User:JohnWyciskala/Cybersecurity and Infrastructure Security Agency Act

working draft

Lead
The Cybersecurity and Infrastructure Security Agency Act, 6 U.S.C.A. §652 (“Act”), was enacted by the Trump administration on November 16, 2018. The Cybersecurity and Infrastructure Security Agency (CISA) is a branch of the Department of Homeland Security (DHS) tasked with fulfilling the provisions of the Cybersecurity Information Sharing Act of 2015,[i] which mandates that DHS release a comprehensive list of cyber threat indicators to aid non-federal and federal entities.[ii] Following the high-profile security breaches known as SolarWinds[iii] and Colonial Pipeline,[iv] which demonstrated how underprepared the U.S. cyber infrastructure was in preventing and addressing such attacks, the Biden administration revised the statute in 2022 to address the shortcomings of the Act.[v]

Authority of CISA

Acting as the nation’s cyber risk advisor, CISA exercises broad administrative subpoena power to gather the information necessary for risk analysis.[1] CISA also develops binding operational and emergency directives that require action by the relevant federal agencies.[2] However, because CISA exercises power only within the federal government and some critical infrastructure, it cannot effectively protect the rest of the nation, which is similarly susceptible to these cybercrimes.[3] Furthermore, because CISA cannot mandate that private entities share their cyber threat indicators,[4] it relies heavily on voluntary reporting, as the provisions of 6 U.S.C. §6 provide liability protection to those who share cyber threat indicators and defensive measures with government and private entities.[5] While CISA was created to serve as the nation’s cyber risk advisor, the current configuration of 6 U.S.C.A. §652 prevents it from filling that role, as many other federal agencies exercise jurisdiction depending on the nature of the attack, leading to a wholly decentralized threat monitoring system.[6]

Legislative Materials

After the Cybersecurity and Infrastructure Security Agency was created, little was done to address some of the agency’s glaring issues and deficiencies. However, when the Biden administration came into power in the aftermath of SolarWinds and Colonial Pipeline,[7] a great deal of legislation centered on expanding CISA’s authority was proposed in order to bolster the nation’s cybersecurity.[8]

The Cybersecurity and Infrastructure Security Agency Act of 2017 was initiated by the House Committee on Homeland Security on December 11, 2017. It sought to amend the Homeland Security Act of 2002 to redesignate the existing National Protection and Programs Directorate as the Cybersecurity and Infrastructure Security Agency, which would assume responsibility over cybersecurity and critical infrastructure security programs, operations, and associated policies; coordinate cybersecurity efforts with Federal and nonfederal entities; secure Federal information systems; and carry out emergency communications responsibilities.[9] The bill was signed into law on November 16, 2018.

Later, on August 30, 2019, the House Committee on Homeland Security recommended passage of the Cybersecurity Vulnerability Remediation Act,[10] an amendment to the Homeland Security Act of 2002. The purpose of the act is to authorize DHS, through the Cybersecurity and Infrastructure Security Agency, to identify, develop, and disseminate to the public actionable protocols to mitigate cybersecurity vulnerabilities in software and hardware systems, and to permit DHS to establish an incentive-based program allowing industry, individuals, academia, and others to compete to provide remediation solutions for cybersecurity vulnerabilities.[11] The bill was essentially introduced to promote voluntary reporting[12] and to set a minimum security threshold that companies had to meet.[13] This was only an early draft: the bill was reintroduced on May 4, 2021, passed the House, and was received by the Senate on July 21, 2021.

One important step that indicates CISA’s growing authority came in January 2020, when the Senate Committee on Homeland Security and Governmental Affairs recommended passage of the DOTGOV Online Trust in Government Act of 2019.[14] This amendment to the Homeland Security Act of 2002 directs GSA to transfer to CISA responsibility for the .gov Internet domain program, which provides .gov Internet domain name registration services and supporting services to any Federal agency, State, local, tribal, and territorial (SLTT) government, or other publicly controlled entity.[15] It includes provisions requiring CISA to publish the registration and operation requirements for .gov domains necessary to minimize the risk of .gov names that may mislead or confuse the public.[16] Furthermore, CISA would be required to prohibit the use of .gov domains for commercial or campaign purposes, and to certify that .gov domains are registered and retained only by authorized people.[17] The bill would also direct CISA to develop an outreach strategy for SLTT governments, with information explaining the benefits of moving to the .gov domain, and a security enhancement strategy to improve the cybersecurity benefits of the .gov domain and modernize information systems.[18] This bill is important because, even though it has only been introduced, CISA has been given authority over these domains under the current version of 6 U.S.C. §652, which supports the notion that the Agency’s role as the nation’s cyber risk advisor may eventually be attained.[19]

On June 1, 2020, the Senate recommended passage of the Cybersecurity State Coordinator Act of 2020.[20] If passed, it would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to appoint a Cybersecurity State Coordinator in each State to build strategic Federal and nonfederal relationships and serve as a federal cybersecurity risk advisor.[21] The state coordinator would facilitate the sharing of cyber threat information between Federal and nonfederal entities, raise awareness of Federal resources available to assist nonfederal entities, and assist with developing vulnerability disclosure programs.[22] It is important to note, however, that involvement of nonfederal entities would be on a voluntary basis.[23]

On July 29, 2020, the Senate recommended passage of the Cybersecurity Vulnerability Identification and Notification Act.[24] This amendment to the Homeland Security Act of 2002 would expand the functions of the DHS Cybersecurity and Infrastructure Security Agency (CISA) to include detecting, identifying, and receiving information about cybersecurity vulnerabilities relating to Federal and nonfederal critical infrastructure, by authorizing CISA to issue administrative subpoenas for the production of information necessary to identify and notify an entity at risk whenever CISA identifies a specific security vulnerability and has reason to believe that it relates to critical infrastructure.[25] Furthermore, CISA would be empowered to incentivize disclosure by establishing liability protections for those who act in accordance with a subpoena.[26] The bill would also provide training to personnel on subpoena procedures and have CISA act in accord with the Justice Department to execute subpoenas. This suggests that Congress has recognized that CISA will not be able to fulfill its purpose without greater authority, and that mechanisms need to be put in place so that CISA can more adequately obtain information and give appropriate recommendations.[27] While this bill was not expressly enacted, it was incorporated into H.R. 6395, the National Defense Authorization Act for 2021.

The State and Local Cybersecurity Improvement Act[28] was recommended by the House Committee on Homeland Security on May 12, 2021; it passed the House and currently awaits Senate approval.[29] It would direct DHS, acting through the Cybersecurity and Infrastructure Security Agency (CISA), to establish the State and local cybersecurity grant program to make grants to States to address cybersecurity risks and threats to the information systems of State, local, tribal, or territorial governments.[30] The main premise is to require States applying for a grant to submit a cybersecurity plan and to establish a cybersecurity planning committee to oversee the development and implementation of that plan and determine funding priorities for the grant.[31] CISA would be required to develop a resource guide for use by State, local, tribal, and territorial governments to detect, protect against, and respond to cybersecurity risks, threats, and incidents. Under this act, CISA’s responsibilities would extend to improving the cybersecurity of State and local governments, and CISA would be required to conduct a study assessing the feasibility of a short-term rotational program detailing approved State, local, tribal, and territorial government employees in cyber workforce positions to CISA.[32]

A popular theme among many of these recommendations is broadening CISA’s regulatory authority over reporting so that it can analyze more data, leading to a better ability to address cyber incidents when they arise.[33] On September 9, 2020, the Senate Committee on Homeland Security and Governmental Affairs recommended the Cybersecurity Advisory Committee Authorization Act of 2020; the committee was established in June 2021 pursuant to the National Defense Authorization Act of 2021.[34] This would establish within CISA a committee comprised of State, local, and tribal government representatives and subject matter experts to advise, consult with, report to, and make recommendations to CISA on the development, refinement, and implementation of policies, programs, planning, and training pertaining to the cybersecurity mission of CISA.[35][36] This includes provisions requiring the Cybersecurity Advisory Committee to make recommendations for improvements to advance CISA’s cybersecurity mission and strengthen U.S. cybersecurity.[37]

Another important step for CISA came on October 18, 2022, when the Senate recommended passage of the Healthcare Cybersecurity Act of 2022,[38] which would enable CISA to coordinate with HHS to improve cybersecurity in the health care and public health sector.[39] The important provisions center on protecting the healthcare industry from cyberattack. Should the act get Senate approval, CISA would be required to coordinate with, and make resources available to, information sharing and analysis organizations, information sharing and analysis centers, and nonfederal entities that receive information shared through programs managed by HHS, including products specific to the needs of the health care and public health sector and sharing information on cyber threat indicators.[40] HHS would be obligated to provide training to health care and public health owners and operators on cybersecurity risks and mitigation measures.[41] Seeing as the nation’s healthcare is categorized as critical infrastructure, bolstering cyber practices in these industries would prevent catastrophic loss in the event that a hospital is infected by ransomware or some other type of malicious software.[42]

Naturally, government entities are not the only ones affected by malicious actors; many small businesses likely do not have the resources to invest in a secure cyber network.[43] On December 5, 2022, the Senate recommended passage of the Improving Cybersecurity of Small Businesses, Nonprofits, and Local Governments Act of 2021.[44] While the bill was not expressly enacted and may become law pursuant to multiple bills, it would require CISA to publish an annual report for small businesses, small governmental jurisdictions, and small nonprofit organizations (small entities) that documents and promotes evidence-based cybersecurity policies and controls for use by such small entities and provides recommendations to improve cybersecurity.[45] More specifically, it would direct CISA, the SBA, and the Minority Business Development Agency to make available to employees of small entities voluntary training and technical assistance on how to implement the recommendations of the annual cybersecurity report.[46] Considering the increased concern over the effect that cyber attacks have had on small businesses and other small entities, it would be logical for this bill to be reintroduced, as CISA is likely the most appropriate agency to regulate these groups.

To further CISA’s ability to obtain relevant data on data breaches, and in response to the current problems posed by ransomware, Congress recommended passage of the Cyber Incident Reporting Act of 2021[47] on December 13, 2022, though this bill was largely covered by CIRCIA, which was enacted in 2022. The bill proposed to establish the Cyber Incident Review Office in the DHS Cybersecurity and Infrastructure Security Agency (CISA) to receive, aggregate, and analyze reports of substantial cyber incidents submitted by entities that own or operate critical infrastructure, and reports of ransom payments made by entities in response to ransomware attacks.[48] It would require CISA to issue rules requiring specified entities to report cyber incidents to CISA within 72 hours of their occurrence and ransom payments within 24 hours of making a payment, and to conduct an outreach and education campaign to inform affected entities of those requirements.[49] Furthermore, CISA would be able to obtain information if an entity fails to comply with cyber incident or ransom payment reporting requirements, and Federal contractors would be prohibited from failing to comply with subpoenas.[50] More importantly, likely to combat some of the issues with information sharing among different agencies, the bill would establish an intergovernmental Cyber Incident Reporting Council to coordinate, deconflict, and harmonize Federal incident reporting requirements.[51]

Next, on December 14, 2022, the Senate recommended passage of the Response and Recovery Act of 2021, certain provisions of which were enacted by President Biden via H.R. 3648, the Infrastructure Investment and Jobs Act.[52] This proposed change essentially allows CISA to set the standard for when a significant cyber incident has occurred that would be likely to result in demonstrable harm to U.S. national security interests, foreign relations, or economy, public confidence, civil liberties, or public health and safety, and to establish the authorities under such a declaration to respond to and recover from the significant incident.[53] Aside from requiring CISA to coordinate between various branches of the government to respond to these sorts of threats, it also sought to establish the Cyber Response and Recovery Fund to assist Federal, State, local, Tribal, public, and private entities in responding to and recovering from significant incidents.[54] When significant incidents do arise, DHS is required to notify the National Cyber Director to determine the most appropriate remedy.[55]

SolarWinds Hack of 2020 and Colonial Pipeline Hack of 2021

As the previous sections demonstrate, the bulk of the relevant legislation was proposed between 2020 and 2022, as lawmakers recognized the importance of bolstering the nation’s rather weak cybersecurity and the need for a single entity to direct the U.S. down the right path.[56] This is not to say that the legislation was done out of precaution and foresight; rather, it was a response to a series of major cyber incidents in late 2020 that affected thousands of constituents and deeply affected critical infrastructure.[57] For example, ransomware (a type of malware that disables a victim’s network unless a specified ransom is paid) has increased drastically in prevalence in recent years due to its capacity for harm: in 2015 the associated costs were 325 million dollars, by 2020 that number had increased to 20 billion dollars, and experts estimate that it will reach 265 billion dollars by 2031.[58]

The first major incident that appears to have influenced the recent legislation is known as the SolarWinds hack.[59] SolarWinds is network performance monitoring software that enables users to detect, diagnose, and resolve performance problems and outages.[60] For the company’s network monitoring system to function properly, it deploys a program named “Orion” that scans the various portions of the company’s network for vulnerabilities.[61] This software enabled the user’s IT department to check the entire network at once.[62] At some point around March 2020, malicious actors believed to have been directed by the SVR slipped malware into the Orion software, which infected SolarWinds customers when they downloaded a routine system update.[63] It was estimated that roughly 18,000 users were affected by the hack; it also impacted large corporations such as Microsoft and Intel, as well as federal agencies including the Treasury, Justice, and Energy departments, the Pentagon, and even CISA.[64] While the damages were estimated to be in the millions, what SolarWinds best demonstrates is that cyberthreats can move across infrastructures and industries.[65] What is more damaging is that, had CISA been given broader authority to monitor software programs, the hack might have been detected earlier.[66] Instead, several months later, all CISA did was release an emergency directive outlining security measures to prevent further exploitation of the federal systems affected by the breach.[67] With respect to the thousands of other entities affected by the breach, all CISA could really do was mandate that the SEC investigate the hack, and the SEC was also severely limited in its investigation, as it is only permitted jurisdiction over designated areas.[68] The very unfortunate part of this incident is that, had CISA been given broader authority to regulate the cyberthreat landscape as a whole, the simple defensive measure of a firewall blocking outgoing connections to the internet would have thwarted the malware in SolarWinds.[69]

A few short months after the SolarWinds incident came a series of ransomware[70] attacks that halted critical infrastructure and resulted in millions being paid to the malicious actors.[71] For example, CNA Financial Corporation paid around forty million in ransom during this time, and meat producer JBS paid upwards of eleven million in bitcoin.[72] While these incidents were large in scale, their damaging effects pale in comparison to those of Colonial Pipeline, which was hacked in May of 2021.[73] The Colonial Pipeline incident led to an increased focus on bolstering the nation’s critical infrastructure when the 5,500 mile pipeline, which carries 45% of the East Coast’s gas, had to shut down due to an attack by ransomware actors.[74] The incident arose when bad actors gained access to the company’s business network; they were also able to reach the company’s operational network due to the lack of segmentation between the two networks.[75] This was the first time the pipeline ever had to be shut down, and until the 4.4 million dollar ransom was paid, the ransomware attack had the effect of disabling society’s ability to operate.[76] While it is obvious that a company of that size should have implemented more robust cybersecurity, as other pipelines do, the incident fostered a new appreciation and focus on fortifying the nation’s critical infrastructure in the Biden administration.[77]
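The two root causes named in this section, a monitoring host allowed to open outgoing connections to the internet (SolarWinds) and no segmentation between a business network and an operational network (Colonial Pipeline), are both things a defender can check against firewall flow records. The block below is an added example, not code from this draft or from any of its sources; the zone addresses, the log line format and the sample log lines are all constructed for illustration.

```python
"""Audit allowed firewall flows for two policy failures: internet egress from
monitoring/operational zones, and business-to-operational crossings."""
import re
from ipaddress import ip_address, ip_network

# Hypothetical zone map (constructed). The monitoring subnet is carved out of
# the business range, so it is listed first and matched first.
ZONES = {
    "monitoring": ip_network("10.10.5.0/24"),   # network-monitoring servers
    "business": ip_network("10.10.0.0/16"),     # corporate IT network
    "operational": ip_network("10.20.0.0/16"),  # operational (control) network
}

# Constructed log format: "<timestamp> <src> -> <dst>:<dport> ALLOW|DENY"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"\s+(?P<action>ALLOW|DENY)$"
)


def zone_of(addr):
    """Map an address to a zone name; anything unmapped is treated as external."""
    ip = ip_address(addr)
    for name, net in ZONES.items():  # insertion order: most specific first
        if ip in net:
            return name
    return "external"


def policy_verdict(src_zone, dst_zone):
    """Return None if the flow is acceptable, otherwise a short reason."""
    # Monitoring and operational hosts have no business reaching the internet;
    # blocking this egress is the countermeasure the draft cites for SolarWinds.
    if dst_zone == "external" and src_zone in ("monitoring", "operational"):
        return f"egress from {src_zone} zone to the internet"
    # Business-side hosts must not reach the operational network directly;
    # this is the missing segmentation the draft cites for Colonial Pipeline.
    if src_zone in ("business", "monitoring") and dst_zone == "operational":
        return f"{src_zone}-to-operational crossing"
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit(lines):
    """Return (ts, src, dst, dport, reason) for every ALLOWED flow that violates policy."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue  # skip garbage and flows the firewall already denied
        reason = policy_verdict(zone_of(rec["src"]), zone_of(rec["dst"]))
        if reason:
            findings.append((rec["ts"], rec["src"], rec["dst"], int(rec["dport"]), reason))
    return findings


# Constructed sample log. 198.51.100.7 is a documentation address standing in
# for an arbitrary internet host; timestamps are invented.
SAMPLE_LOG = """
2021-03-26T02:14:00Z 10.10.5.12 -> 198.51.100.7:443 ALLOW
2021-03-26T02:14:03Z 10.10.42.8 -> 198.51.100.7:443 ALLOW
2021-03-26T02:15:10Z 10.10.42.8 -> 10.20.1.5:502 ALLOW
2021-03-26T02:15:11Z 10.10.42.8 -> 10.20.1.6:502 DENY
2021-03-26T02:16:00Z 10.20.1.5 -> 10.20.1.9:502 ALLOW
garbage line
""".strip().splitlines()

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

Only the monitoring host's outbound HTTPS flow and the business-to-operational flow are reported; ordinary business-network web traffic and traffic inside the operational zone pass.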

Biden Administration Response to SolarWinds and Colonial Pipeline

Aside from the recent legislation, in the aftermath of these incidents President Biden released a series of executive orders (“Order”) and responses related to improving the nation’s cybersecurity.[78] In the May 12, 2021 Order, President Biden acknowledged that restrictions limit information sharing between executive departments and agencies like CISA that are responsible for investigating incidents.[79] It was acknowledged that removing these barriers is of extreme importance, as information sharing is necessary to deter these threats and enables more effective cyber defense.[80] The Order greatly increased CISA’s role as the nation’s cyber risk advisor: CISA was given broader authority over critical infrastructure and was also tasked with developing “the playbook,” a standard set of operational procedures that the federal government would follow when conducting vulnerability and incident response.[81]

In December 2022, 6 U.S.C. §652 was broadened to include three specified areas: (i) cybersecurity, (ii) infrastructure security, and (iii) security risk management.[82] The main differences between the current version and the 2018 version are responsibility over “.gov” internet domains and a provision holding CISA responsible for coordinating with federal and international entities to carry out the cybersecurity and critical infrastructure activities of the agency.[83] Another main difference does not really stem from the act itself; rather, it stems from the mandate to “carry out such other duties and powers prescribed by law or delegated by the secretary.”[84] Naturally, as lawmakers have been rigorous in drafting new legislation that broadens CISA’s authority, it is likely that CISA will eventually be the cyber risk advisor it was created to be.

Protection of critical infrastructure is a popular theme running through the recent legislation, as Colonial Pipeline demonstrated, and in March 2022 President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).[85] The act requires CISA to develop and implement regulations requiring covered entities to report specified cyber incidents and ransomware payments.[86] The increased reporting requirement would have a profound effect on CISA’s ability to spot trends and rapidly share information with network defenders, and would enable CISA to respond rapidly to incidents and assist victims.[87] CIRCIA essentially mandates two things: a covered entity must report within 72 hours after a covered cyber incident occurs, and, since covered incidents include ransomware attacks, any ransom payment must be reported within 24 hours.[88] While the law is in effect, some requirements are still pending, as CISA was given 42 months to issue the new rules; CISA can of course bring new regulatory rules into effect much sooner, which will ultimately aid CISA’s ability to handle cyber incidents.[89]

As things currently stand, cybersecurity is a rapidly growing field: 157 pieces of legislation have been drafted to bolster the nation’s defense.[90] Furthermore, much of this legislation is aimed at expanding the current cyber workforce and increasing capacity as well as funding.[91] The bulk of the legislation, however, concerns risk assessment (102 bills have been created), which is the primary focus of CISA.[92] With more destined to be created in the future, CISA may eventually be able to serve as the risk advisor it was created to be.[93]

[i] 6 U.S.C. §6

[ii] See id.

[iii] See infra note 60 and accompanying text

[iv] See infra note 73 and accompanying text

[v] See infra note 78; see also infra note 82 and accompanying text.

[1] See Graham Streich, (Re-)configuring Federal Cybersecurity Regulation: From Critical Infrastructures to the Whole-of-the-Nation, 55 Ind. L. Rev. 733, 747 (2022)

[2] See Graham at 747

[3] https://www.washingtonpost.com/politics/2021/05/05/cybersecurity-202-lawmakers-want-greater-resources-authorities-cisa-protect-critical-infrastructure/

[4] See Graham supra note 1 at 739.

[5] Alice M. Porch, Spoiling for A Fight: Hacking Back with the Active Cyber Defense Certainty Act, 65 S.D. L. Rev. 467, 474 (2020)

[6] See Graham supra note 1 at 758

[7] See infra note 52; see also infra note 66 and accompanying text

[8] See infra notes 9-55

[9] 115 H. Rpt. 454, Part 1

[10] See 116 H.R. 3710

[11] 116 H. Rpt. 193

[12] See Graham supra note 1 at 739

[13] See e.g., id., 116 H.R. 3710

[14] 116 S. 2749

[15] S. Rpt. 116-192

[16] Id.

[17] Id.

[18] Id.

[19] See id.; see also infra note 89

[20] 116 S. 3207

[21] S. Rpt. 116-227

[22] Id.

[23] Id.

[24] 116 S. 3045; 116 H.R. 5680

[25] S. Rpt. 116-242

[26] Id., see also supra note 3

[27] See infra note 24; See also Graham supra Note 1.

[28] 116 H.R. 5823; See also 116 H.R. 3138

[29] H. Rpt. 116-478

[30] Id.

[31] Id.

[32] Id.

[33] See supra note 77

[34] 116 S.4024; see also H.R. 1975

[35] See supra note i and accompanying text.

[36] See S. Rpt. 116-265

[37] Id.

[38] 117 S. 3904

[39] S. Rpt. 117-177

[40] Id.

[41] Id.

[42] See id., see also https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html (This article highlights the affects of Colonial Pipeline which signals the necessity for increased oversight of critical infrastructure.)

[43] See Braue infra note 63 (This article contains a graphic that highlights how ransomware attacks these groups heavily.)

[44] 117 S. 2483

[45] S. Rpt. 117-217

[46] Id.

[47] See 117 S. 2587; See also Braue infra note 58.

[48] S. Rpt. 117-249

[49] Id.

[50] Id.

[51] See S. Rpt. 117-249; see also supra note 6 (focus primarily on the different agencies that exercise jurisdiction over the investigation of cybercrimes depending on the occupation of the victim.)

[52] 117 S. 1316

[53] S. Rpt. 117-257

[54] Id.

[55] Id.

[56] See Graham supra note 1 at 758.

[57] See infra note 76 and accompanying text.

[58] David Braue, Global Ransomware Damage Costs Predicted to Exceed $265 Billion by 2031, CyberCrime Magazine (Jun. 2, 2022), https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-250-billion-usd-by-2031/

[59] https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

[60] https://www.solarwinds.com/orion-platform#:~:text=SolarWinds%20Network%20Performance%20Monitor%20is,network%20performance%20problems%20and%20outages.

[61] See https://www.npr.org/2021/04/16/985439655/a-worst-nightmare-cyberattack-the-untold-story-of-the-solarwinds-hack

[62] Id.

[63] Id.

[64] Id.

[65] See Graham supra note 1 at 752

[66] Id.

[67] See https://www.gao.gov/blog/solarwinds-cyberattack-demands-significant-federal-and-private-sector-response-infographic

[68] See e.g., 6 U.S.C.A. §652; https://www.sec.gov/oig/final-management-letter-review-sec-compliance-cisa-ed-21-01-and-initial-response ; see also 16 C.F.R. § 314 (2016).

[69] https://www.securitymagazine.com/articles/95479-cisa-believes-solarwinds-attack-could-have-been-prevented-with-simple-countermeasures#:~:text=CISA%20believes%20SolarWinds%20attack%20could%20have%20been%20prevented%20with%20simple%20countermeasures,-June%2023%2C%202021&text=The%20Department%20of%20Homeland%20Security,a%20decade%2Dold%20security%20recommendation.

[70] See Braue supra note 58 and accompanying text.

[71] Oversight finds 'small lapses' in security led to Colonial Pipeline, JBS hacks, 2021 WL 5314607

[72] Id.

[73] Zachary Cohen et al., Biden Administration Officials Privately Frustrated with Colonial Pipeline's Weak Security Ahead of Crippling Cyberattack, CNN, https://www.cnn.com/2021/05/11/politics/biden-administration-ransomware-frustration/index.html (May 11, 2021, 9:25 PM) (outlining Colonial Pipeline's unpreparedness and failure to notify the Cybersecurity and Infrastructure Security Agency)

[74] Id.

[75] https://www.nytimes.com/2021/05/14/us/politics/pipeline-hack.html

[76] Id.

[77] See e.g., id., Executive Order on Improving the Nation’s Cybersecurity (May 12, 2021) ( https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/ ) [hereinafter “Biden Executive Order”]; 87 FR 77971-01 (this final rule highlights changes made to 6 CFR part 29, which mandates regulations of Protected Critical Infrastructure and bolsters the presumption of increased regulatory authority being given to CISA.)

[78] See e.g., Biden Executive Order supra note 77; https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/06/16/remarks-by-president-biden-in-press-conference-4/

[79] Biden Executive Order supra note 77.

[80] Id.

[81] Id. at sec. 6.

[82] 6 U.S.C. 652 (Current).

[83] Compare Id. at (c)(2), with 6 U.S.C. 652 (2018 Main Ed.) (Which illustrates the lack of regulatory authority that CISA had in the former version of the statute.).

[84] 6 USC 652(c)(14)

[85] https://www.cisa.gov/topics/cyber-threats-and-advisories/information-sharing/cyber-incident-reporting-critical-infrastructure-act-2022-circia

[86] Id.

[87] Id.

[88] https://securityintelligence.com/articles/what-cisos-should-know-circia-incident-reporting/

[89] Id.

[90] Georgia Wood, Cybersecurity Legislation in the 117th Congress, Center for Strategic & International Studies (Dec. 6, 2021), https://www.csis.org/blogs/strategic-technologies-blog/cybersecurity-legislation-117th-congress

[91] Id.

[92] Id.

[93] See id.