Philosophy of Cybersecurity Legislation – Part 3: Information Sharing

This is part of a continuing series on the Philosophy of
Cybersecurity Legislation. With all of the calls for improving cybersecurity
and the increasing sense that legislation is necessary, this series will try to
define the necessary parameters for effective cybersecurity legislation. The
earlier posts in the series were:

Part 1: What to Regulate

Part 2: How to Regulate

Crime to Breach 3C Systems

We will start the information sharing discussion from an
unusual angle: making it illegal to breach a critical cyber component (3C) of a
critical operation (CO) at a private sector critical infrastructure (PSCI)
facility, as those three terms were defined in the previous two posts. For a
definition of the term ‘breach’ we will use some sort of variation of the
revised 6 USC 659(a) definition of the term ‘incident’ that I proposed
in 2019.

Thus, when a covered PSCI discovers an indicator of compromise
as part of the monitoring-for-compromise process described in the previous
post in this series, they will report that occurrence to the FBI for criminal
investigation. They will be required to include in that initial report to the
FBI that they are a designated PSCI (inevitably with some sort of facility
identification number) and that the breach affected a 3C of a regulated CO at
the facility.

Breach Reporting Requirement

The reason for that notification is that the FBI would then
be required to report the incident to an established reporting agency at the Sector Specific Agency
(SSA) responsible for the regulation of 3Cs at that facility, as well as
providing that SSA with ongoing information about the progress of the
investigation. In order to not compromise the integrity of the investigation or
possible future criminal prosecutions for the breach, the FBI would only be
required to report the following information to the SSA:

• The date of the report of compromise,

• The facility reporting the compromise,

• The 3C components affected by the compromise, and

• The indicators of compromise on each of the affected components.

The SSA responsible for the cybersecurity regulation of the
facility would be expected to provide appropriate subject matter expert
assistance to the FBI throughout the investigation of the incident. Those
experts would be prohibited from sharing any information with the SSA beyond
that delineated above without the express consent of the FBI until the Director
of the FBI declared the investigation closed.

SSA Breach Information Sharing

The SSA would be responsible for reporting attack
information to the National Cybersecurity and Communications Integration Center
(NCCIC). Any information reported that contained the company name, facility
name, SSA identification, or the name of any of the persons involved in the
incident {facility identification information (FII)} would be protected as Protected
Critical Infrastructure Information (PCII).

As soon as an SSA received actionable indicators of
compromise (AIOC) the SSA would be required to report that information to NCCIC.
When reporting AIOC, the SSA would not include any FII in the reported
information. The AIOC would not be protected as PCII or any other sensitive but
unclassified data protection program. The NCCIC would be required to publicly
share AIOC and specifically send notice to each registered PSCI facility.

The reasons for using the FBI as a reporting cut-out in the
information reporting process are two-fold. First, since the SSA is acting as a
regulatory agent, there is an unintentional yet very real hindrance to
voluntary, timely reporting of security breaches. This criminal
reporting process disconnects the breach reporting process from that of
regulatory oversight. It also ensures that the initial investigation is done
with all of the requisite forensic and evidentiary safeguards necessary to
ensure that prosecution of the attackers (if/when identified and arrested) can
proceed with some semblance of surety that convictions can be made.

Similarly, the reasons for the use of NCCIC as the means of reporting AIOC
are two-fold. Again, it helps maintain the regulatory relationship between the
SSA and the covered facilities. More importantly, it ensures that information is
shared in a timely manner with PSCI that are not regulated by the immediately
affected SSA.

Reporting to Congress

The FBI would be required to periodically report to Congress
on all reported cybersecurity incidents at PSCI. Because the protection of PSCI
is a national security imperative, those reports to Congress would be
classified with unclassified summary data being included for the purposes of public
discussion and potential legislative action.

Each SSA would be responsible for periodically reporting to
Congress on the cybersecurity issues identified in reports from FBI investigations.
For each reported incident, the SSA would be required to inform Congress what
actions had been taken to ensure that other PSCI overseen by that SSA were not
affected by similar attacks.

In Part 4, I will look at vulnerability reporting as part of
this cybersecurity legislation.