White House Policy Gives Agencies 24 Hours to Report Attacks
Requires Agencies to Relay Consequential Incidents to National Security Council
A new memo issued by the U.S. National Security Council within the Biden White House requires critical cybersecurity agencies to relay cyber incidents rising to national security threats to the council within 24 hours. The move is reportedly an effort to get cybersecurity advisers close to the president to assess incidents targeting critical infrastructure.
The NSC's policy, which will incorporate federal agencies such as the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, and the Office of the Director of National Intelligence, tasks analysts with reporting incidents considered a major threat - including cyberespionage - within 24 hours, as first reported by CNN.
"The document … is a process and a common methodology to help the U.S. government speak with one voice - nothing more and nothing less," a U.S. official tells ISMG. "It gives the NSC the framework to make an initial assessment of whether a cyber incident rises to the level of a national security concern. In many incidents, that assessment will change with time."
This comes on the heels of broader incident reporting considerations at the congressional level - including for critical infrastructure providers and some private sector organizations. Last week, Congress nixed an incident reporting mandate from its must-pass, annual defense spending bill, which passed the Senate on Wednesday.
A consensus version of the reporting mandate would have found critical infrastructure owners and operators reporting cyberattacks within 72 hours of detection, and payments to ransomware gangs would have been reported within 24 hours (see: Cyber Incident Reporting Mandate Excluded From Final NDAA).
More Resources Required?
This new measure enacted by the NSC aims to determine whether additional resources may be needed to recover from a cyberattack, much like the May ransomware hit on Colonial Pipeline Co. In the wake of the attack, the company temporarily shut down its pipelines, spurring panic buying among consumers.
On the new policy, White House officials say findings relayed by the cyber agencies could prompt the creation of a working group within the NSC charged with remediating any economic fallout, according to CNN.
The NSC will reportedly adopt a color-coded system for reporting and incident severity, a system it first rolled out during the Obama administration.
Grant Schneider, a former federal CISO and currently senior director for cybersecurity services at the Washington, D.C.-based law firm Venable, tells ISMG that he has not seen a copy of the memo, but believes incidents representing a significant threat were already reported immediately.
“When I was at the White House, I felt that significant incidents [including] those with a potential impact on national security, were generally brought to our attention in a timely manner,” Schneider, who is an ISMG contributor, adds.
With regard to the memo, the unnamed U.S. official also tells ISMG: "Our process is not driven by one country or one incident, rather a commitment to have an efficient process that will protect the American people and our critical infrastructure."
Incident Reporting Saga
Despite a failure to get broader incident reporting requirements across the finish line via the 2022 National Defense Authorization Act, the measure continues to dominate cyber policy discussions within Congress. While Democrats placed initial blame for the NDAA shortcomings on GOP legislators for bumping the mandate at the eleventh hour, key congressional leaders hope to pass the provision separately, citing bipartisan support and a recent consensus on 72 hours for reporting.
Last week, Christopher Painter, the former coordinator for cybersecurity issues at the Department of State in both the Obama and Trump administrations, tweeted about the "disappointing" outcome: "This is long overdue and I had hoped the conversation had changed given Colonial Pipeline & other incidents. An unfortunate status of an untenable status quo."
Demand for Reporting Standards
Talks around reporting standards, particularly for the private sector, have been a cyclical process. On one hand, officials say the standards provide visibility and help them understand cybercrime patterns, including around ransomware. Conversely, adding reporting requirements - on a short timeline - is viewed by some in the private sector as burdensome, especially while security teams are still actively engaged in incident response.
For months now, government officials, private sector professionals and trade groups have gone back and forth about a reasonable time frame for reporting. While many in the private sector have called mandatory reporting onerous, individuals and organizations are nonetheless calling for some type of federal action.
For example, in a rule imposed by banking regulators in November, and set to take effect in April 2022, financial institutions will be required to report incidents within 36 hours of discovery.
Is the Policy Needed?
Other experts say they are puzzled by the new White House policy aimed at requiring federal cybersecurity agencies to actively report national security threats.
"The biggest takeaway from this requirement is: Why in the world does it need to be codified as a requirement in the first place? You would think anyone in the federal government would understand facing an attack with a national security threat means getting the three-letter agencies involved. If you require a policy for your IT executive staff to have common sense, you’ve already lost," says John Bambenek, principal threat hunter at the firm Netenrich.
"Clearly there would be no policy if agencies were universally doing this on their own."
When reached for comment on Tuesday, CISA declined to comment on the memo's specifics and directed ISMG to the NSC press office.
ISMG Staff Writer Dan Gunderman contributed to this report.