define reportable content consistently. For example, the SEC requires reporting of cyber incidents that are "material" to a reasonable investor, while NERC requires reporting of nearly all cyber incidents, including failed intrusion attempts. The lack of a uniform definition of reportability adds another layer of complexity to the compliance process.
  • Inconsistent processes: As the Energy1 example shows, the incident reporting rules and proposed rules all have different deadlines. In addition, each rule and proposed rule has different required reporting formats and methods of submission. These process inconsistencies add friction to the compliance process.

Recommendations

The key issues outlined above may be addressed by the Cyber Incident Reporting Council (CIRC), an interagency working group led by the Department of Homeland Security (DHS). The Council was established under CIRCIA and is tasked with harmonizing existing incident reporting requirements into a more unified regulatory regime. A readout of the Council's first meeting, held on July 25, stated CIRC's intent to "reduce [the] burden on industry by advancing common standards for incident reporting."

Beyond DHS, CIRC includes representatives from across the government, including the Departments of Justice, Commerce, Treasury, and Energy, among others. It is not yet clear from the Council's initial meeting how exactly CIRC will reshape cyber incident reporting regulations, or whether such changes will be achievable through executive action or whether new legislation will be needed. The Council is expected to release a report with recommendations by the end of 2022.

Rapid7 urges CIRC to consider several harmonization strategies intended to streamline compliance while maintaining the benefits of cyber incident reporting, such as:

  • Unified process: Where possible, develop a single intake point for all incident reporting submissions with a universal format accepted by multiple agencies. This would help eliminate the need for organizations to submit several reports to different agencies with different formats and on different timetables.
  • Deconflicted requirements: Reach a more uniform definition of what constitutes a reportable cyber incident, and build toward more consistent reporting requirements that satisfy the needs of multiple agency rules.
  • Delayed public disclosure: Releasing incident reports publicly before affected organizations have time to contain the breach may put the security of the company and its customers at unnecessary risk. Requirements involving public disclosure, such as the rules proposed by the SEC and the FTC, should consider delaying and coordinating the timing of disclosure with the affected company.

Some agencies in the Federal government are already designing incident reporting rules with harmonization in mind. The Federal Reserve, FDIC, and OCC, rather than crafting three separate rules, one per agency, designed a single universal incident reporting requirement covering all three agencies. The rule requires only one report to be submitted, to whichever of the three agencies is the affected company's "primary regulator." Sharing of reports between the agencies is handled internally, relieving companies of the burden of submitting multiple reports to multiple agencies. Rapid7 supports this approach and would encourage the CIRC to pursue a similarly streamlined strategy in its harmonization efforts where possible.

Maintaining balance

Rapid7 supports the growing adoption of cyber incident reporting. Greater cybersecurity transparency between government and industry can deliver considerable benefits. However, unnecessarily overlapping or contradictory reporting requirements may cause harm by detracting from the critical work of incident response and recovery. We encourage regulators to streamline and simplify the process in order to capture the full benefits of incident reporting without exposing organizations to unnecessary burden or risk in the process.
