Last updated at Tue, 20 Jun 2023 20:15:58 GMT

2022年3月,拜登总统 签署成为法律 the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), 这是一项两党倡议,授权中钢协要求关键基础设施所有者和运营商报告网络事件. Rapid7 is supportive of CIRCIA and cyber incident reporting in general, 但我们也鼓励监管机构确保报告规则得到精简,不要给正在积极从网络入侵中恢复过来的公司带来不必要的负担.

尽管这是一项具有里程碑意义的立法改革,但CIRCIA只是更大趋势中一个非常明显的例子. 事件报告已成为整个政府的主要网络安全监管策略. 许多联邦和州机构都在各自的规则制定机构下实施自己的网络事件报告要求,例如 证券交易委员会, 联邦贸易委员会, 美联储, OCC, NCUA, NERC, 运输安全管理局, NYDFS,以及其他. Several such rules are already in force in US law, with at least three more likely to become effective within the next year.

这种趋势并不局限于美国. Several international governing bodies have proposed similar cyber incident reporting rules, 比如欧盟(EU) NIS-2指令.

通过事件报告提高安全透明度是朝着积极方向迈出的富有成效的一步. Incident reporting requirements can help the government to manage sectoral risk, encourage a higher level of private-sector cyber hygiene, and enhance intrusion remediation and prevention capabilities. But the rapid embrace of this new legal paradigm may have created too much of a good thing, and the emerging regulatory environment risks becoming unmanageable.

当前状态

执行重叠或矛盾要求的网络事件报告规则可能会给积极响应网络攻击的组织带来不必要的合规负担. 为了说明这个问题, consider the potential experience of a hypothetical company – let’s call it Energy1. Energy1是一家美国公司, publicly traded utility company that owns and operates energy generation plants, 电力传输系统, 以及天然气输送管道. If Energy1 experiences a significant cyber attack, it may be required to submit the following reports:

  • 一小时内,提供给 NERC -根据NERC CIP规则 -载有事故初步详情及其对营运的功能影响的报告.
  • 24小时内,提供给 运输安全管理局 -在 管道安全指令 – a report with a complete description of the incident, its functional impact on business operations, and the 补救步骤的详细信息.
  • 72小时内,提供给 中钢协 - - -下 CIRCIA – a complete description of the incident, 补救步骤的详细信息, and threat intelligence information that may identify the perpetrator.
  • 96小时内,提供给 证券交易委员会 ——在证券交易委员会的监管下 拟议的规则 – a complete description of the incident and its impact, including whether customer data was compromised.

在我们假设的场景中, Energy1可能需要快速编译必要的信息,以遵守每个不同的报告规则或法规, all while balancing the urgent need to remediate and recover from a cyber intrusion. 此外, if Energy1 operates in non-US markets as well, it may be subject to several more reporting requirements, such as those proposed under the draft NIS-2指令 in the EU or the 、规则 在印度. 其中许多法规还要求在初始报告之后进行后续状态更新.

上面的示例展示了事件报告需求拼凑的复杂性. 在这种新环境下,遵守法律给私营部门和政府带来了许多挑战. 例如:

  • 冗余的要求: 在网络事件之后强加的不必要的重复遵从性要求可能会从事件补救中抽走关键资源, potentially leading to lower-quality data submitted in the reports.
  • 公众对. 私人信息披露: Most reports are held privately by regulators, 但美国证券交易委员会提出的规则将要求公司在确定事件重大后的96小时内提交公开报告. 在事件得到控制或缓解之前公开披露可能会使受影响的公司进一步面临网络攻击的风险. 除了, 在缓解之前过早地公开报告事件可能无法准确反映受影响公司的网络事件响应能力.
  • 不一致的要求: The definition of what is reportable is not consistent across agency rules. 例如, the 证券交易委员会 requires reporting of cyber incidents that are “material” to a reasonable investor, whereas NERC requires reporting of almost any cyber incident, including failed “attempts” at cyber intrusion. 缺乏统一的可报告性定义给遵从性过程增加了另一层复杂性.
  • 过程不一致: As demonstrated in the Energy1 example, all incident reporting rules and 拟议的规则s have different deadlines. 除了, 每个规则和建议规则都有不同的报告格式和提交方法. These process inconsistencies add friction to the compliance process.

建议

上述关键问题可由网络事件报告委员会(CIRC)解决。, an interagency working group led by the Department of Homeland Security (DHS). 该委员会是根据中国事故监察委员会成立的,其任务是协调现有的事故报告规定,使其成为更统一的监管制度. A 读出 理事会第一次会议的记录, 7月25日召开, 中国保监会表示,打算“通过推进事故报告的共同标准,减轻行业负担”.”

除了国土安全部, CIRC includes representatives from across government, including from the Departments of Justice, 商务, 财政部, 和能源等. 从该委员会的首次会议来看,目前尚不清楚中国保监会将如何重塑网络事件报告规定, 或者这些改变是否可以通过行政行动实现,或者是否需要新的立法. The Council will release a report with recommendations by the end of 2022.

Rapid7敦促中国保监会考虑几种协调策略,旨在简化合规性,同时保持网络事件报告的优势, 如:

  • 统一过程: 在可能的情况下, 为所有提交的事件报告制定一个单一的接收点,并采用多个机构接受的通用格式. 这将有助于消除各组织以不同格式和不同时间表向不同机构提交若干份报告的需要.
  • Deconflicted要求: Agree on a more unified definition of what constitutes a reportable cyber incident, 建立更加一致的报告要求,以满足多个机构规则的需要.
  • 延迟公开披露: 在受影响的组织有时间控制漏洞之前公开发布事件报告可能会使公司及其客户的安全面临不必要的风险. Requirements that involve public disclosure, such as 拟议的规则s from the 证券交易委员会 and 联邦贸易委员会, should consider delaying and coordinating disclosure timing with the affected company.

联邦政府的一些机构已经在设计事件报告规则时考虑到了协调. 美联储, 联邦存款保险公司, 和OCC, rather than building out three separate rules for each agency, 设计了一个单一的宇宙 事故报告要求 对于这三个机构. 该规定要求,受影响公司的“主要监管机构”只需向这三家机构中的任何一家提交一份报告.” The sharing of reports between agencies is handled internally, removing from companies the burden of submitting multiple reports to multiple agencies. Rapid7支持这种方法,并将鼓励中国保监会在可能的情况下采取类似的简化策略.

保持平衡

Rapid7 supports the growing adoption of cyber incident reporting. 政府和行业之间更大的网络安全透明度可以带来相当大的好处. 然而, 不必要的重叠或相互矛盾的报告要求可能会损害事件响应和恢复的关键工作. 我们鼓励监管机构精简和简化流程,以便充分利用事件报告的好处,同时又不会使组织在此过程中承担不必要的负担或风险.

更多阅读:

不要错过任何一个博客

Get the latest stories, expertise, and news about security today.