Last updated Thursday, March 10, 2022, 21:00:19 GMT

The U.S. Congress is poised to pass the Cyber Incident Reporting for Critical Infrastructure Act of 2022. Once the President signs it, it will become law. The law will require critical infrastructure owners and operators to report cyber incidents and ransomware payments. The legislation was drafted in the wake of the SolarWinds supply chain attack and recently gained additional momentum from the Russia-Ukraine conflict. This post covers the main points of the law.

Rapid7 supports efforts to increase transparency and information sharing in order to strengthen awareness of the cybersecurity threat landscape and prepare for cyberattacks. We applaud passage of the Cyber Incident Reporting for Critical Infrastructure Act.

What is the law about?

The Cyber Incident Reporting for Critical Infrastructure Act will require critical infrastructure owners and operators — such as water and energy utilities, health care organizations, some IT providers, etc. — to submit reports to the Cybersecurity and Infrastructure Security Agency (CISA) for cybersecurity incidents and ransomware payments. The law will provide liability protections for submitting reports to encourage compliance, but failure to comply may result in a civil lawsuit. The law will also require the government to analyze, anonymize, and share information from the reports so that agencies, Congress, companies, and the public have a better understanding of cyber threats.

An important note about the timeline: the requirements do not take effect until CISA issues a clarifying regulation. The law will require CISA to issue this regulation within 42 months (though CISA may take less time), so the requirements may not be imminent. In the meantime, the Cyber Incident Reporting for Critical Infrastructure Act provides information on what CISA's future rule must address.

We detail these provisions from the law below.

Requirement to report cyber incidents and ransom payments

  • Reporting requirement. Critical infrastructure owners and operators must report substantial cybersecurity incidents to CISA, as well as all ransom payments. (However, as noted below, this requirement does not come into effect until CISA issues a regulation.)
  • Incident types. The types of cyber incidents that must be reported shall include actual breaches of sensitive information and attacks that disrupt business or operations. Mere threats or failed attacks need not be reported.
  • Timing of reports. For cyber incidents, reports must be submitted within 72 hours after the affected organization determines the incident is substantial enough that it must be reported. For ransom payments, reports must be submitted within 24 hours after the payment is made.
  • Report contents. The reports must include a list of information, including attacker tactics and techniques. Information related to the incident must be preserved until the incident is fully resolved.
  • Enforcement. If an entity does not comply with the reporting requirements, CISA may issue a subpoena to compel the entity to produce the required information. The Justice Department may initiate a civil lawsuit to enforce the subpoena. Entities that do not comply with the subpoena may be found in contempt of court.

CISA rule to fill in the details

  • Rule requirement. CISA is required to issue a regulation that will establish details on the reporting requirements. The reporting requirements do not take effect until this regulation is final.
  • Rule timeline. CISA has a maximum of 42 months to finalize the rule (though the agency may choose to take less time).
  • Rule contents. The rule will establish the types of cyber incidents that must be reported, the types of critical infrastructure entities that must report, the content to be included in reports, the mechanism for submitting reports, and details on preserving data related to reports.

Protections for submitting reports

  • Not used for regulation. Reports submitted to CISA cannot be used to regulate the activities of the entity that submitted the report.
  • Privilege preserved. The covered entity may designate the reports as commercial and proprietary information. Submission of a report shall not be considered a waiver of any privilege or legal protection.
  • No liability for submission. No court may maintain a cause of action against any person or entity on the sole basis of submitting a report in accordance with this law.
  • Not admissible as evidence. Reports, and the material used to prepare them, cannot be received as evidence or used in discovery proceedings in any federal or state court or regulatory body.

What the government will do with the report information

  • Authorized purposes. The federal government may use the information in the reports for cybersecurity purposes, for responding to security threats or serious economic threats, and for preventing child exploitation.
  • Rapid response. For reports about ongoing threats, CISA must rapidly disseminate cyber threat indicators and defensive measures to stakeholders.
  • Information sharing. CISA must analyze reports and share information with other federal agencies, Congress, private sector stakeholders, and the public. CISA's information sharing must include assessment of the effectiveness of security controls, adversary tactics and techniques, and the national cyber threat landscape.

What is Rapid7's view of the law?

Rapid7 views the Cyber Incident Reporting for Critical Infrastructure Act as a positive step. Cybersecurity is essential to ensure critical infrastructure is safe, and this law would give federal agencies more insight into attack trends and would potentially help provide early warnings of major vulnerabilities or attacks in progress before they spread. The law carefully avoids requiring reports too early in the incident response process and provides protections to encourage companies to be open and transparent in their reports.

Still, the Cyber Incident Reporting for Critical Infrastructure Act does little to ensure critical infrastructure has safeguards that prevent cyber incidents from occurring in the first place. This law is unlikely to change the fact that many critical infrastructure entities are under-resourced and, in some cases, have security maturity that is not commensurate with the risks they face. The law's enforcement mechanism (a potential contempt of court penalty) is not especially strong, and the final reporting rule may not be in place for up to 3.5 years. Ultimately, the effect of the law may be similar to that of state breach notification laws, which raised awareness but did not prompt widespread adoption of security safeguards for personal information until states implemented data security laws.

So, the Cyber Incident Reporting for Critical Infrastructure Act is a needed and helpful improvement — but, as always, there is more work to do.
