The SEC's cyberattack reporting rules are seeing fierce opposition. CISA is poised to do better.

CISA’s initiative to regulate critical infrastructure on incident reporting is just beginning. The focus on industry engagement by CISA and its director, Jen Easterly, could be about to pay off.

The SEC's cyberattack reporting rules are seeing fierce opposition. CISA is poised to do better.

CISA director Jen Easterly is focusing on cyber industry engagement.

Photo: Kevin Dietsch/Getty Images

As the chief information security officer of a large, publicly traded tech company, Drew Simonis has been keeping a close eye on the SEC's proposed rules to require reporting of major cyberattacks.

Simonis, who works at Juniper Networks, has some serious concerns shared by many executives in U.S. private industry. Some of the proposed cyber incident reporting rules seem like they'd be counterproductive to the goal of creating transparency, and would likely just increase confusion for corporate shareholders, he said. Overall, by requiring public disclosure of major cyber incidents within four business days, the approach seems to lack a basic understanding of the "fluid nature of security events," Simonis said.

"Often, you just don't know within four days what the real facts are," he said. As written, the proposed SEC rules essentially require companies to "make very important decisions with very little information."

Meanwhile, another federal agency — which has its own set of cyber incident reporting regulations in the works, separate from the SEC’s — has been carrying itself much differently, according to Simonis and numerous others in the security community. The Cybersecurity and Infrastructure Security Agency has brought a welcome change in approach compared to the way most federal agencies have engaged with companies around security issues in the past, security professionals told Protocol.

As a result, when comparing the two major federal efforts that are currently seeking to ramp up cyber incident reporting in the U.S., the difference between the approaches taken by CISA and the SEC becomes clear.

Security executives believe the efforts of CISA director Jen Easterly and the rest of the agency's leadership team have helped bring the public-private cybersecurity partnership to an all-time high in the U.S.

With the CISA-led rule-making process now set to kick off around cyber incident reporting for critical infrastructure providers, however, the strength of that partnership could be put to the test.

Improving threat tracking

Information sharing is pivotal in the cybersecurity space given the fast-changing nature of threats. The amount of data a security team has about the latest attacker tactics can make or break its defense strategy, and that information also helps government agencies decide how to respond.

Until now, CISA has had very little regulatory authority. Under the leadership of original director Chris Krebs, and now Easterly, much of the emphasis has been on getting government and industry more comfortable working together, but on a voluntary basis.

While there are signs those efforts have been helping increase the amount and speed of information sharing, it hasn't been nearly enough. The government is still hearing about only a “tiny fraction” of the ransomware breaches and other cyberattacks that are hitting businesses, which weakens threat-tracking efforts, a CISA official reportedly said in June.

That's what the forthcoming regulations seek to address. The Cyber Incident Reporting for Critical Infrastructure Act was passed by Congress and signed by President Biden in March. It paves the way for mandatory reporting of major cyber incidents by companies in 16 critical infrastructure sectors within 72 hours.

I've seen plenty of calls for [the SEC's] whole proposal to simply be set on fire and never discussed again.

Ransomware payments made by covered companies would need to be reported within 24 hours. Crucially though, unlike in the SEC proposal, details on cyberattacks disclosed to CISA would be anonymized before any public disclosure.

It'll be up to CISA to hammer out the specifics, such as which types of incidents would qualify for reporting.

Despite the goodwill that CISA has generated within the cybersecurity industry, companies will still have questions and concerns that need to be answered, said Marc Rogers, executive director of cybersecurity at Okta.

"You've got all these challenges around, 'How much do I want to share? What is risky for me to share? Is there a chance that a competitor could find out about this? Is there a chance that this could cause further brand damage or loss of confidence in us?'" Rogers said.

Those challenges will need to be overcome, and "the only way that that's going to happen is with an extended rule-making period where both parties sit down and talk," he said. Proposed rules are not due until March 2024, with the final regulations due by September 2025.

With the rule-making process just getting underway, critical infrastructure providers that would be subject to the regulations appear to be in "wait-and-see mode," said Ben Miller, vice president of services at industrial cybersecurity vendor Dragos. Still, he said, it's obvious that there hasn't been a major outcry against the idea either.

Industry opposition

The same can't be said about the SEC proposal. Released in March — just days before Biden signed the critical infrastructure reporting act — the SEC rules have gotten a mixed reception, according to public comments filed with the SEC.

While the opposition isn't unanimous, "I've seen plenty of calls for [the SEC's] whole proposal to simply be set on fire and never discussed again," said Harley Geiger, senior director of public policy at cybersecurity vendor Rapid7.

In late June, a coalition of 34 industry groups signed a letter to the SEC sharply criticizing the proposed incident reporting rules, saying the proposal "runs counter to sound cybersecurity policies and practices" because it could equip attackers with data that could be used against companies and law enforcement.

"Many in the business community strongly believe that the Commission's proposal should not be finalized in its current form," the groups — which include the Chamber of Commerce, the American Gas Association and USTelecom — wrote in the letter. Other groups that have separately filed critical comments with the SEC include the National Retail Federation and the National Association of Manufacturers.

Within tech, groups including the Information Technology Industry Council — which counts many of the largest tech companies as members — and the Internet Security Alliance each filed detailed criticisms of the proposed SEC rules. Both groups said the SEC proposal would lead to highly problematic public disclosure of vulnerability details prior to those vulnerabilities being fixed, which would only heighten cybersecurity risks for everyone. The proposed SEC regulations "will likely assist attackers more than investors," the Internet Security Alliance wrote.

Sen. Rob Portman wrote in comments submitted to the SEC that the agency should reconsider or “revise substantially” its proposal. Congress has intended the Critical Infrastructure Act to be “the primary mechanism for companies to report cyber incidents,” Portman, who co-authored the act, wrote.

The SEC did not respond to a request for comment.

Groups that have expressed support for the SEC proposal include Principles for Responsible Investment and Better Markets, the latter of which wrote to the SEC that its proposed rules "will better inform investors of the cybersecurity risks posed to companies."

The SEC’s rules differ from CISA's. Photo: Al Drago/Bloomberg via Getty Images

A bipartisan group of seven senators — Mark Warner, Ron Wyden, Jack Reed, Catherine Cortez Masto, Kevin Cramer, Angus King and Susan Collins — also expressed support. Among the benefits of the SEC proposal is that it provides "powerful incentives for public companies to bolster cybersecurity," the senators wrote.

The proposed regulations are now listed as being in the "final rule stage," and while the SEC declined to comment on the status of the rules, the agency's website indicates that "final action" on the proposal will be taken by April 2023.

A compromise between the supporters and opponents of the SEC proposal might be possible: one in which companies are still required to report major cyber incidents, but the reports are not disclosed publicly until the issues have been mitigated, Rapid7's Geiger said. "But I'm not confident that's going to occur because so much of the dialogue has been black or white: full transparency, or not having the [requirements] at all," he said.

Besides the SEC and CISA, nearly two dozen other federal agencies have their own proposed or finalized requirements around the reporting of cyber incidents, according to a tally by R Street. Plus, new ones keep surfacing at the federal level, while many U.S. states have breach-reporting requirements as well.

"I think that the government would even admit that there are a lot of challenges around the patchwork of cyber incident reporting requirements that are being imposed on industry," said Bill Wright, senior director for North American government affairs at Splunk, and former staff director for the Senate homeland security committee.

Indeed, Congress has taken notice. The March critical infrastructure bill also created a new council under the Department of Homeland Security, which is charged with harmonizing the different incident reporting requirements at the federal level. The Cyber Incident Reporting Council had its first meeting in late July.

The committee does include a member from the SEC, as well as representatives from the FBI and numerous other federal agencies and departments. DHS is also the parent agency of CISA.

CISA's leadership has also called this harmonization effort a top priority. It's "incumbent upon us to work out an agreement with [those] other federal agencies so that information would flow from them to CISA," said Brandon Wales, the agency's executive director, during a recent webinar.

On the whole, CISA is focused on "not overly burdening the private sector" around incident reporting, Easterly said during a panel at the RSA Conference in June. The agency wants to avoid making things worse for businesses "when they're trying to deal with an incident under duress," she said.

The Easterly effect

Appointed as director of CISA just over a year ago, Easterly has won praise from many in the cybersecurity community for her efforts to engage. Along with speaking on two panels at RSA, Easterly spent time on the show floor, chatting with visitors at the CISA booth and handing out autographed Rubik's cubes.

Easterly came to the role from a background in both the government and private sector. Prior to CISA, she ran Morgan Stanley's cyber threat response center. In the Obama administration, she held roles at the NSA and National Security Council, including as senior director for counterterrorism.

Cybersecurity executives say that the launch of the Joint Cyber Defense Collaborative shortly after the start of Easterly’s tenure has been instrumental in improving relations between the public and private sectors. The group brings together 21 major cybersecurity vendors with the FBI, NSA, DOJ, DOD and other federal agencies.

The trust has grown as the JCDC participants have spent more time with each other, said Splunk's Wright. "And along with the trust, I think that you move a little closer, you do a little bit more."

Easterly has done an "amazing" job at expanding the information sharing from the government to the private sector, said William MacMillan, a senior vice president at Salesforce and formerly the CISO for the CIA.

"There's a really broad recognition nowadays that the government has really helped close that gap," MacMillan said. "They're clearing information [for distribution] that's actionable and useful."

For instance, with the disclosure of the critical Log4Shell vulnerability in December 2021, CISA rapidly distributed practical information for defenders, said Wendi Whitmore, senior vice president in Palo Alto Networks' Unit 42 organization.

In her two decades in the field, “I haven’t seen this level of information sharing before between public and private partners,” said Whitmore, who is also a member of the Cyber Safety Review Board.

Still, looking ahead, CISA will "have to walk a tough line" as the agency transitions from just being a partner with private industry into being a regulator of it, said Dragos' Miller, who previously served as associate director at electricity regulator NERC.

Finding the balance

Wales, the CISA executive director, said in a statement provided to Protocol that the agency will focus on striking the right balance while implementing the legislation. "We will balance the need for information to be shared quickly, letting victims respond to an attack without imposing onerous requirements, and getting accurate information that enables CISA to protect the broader cyber ecosystem," he said.

The agency plans to issue a public request for information and host a series of "listening sessions" later this year to solicit feedback from industry, Wales said in the statement.

Among the concerns, at least for the security community, is that the incident reporting regulations may not be finalized for another three years.

Given how quickly things change in the world of cybersecurity — and the fact that better visibility on cyber threats is needed as soon as possible — "that is a really long time frame," said Chris Hallenbeck, CISO for the Americas at cybersecurity vendor Tanium. CISA might want to explore shortening that timeline, since the security payoff could be significant, said Hallenbeck, formerly the chief of operations for the U.S. Computer Emergency Readiness Team.

Tim Eades, CEO of cybersecurity vendor vArmour, said the lengthy time frame also raises the risk that changes in leadership in Congress or the White House could throw a wrench into the incident reporting initiative. To help reduce that risk, he suggested, CISA could look at rolling out the requirements gradually, in stages.

This would also help ensure that critical infrastructure providers are aligned and going in the right direction, Eades said.

Not that he, or anyone else in the security industry who spoke to Protocol, doubts that CISA will ultimately do a solid job implementing the regulations.

"We've heard this a lot from the government over the years: 'How can we collaborate better?' That's been a pretty consistent theme," said Juniper Networks’ Simonis, who's had a two-decade career in information security. But "CISA seems to be able to bring that collaborative spirit to life in a way that other agencies didn't quite accomplish.”


Steel decided World War II. Chips will decide whatever is next.

“Chip War: The Fight for the World’s Most Critical Technology” foreshadows the coming battle between nations over semiconductors.

“Chip War” outlines the nature of the coming battle over semiconductors, showing how the power to produce leading-edge chips fell into the hands of just five companies.

Image: Scribner; Protocol

“World War II was decided by steel and aluminum, and followed shortly thereafter by the Cold War, which was defined by atomic weapons,” Chris Miller, a professor at Tufts University’s Fletcher School of Law and Diplomacy, writes in the introduction to his latest book. So what’s next? According to Miller, the next era, including the rivalry between the U.S. and China, is all about computing power.

That tech rivalry and the story of how the chip industry got from four to 11.8 billion transistors are all part of Miller’s book, “Chip War: The Fight for the World’s Most Critical Technology,” which comes out Oct. 4. “Chip War” outlines the nature of the coming battle over semiconductors, showing how the power to produce leading-edge chips fell into the hands of just five companies: three from the U.S., one from Japan, and one from the Netherlands.

Keep Reading Show less
Hirsh Chitkara

Hirsh Chitkara ( @HirshChitkara) is a reporter at Protocol focused on the intersection of politics, technology and society. Before joining Protocol, he helped write a daily newsletter at Insider that covered all things Big Tech. He's based in New York and can be reached at hchitkara@protocol.com.

Sponsored Content

Great products are built on strong patents

Experts say robust intellectual property protection is essential to ensure the long-term R&D required to innovate and maintain America's technology leadership.

Every great tech product that you rely on each day, from the smartphone in your pocket to your music streaming service and navigational system in the car, shares one important thing: part of its innovative design is protected by intellectual property (IP) laws.

From 5G to artificial intelligence, IP protection offers a powerful incentive for researchers to create ground-breaking products, and governmental leaders say its protection is an essential part of maintaining US technology leadership. To quote Secretary of Commerce Gina Raimondo: "intellectual property protection is vital for American innovation and entrepreneurship.”

Keep Reading Show less
James Daly
James Daly has a deep knowledge of creating brand voice identity, including understanding various audiences and targeting messaging accordingly. He enjoys commissioning, editing, writing, and business development, particularly in launching new ventures and building passionate audiences. Daly has led teams large and small to multiple awards and quantifiable success through a strategy built on teamwork, passion, fact-checking, intelligence, analytics, and audience growth while meeting budget goals and production deadlines in fast-paced environments. Daly is the Editorial Director of 2030 Media and a contributor at Wired.

Musk’s texts reveal what tech’s most powerful people really want

From Jack Dorsey to Joe Rogan, Musk’s texts are chock-full of überpowerful people, bending a knee to Twitter’s once and (still maybe?) future king.

“Maybe Oprah would be interested in joining the Twitter board if my bid succeeds,” one text reads.

Photo illustration: Patrick Pleul/picture alliance via Getty Images; Protocol

Elon Musk’s text inbox is a rarefied space. It’s a place where tech’s wealthiest casually commit to spending billions of dollars with little more than a thumbs-up emoji and trade tips on how to rewrite the rules for how hundreds of millions of people around the world communicate.

Now, Musk’s ongoing legal battle with Twitter is giving the rest of us a fleeting glimpse into that world. The collection of Musk’s private texts that was made public this week is chock-full of tech power brokers. While the messages are meant to reveal something about Musk’s motivations — and they do — they also say a lot about how things get done and deals get made among some of the most powerful people in the world.

Keep Reading Show less
Issie Lapowsky

Issie Lapowsky ( @issielapowsky) is Protocol's chief correspondent, covering the intersection of technology, politics, and national affairs. She also oversees Protocol's fellowship program. Previously, she was a senior writer at Wired, where she covered the 2016 election and the Facebook beat in its aftermath. Prior to that, Issie worked as a staff writer for Inc. magazine, writing about small business and entrepreneurship. She has also worked as an on-air contributor for CBS News and taught a graduate-level course at New York University's Center for Publishing on how tech giants have affected publishing.


Circle’s CEO: This is not the time to ‘go crazy’

Jeremy Allaire is leading the stablecoin powerhouse in a time of heightened regulation.

“It’s a complex environment. So every CEO and every board has to be a little bit cautious, because there’s a lot of uncertainty,” Circle CEO Jeremy Allaire told Protocol at Converge22.

Photo: Circle

Sitting solo on a San Francisco stage, Circle CEO Jeremy Allaire asked tennis superstar Serena Williams what it’s like to face “unrelenting skepticism.”

“What do you do when someone says you can’t do this?” Allaire asked the athlete turned VC, who was beaming into Circle’s Converge22 convention by video.

Keep Reading Show less
Benjamin Pimentel

Benjamin Pimentel ( @benpimentel) covers crypto and fintech from San Francisco. He has reported on many of the biggest tech stories over the past 20 years for the San Francisco Chronicle, Dow Jones MarketWatch and Business Insider, from the dot-com crash, the rise of cloud computing, social networking and AI to the impact of the Great Recession and the COVID crisis on Silicon Valley and beyond. He can be reached at bpimentel@protocol.com or via Google Voice at (925) 307-9342.


Is Salesforce still a growth company? Investors are skeptical

Salesforce is betting that customer data platform Genie and new Slack features can push the company to $50 billion in revenue by 2026. But investors are skeptical about the company’s ability to deliver.

Photo: Marlena Sloss/Bloomberg via Getty Images

Salesforce has long been enterprise tech’s golden child. The company said everything customers wanted to hear and did everything investors wanted to see: It produced robust, consistent growth from groundbreaking products combined with an aggressive M&A strategy and a cherished culture, all operating under the helm of a bombastic, but respected, CEO and team of well-coiffed executives.

Dreamforce is the embodiment of that success. Every year, alongside frustrating San Francisco residents, the over-the-top celebration serves as a battle cry to the enterprise software industry, reminding everyone that Marc Benioff’s mighty fiefdom is poised to expand even deeper into your corporate IT stack.

Keep Reading Show less
Joe Williams

Joe Williams is a writer-at-large at Protocol. He previously covered enterprise software for Protocol, Bloomberg and Business Insider. Joe can be reached at JoeWilliams@Protocol.com. To share information confidentially, he can also be contacted on a non-work device via Signal (+1-309-265-6120) or JPW53189@protonmail.com.

Latest Stories