-proposed- Bipartisan Cyber Incident Reporting for Critical Infrastructure Act of 2021
Amending the Homeland Security Act of 2002 to establish a Cyber Incident Review Office within the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security
Cyber security isn’t a set-it-and-forget-it endeavor…
Those that know, just know. To be clear, this is an intensive article, and when possible I’ll include/embed links to documents/reports. After all, sharing is caring.
In the context of cyber security it is also a constant game of whack-a-mole. And once any quasi-decent hacker is inside your network, it is truly Game Over - Crash Overdrive (double entendre absolutely intended). This is especially pernicious when the cyber criminal(s) have likely spent months burrowed deep inside:
watching your network,
passively collecting data (such as credentials, keystrokes…),
mapping out your entire network, and
scoping out places to hide.
It does seem kind of shocking that there is no codified requirement mandating disclosure. If you are a publicly traded company, you are required to disclose; everyone else largely discloses voluntarily. This proposed legislation would rely less on voluntary disclosure and addresses the loophole that prevented interagency disclosure (some IT government contractors are prohibited from disclosing intrusion detection; it’s literally in the fine print of numerous Federal contracts). Before we delve deeper into the October 1, 2021 announcement, I do think it might be quasi-beneficial for you to reread this June article.
And then maybe reread this article too. Should you be inclined, you can read several previously published articles concerning our Nation’s cyber security, found here.
SEC Fun-Fact-Files:
…in February 2018 the SEC formally adopted the Commission Statement and Guidance on Public Company Cybersecurity Disclosures (SEC.gov), which requires publicly traded companies to disclose cyber-related breaches/attacks. See the SEC’s September 2017 press release, and also see the recent SEC enforcement action, which targeted eight firms:
The Cetera Entities include Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC;
the Cambridge entities include Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc.; and
KMS Financial Services Inc.
…for their failure to comply with the timely disclosure of cyber incidents, in violation of Rule 30(a) of Regulation S-P (also known as the Safeguards Rule), and for violations of Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients.
Cetera Entities, between November 2017 and June 2020:
…cloud-based email accounts of over 60 Cetera Entities' personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information (PII) of at least 4,388 customers and clients. In the course of its investigation, the SEC made the following findings:
None of the taken-over accounts were protected in a manner consistent with the Cetera Entities' policies.
The SEC's order also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications to the firms' clients that included misleading language, falsely portraying the notifications as having been issued much sooner after discovery of the incidents than they actually were.
Cambridge, between January 2018 and July 2021:
…cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the exposure of PII of at least 2,177 Cambridge customers and clients. The SEC's order finds:
… it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.
KMS Financial Services Inc., between September 2018 and December 2019:
During the SEC’s investigation it was determined that at least fifteen KMS financial adviser email accounts were accessed by unauthorized third parties, resulting in the exposure of customer records and information, including PII of approximately 4,900 KMS customers.
The aforementioned parties agreed to settle the charges levied by the SEC under its statutory authority to enforce mandatory reporting:
SEC Order, Cetera Entities: see pages 2 through 7
SEC Order, Cambridge: see pages 2 through 4
Without admitting or denying the SEC's findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty.
Cetera Entities will pay a $300,000 penalty,
Cambridge will pay a $250,000 penalty, and
KMS will pay a $200,000 penalty.
What is Critical Infrastructure, according to CISA:
Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, details the policies by which the federal government builds trusted partnerships and “advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.”
Pursuant to PPD-21, CISA identified the 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
Below are a few links/resources for the various critical infrastructure sectors:
Chemical Sector …designated as the Sector Risk Management Agency for the Chemical Sector. The Chemical Sector is an integral component of the U.S. economy that manufactures, stores, uses, and transports potentially dangerous chemicals upon which a wide range of other critical infrastructure sectors rely.
Securing these chemicals against growing and evolving threats requires vigilance from both the private and public sector.
Communications Sector …as an integral component of the U.S. economy, the communications sector underlies the operations of all businesses, public safety organizations, and government.
“…evolved from predominantly a provider of voice services into a diverse, competitive, and interconnected industry using terrestrial, satellite, and wireless transmission systems. The transmission of these services has become interconnected; satellite, wireless, and wireline providers depend on each other to carry and terminate their traffic and companies routinely share facilities and technology to ensure interoperability”
Dams Sector …designated as the Sector Risk Management Agency for the Dams Sector. The Dams Sector comprises dam projects, navigation locks, levees, hurricane barriers, mine tailings impoundments, and other similar water retention and/or control facilities.
…hydroelectric power generation, municipal and industrial water supplies, agricultural irrigation, sediment and flood control, river navigation for inland bulk shipping, industrial waste management, and recreation. Its key services support multiple critical infrastructure sectors and industries. Dams Sector assets irrigate at least 10% of U.S. cropland, help protect more than 43% of the U.S. population from flooding, and generate about 60% of electricity in the Pacific Northwest.
The U.S. energy infrastructure fuels the economy of the 21st century. The Department of Energy is the Sector Risk Management Agency for the Energy Sector.
…Presidential Policy Directive 21 identifies the Energy Sector as uniquely critical because it provides an “enabling function” across all critical infrastructure sectors. More than 80% of the country's energy infrastructure is owned by the private sector, supplying fuels to the transportation industry, electricity to households and businesses, and other sources of energy that are integral to growth and production across the nation.
Nuclear Reactors, Materials, and Waste Sector …designated as the Sector Risk Management Agency for the Nuclear Reactors, Materials, and Waste Sector.
From the power reactors that provide electricity to millions of Americans, to the medical isotopes used to treat cancer patients, the Nuclear Reactors, Materials, and Waste Sector covers most aspects of America’s civilian nuclear infrastructure. The Nuclear Sector Risk Management Agency within the Department of Homeland Security is responsible for coordinating the security and resilience of the Nuclear Sector.
Legislation: Cyber Incident Reporting for Critical Infrastructure Act
…the bipartisan legislation [1] would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to establish requirements and procedures for covered critical infrastructure owners and operators to report covered cybersecurity incidents to a new Cyber Incident Review Office, to be established within CISA. The Cyber Incident Reporting for Critical Infrastructure Act of 2021 matters because, beyond the recent SEC guidance, disclosure of cyber-related incidents is largely “voluntary”. Some critically important legislative language follows. The DHS Cybersecurity and Infrastructure Security Agency (CISA):
must establish requirements and procedures for critical infrastructure owners and operators to report covered cybersecurity incidents to a new Cyber Incident Review Office, to be established within CISA.
Creates a new Cyber Incident Review Office responsible for:
receiving, aggregating, analyzing, and securing cyber incident reports to understand adversary trends over time, publishing quarterly reports with anonymized findings, and
identifying any actionable threat intelligence that should be shared rapidly and confidentially with cyber ‘first responders’ to prevent or respond to other attacks.
Directs CISA, after a 270-day period with mandatory windows for stakeholder consultation and comment, to issue an interim final rule setting forth which CI owners and operators are subject to the reporting requirement,
which cyber incidents need to be reported,
the mechanism for submitting reports, and
other details necessary for implementation.
publish quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cybersecurity incident reports under subsection
The proposed legislation would also preserve “the integrity of CISA’s voluntary partnerships and programs by:
1) directing incident reports to a new Cyber Incident Review Office that is separate and distinct from CISA’s voluntary programs; and
2) providing CISA with multiple avenues to obtain information about the incident (instead of traditional regulatory tools such as fines and penalties) that graduate to subpoenaing the information, but only after exhausting other options to bring the entity into compliance.”
National Defense Authorization Act for Fiscal Year 2022 (H.R. 4350)
As noted, the National Defense Authorization Act for Fiscal Year 2022 (H.R. 4350) incorporated dozens of provisions which seek to bolster our Nation’s cyber defense(s)… also see Public Law 114–113; 6 U.S.C. § 1501. Importantly, each of the measures below passed through a bipartisan amendment. Legislation included:
Cyber Incident Reporting for Critical Infrastructure. Passed through a bipartisan amendment sponsored by Rep. Yvette D. Clarke (D-NY), Chairwoman of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee; Chairman Bennie G. Thompson (D-MS); Rep. John Katko (R-NY), Ranking Member of the Homeland Security Committee; and Rep. Andrew R. Garbarino (R-NY), Ranking Member of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee.
CISA’s CyberSentry Program. Passed through a bipartisan amendment sponsored by Reps. Clarke, Thompson, Katko, and Garbarino. This provision authorizes the DHS Cybersecurity and Infrastructure Security Agency’s (CISA) CyberSentry program. CyberSentry is a critical Industrial Control System (ICS) cybersecurity program that allows CISA to enter into strategic, voluntary partnerships with priority ICS owners and operators to provide enhanced cyber threat monitoring and detection.
Department of Homeland Security Measures:
Passed through a bipartisan amendment sponsored by Reps. Thompson and Katko. This provision is comprised of 19 House-passed legislative provisions to strengthen and improve DHS, research and development, cybersecurity, transportation security, and other matters. Legislation included:
H.R. 490 – the DHS MORALE Act, sponsored by Rep. Bennie G. Thompson (D-MS)
H.R. 370 – the Quadrennial Homeland Security Review Technical Corrections Act of 2021, sponsored by Rep. Bonnie Watson Coleman (D-NJ)
H.R. 367 – the Homeland Security Acquisition Professional Career Program Act, sponsored by Rep. Dina Titus (D-NV)
H.R. 1850 – the Supporting Research and Development for First Responders Act, sponsored by Rep. Kathleen M. Rice (D-NY)
H.R. 2795 – the DHS Blue Campaign Enhancement Act, sponsored by Rep. Peter Meijer (R-MI)
H.R. 408 – the Department of Homeland Security Mentor-Protégé Program Act of 2021, sponsored by Rep. A. Donald McEachin (D-VA)
H.R. 3263 – the DHS Medical Countermeasures Act, sponsored by Rep. Mariannette Miller-Meeks (R-IA)
H.R. 3264 – the Domains Critical to Homeland Security Act, sponsored by Rep. John Katko (R-NY)
H.R. 3138 – the State and Local Cybersecurity Improvement Act, sponsored by Rep. Yvette Clarke (D-NY)
H.R. 1833 – the DHS Industrial Control Systems Capabilities Enhancement Act of 2021, sponsored by Rep. John Katko (R-NY)
H.R. 2980 – the Cybersecurity Vulnerability Remediation Act, sponsored by Rep. Sheila Jackson Lee (D-TX)
H.R. 3223 – the CISA Cyber Exercise Act, sponsored by Rep. Elissa Slotkin (D-MI)
H.R. 1893 – the Transportation Security Preparedness Act of 2021, sponsored by Rep. Bonnie Watson Coleman (D-NJ)
H.R. 1895 – the Transportation Security Public Health Threat Preparedness Act of 2021, sponsored by Rep. Carlos A. Gimenez (R-FL)
H.R. 1877 – the Security Screening During COVID-19 Act, sponsored by Rep. Emanuel Cleaver (D-MO)
H.R. 473 – the Trusted Traveler Reconsideration and Restoration Act of 2021, sponsored by Rep. John Katko (R-NY)
H.R. 1870 – the Strengthening Local Transportation Security Capabilities Act of 2021, sponsored by Rep. Nannette Diaz Barragán (D-CA)
H.R. 396 – the Transit Security Grant Program Flexibility Act, sponsored by Rep. Andrew R. Garbarino (R-NY)
H.R. 1871 – the Transportation Security Transparency Improvement Act, sponsored by Rep. Dan Bishop (R-NC)
Other Resources:
Also on October 1, 2021, the Department of Energy’s (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) issued a press release announcing the DOE release of the CyOTE (Cybersecurity for the Operational Technology Environment) methodology.
The CyOTE methodology will enable electricity, oil, and natural gas companies to better identify malicious indicators by correlating anomalies in their operational environments (e.g., SCADA operations [2], alerts in relays, etc.) with cyber activity.
This methodology will help energy sector owners and operators identify, detect, and protect against cyber threats to OT networks. This CESER initiative was developed in partnership with Idaho National Laboratory (INL) with input from U.S. energy sector owners and operators. See the CyOTE methodology and read more about DOE’s CyOTE program.
And with that, I bid you adieu, because one of the contractors is scheduled to arrive in a few moments. And he’s going to try and convince me to replace all of the decking of our various decks. Apparently this past Spring’s widow’s peak project wasn’t enough… for the record, the prices on lumber have skyrocketed since Feb 2021, and I swear it might be cheaper to use gold leaf… I’m kidding, sort of…
[1] …the standalone legislation was also included as a bipartisan amendment to H.R. 4350, the National Defense Authorization Act for FY 2022, which passed the U.S. House of Representatives on September 23.
[2] SCADA: Supervisory control and data acquisition (SCADA) is a system of software and hardware elements that allows industrial organizations to:
Control industrial processes locally or at remote locations,
Monitor, gather, and process real-time data,
Directly interact with devices such as sensors, valves, pumps, motors, and more through human-machine interface (HMI) software, and
Record events into a log file.
See the DOE 2006 SCADA Test Bed introduction for managers and operators in the field: “To establish a National capability to support industry and government in addressing control system cyber security and vulnerabilities in the energy sector.”
Just WOW!!
Awesome. I'm guessing this will be going through the Congress Senate meat grinder, yes?👀
Thank you Files. A lot I don't understand, but it makes me feel like our government is taking care of business. I wish we could count on Congress and the Senate. I'm looking forward to midterm elections. We need a true majority in all three branches of government. The drama playing out right now is very uncomfortable. I believe nothing will pass in the Senate until we have a real majority. I hope Americans are paying attention. Everything is on the ballot in 2022.