The SEC's cyberattack reporting rules are seeing fierce opposition. CISA is poised to do better.

CISA’s initiative to regulate critical infrastructure on incident reporting is just beginning. The focus on industry engagement by CISA and its director, Jen Easterly, could be about to pay off.

CISA director Jen Easterly is focusing on cyber industry engagement.

Photo: Kevin Dietsch/Getty Images

As the chief information security officer of a large, publicly traded tech company, Drew Simonis has been keeping a close eye on the SEC's proposed rules to require reporting of major cyberattacks.

Simonis, who works at Juniper Networks, has some serious concerns shared by many executives in U.S. private industry. Some of the proposed cyber incident reporting rules seem like they'd be counterproductive to the goal of creating transparency, and would likely just increase confusion for corporate shareholders, he said. Overall, by requiring public disclosure of major cyber incidents within four business days, the approach seems to lack a basic understanding of the "fluid nature of security events," Simonis said.

"Often, you just don't know within four days what the real facts are," he said. As written, the proposed SEC rules essentially require companies to "make very important decisions with very little information."

Meanwhile, another federal agency — which has its own set of cyber incident reporting regulations in the works, separate from the SEC’s — has been carrying itself much differently, according to Simonis and numerous others in the security community. The Cybersecurity and Infrastructure Security Agency has brought a welcome change in approach compared to the way most federal agencies have engaged with companies around security issues in the past, security professionals told Protocol.

As a result, the contrast between the two approaches becomes clear when comparing the two major federal efforts currently seeking to ramp up cyber incident reporting in the U.S.: the one led by CISA and the one led by the SEC.

Security executives believe the efforts of CISA director Jen Easterly and the rest of the agency's leadership team have helped bring the public-private cybersecurity partnership to an all-time high in the U.S.

With the CISA-led rule-making process now set to kick off around cyber incident reporting for critical infrastructure providers, however, the strength of that partnership could be put to the test.

Improving threat tracking

Information sharing is pivotal in the cybersecurity space given the fast-changing nature of threats. The amount of data a security team has about the latest attacker tactics can make or break its defense strategy, and that information also helps government agencies decide how to respond.

Until now, CISA has had very little regulatory authority. Under the leadership of original director Chris Krebs, and now Easterly, much of the emphasis has been on getting government and industry more comfortable working together, but on a voluntary basis.

While there are signs those efforts have been helping increase the amount and speed of information sharing, it hasn't been nearly enough. The government is still hearing about only a “tiny fraction” of the ransomware breaches and other cyberattacks that are hitting businesses, which weakens threat-tracking efforts, a CISA official reportedly said in June.

That's what the forthcoming regulations seek to address. The Cyber Incident Reporting for Critical Infrastructure Act was passed by Congress and signed by President Biden in March. It paves the way for mandatory reporting of major cyber incidents by companies in 16 critical infrastructure sectors within 72 hours.

Ransomware payments made by covered companies would need to be reported within 24 hours. Crucially though, unlike in the SEC proposal, details on cyberattacks disclosed to CISA would be anonymized before any public disclosure.

It'll be up to CISA to hammer out the specifics, such as which types of incidents would qualify for reporting.

Despite the goodwill that CISA has generated within the cybersecurity industry, companies will still have questions and concerns that need to be answered, said Marc Rogers, executive director of cybersecurity at Okta.

"You've got all these challenges around, 'How much do I want to share? What is risky for me to share? Is there a chance that a competitor could find out about this? Is there a chance that this could cause further brand damage or loss of confidence in us?'" Rogers said.

Those challenges will need to be overcome, and "the only way that that's going to happen is with an extended rule-making period where both parties sit down and talk," he said. Proposed rules are not due until March 2024, with the final regulations due by September 2025.

With the rule-making process just getting underway, critical infrastructure providers that would be subject to the regulations appear to be in "wait-and-see mode," said Ben Miller, vice president of services at industrial cybersecurity vendor Dragos. Still, he said, it's obvious that there hasn't been a major outcry against the idea either.

Industry opposition

The same can't be said about the SEC proposal. Released in March — just days before Biden signed the critical infrastructure reporting act — the SEC rules have gotten a mixed reception, according to public comments filed with the SEC.

While the opposition isn't unanimous, "I've seen plenty of calls for [the SEC's] whole proposal to simply be set on fire and never discussed again," said Harley Geiger, senior director of public policy at cybersecurity vendor Rapid7.

In late June, a coalition of 34 industry groups signed a letter to the SEC sharply criticizing the proposed incident reporting rules, saying the proposal "runs counter to sound cybersecurity policies and practices" because it could equip attackers with data that could be used against companies and law enforcement.

"Many in the business community strongly believe that the Commission's proposal should not be finalized in its current form," the groups — which include the Chamber of Commerce, the American Gas Association and USTelecom — wrote in the letter. Other groups that have separately filed critical comments with the SEC include the National Retail Federation and the National Association of Manufacturers.

Within tech, groups including the Information Technology Industry Council — which counts many of the largest tech companies as members — and the Internet Security Alliance each filed detailed criticisms of the proposed SEC rules. Both groups said the SEC proposal would lead to highly problematic public disclosure of vulnerability details prior to those vulnerabilities being fixed, which would only heighten cybersecurity risks for everyone. The proposed SEC regulations "will likely assist attackers more than investors," the Internet Security Alliance wrote.

Sen. Rob Portman wrote in comments submitted to the SEC that the agency should reconsider or "revise substantially" its proposal. Congress intended the Cyber Incident Reporting for Critical Infrastructure Act to be "the primary mechanism for companies to report cyber incidents," Portman, who co-authored the act, wrote.

The SEC did not respond to a request for comment.

Groups that have expressed support for the SEC proposal include Principles for Responsible Investment and Better Markets, the latter of which wrote to the SEC that its proposed rules "will better inform investors of the cybersecurity risks posed to companies."

The SEC’s rules differ from CISA's. Photo: Al Drago/Bloomberg via Getty Images

A bipartisan group of seven senators — Mark Warner, Ron Wyden, Jack Reed, Catherine Cortez Masto, Kevin Cramer, Angus King and Susan Collins — also expressed support. Among the benefits of the SEC proposal is that it provides "powerful incentives for public companies to bolster cybersecurity," the senators wrote.

The proposed regulations are now listed as being in the "final rule stage," and while the SEC declined to comment on the status of the rules, the agency's website indicates that "final action" on the proposal will be taken by April 2023.

A compromise between the supporters and opponents of the SEC proposal might be possible: one in which companies are still required to report major cyber incidents, but the reports are not disclosed publicly until the issues have been mitigated, Rapid7's Geiger said. "But I'm not confident that's going to occur because so much of the dialogue has been black or white: full transparency, or not having the [requirements] at all," he said.

Besides the SEC and CISA, nearly two dozen other federal agencies have their own proposed or finalized requirements around the reporting of cyber incidents, according to a tally by R Street. Plus, new ones keep surfacing at the federal level, while many U.S. states have breach-reporting requirements as well.

"I think that the government would even admit that there are a lot of challenges around the patchwork of cyber incident reporting requirements that are being imposed on industry," said Bill Wright, senior director for North American government affairs at Splunk, and former staff director for the Senate homeland security committee.

Indeed, Congress has taken notice. The March critical infrastructure bill also created a new council under the Department of Homeland Security, which is charged with harmonizing the different incident reporting requirements at the federal level. The Cyber Incident Reporting Council had its first meeting in late July.

The council does include a member from the SEC, as well as representatives from the FBI and numerous other federal agencies and departments. DHS is also the parent agency of CISA.

CISA's leadership has also called this harmonization effort a top priority. It's "incumbent upon us to work out an agreement with [those] other federal agencies so that information would flow from them to CISA," said Brandon Wales, the agency's executive director, during a recent webinar.

On the whole, CISA is focused on "not overly burdening the private sector" around incident reporting, Easterly said during a panel at the RSA Conference in June. The agency wants to avoid making things worse for businesses "when they're trying to deal with an incident under duress," she said.

The Easterly effect

Appointed as director of CISA just over a year ago, Easterly has won praise from many in the cybersecurity community for her efforts to engage. Along with speaking on two panels at RSA, Easterly spent time on the show floor, chatting with visitors at the CISA booth and handing out autographed Rubik's cubes.

Easterly came to the role from a background in both the government and private sector. Prior to CISA, she ran Morgan Stanley's cyber threat response center. In the Obama administration, she held roles at the NSA and National Security Council, including as senior director for counterterrorism.

Cybersecurity executives say that the launch of the Joint Cyber Defense Collaborative shortly after the start of Easterly’s tenure has been instrumental in improving relations between the public and private sectors. The group brings together 21 major cybersecurity vendors with the FBI, NSA, DOJ, DOD and other federal agencies.

The trust has grown as the JCDC participants have spent more time with each other, said Splunk's Wright. "And along with the trust, I think that you move a little closer, you do a little bit more."

Easterly has done an "amazing" job at expanding the information sharing from the government to the private sector, said William MacMillan, a senior vice president at Salesforce and formerly the CISO for the CIA.

"There's a really broad recognition nowadays that the government has really helped close that gap," MacMillan said. "They're clearing information [for distribution] that's actionable and useful."

For instance, with the disclosure of the critical Log4Shell vulnerability in December 2021, CISA rapidly distributed practical information for defenders, said Wendi Whitmore, senior vice president in Palo Alto Networks' Unit 42 organization.

In her two decades in the field, “I haven’t seen this level of information sharing before between public and private partners,” said Whitmore, who is also a member of the Cyber Safety Review Board.

Still, looking ahead, CISA will "have to walk a tough line" as the agency transitions from just being a partner with private industry into being a regulator of it, said Dragos' Miller, who previously served as associate director at electricity regulator NERC.

Finding the balance

Wales, the CISA executive director, said in a statement provided to Protocol that the agency will focus on striking the right balance while implementing the legislation. "We will balance the need for information to be shared quickly, letting victims respond to an attack without imposing onerous requirements, and getting accurate information that enables CISA to protect the broader cyber ecosystem," he said.

The agency plans to issue a public request for information and host a series of "listening sessions" later this year to solicit feedback from industry, Wales said in the statement.

Among the concerns, at least for the security community, is that the incident reporting regulations may not be finalized for another three years.

Given how quickly things change in the world of cybersecurity — and the fact that better visibility on cyber threats is needed as soon as possible — "that is a really long time frame," said Chris Hallenbeck, CISO for the Americas at cybersecurity vendor Tanium. CISA might want to explore shortening that timeline, since the security payoff could be significant, said Hallenbeck, formerly the chief of operations for the U.S. Computer Emergency Readiness Team.

Tim Eades, CEO of cybersecurity vendor vArmour, said the lengthy time frame also raises the risk that changes in leadership in Congress or the White House could throw a wrench into the incident reporting initiative. To help reduce that risk, he suggested, CISA could look at rolling out the requirements gradually, in stages.

This would also help ensure that critical infrastructure providers are aligned and going in the right direction, Eades said.

Not that he, or anyone else in the security industry who spoke to Protocol, doubts that CISA will ultimately do a solid job implementing the regulations.

"We've heard this a lot from the government over the years: 'How can we collaborate better?' That's been a pretty consistent theme," said Juniper Networks' Simonis, who's had a two-decade career in information security. But "CISA seems to be able to bring that collaborative spirit to life in a way that other agencies didn't quite accomplish."
