09/08/2021

Corporate and public America has been the victim of more than its fair share of major cyber attacks in recent months – from the high profile ransomware attack on the Colonial Pipeline in May, to the hack targeting Kaseya (and ultimately spreading through thousands of corporate networks using its software) in July. Worryingly, an increasing number of these attacks have been targeting assets of national importance, such as the notorious attack on SolarWinds, through which hackers were able to spy on organisations including the Department of Homeland Security and the Treasury Department.

It has been suggested that one of the (admittedly many) reasons for the targeting of US institutions is the lack of a coherent regulatory framework. Whilst other parts of the developed world have already put in place, or are developing, enhanced regulatory frameworks that require important institutions to respond effectively to cyber attacks (and thereby encourage those institutions to invest more in cyber defences), the patchwork regulatory landscape in the US has not encouraged consistency in cyber capabilities across the board. This creates vulnerability gaps, or ‘weak links’, in the cyber chain that hackers are ready and willing to exploit.

It seems, though, that US politicians may have had enough. In a display of bipartisan effort, Democratic Senator Mark Warner and Republican Senators Marco Rubio and Susan Collins have tabled (as a bill) the Cyber Incident Notification Act of 2021 (CINA), pursuant to which federal agencies, government contractors and critical infrastructure owners and operators would be required to notify the US federal government within 24 hours of experiencing a cyber attack. Once notified, the intention is that the US government would then be able to mobilise to protect critical industries across the country. To incentivise information sharing, the proposal is that affected organisations would be granted limited immunity, and the US government would be required to implement data protection procedures to anonymise personal information and safeguard privacy.

While the CINA is the first proposed law of its kind in the US, it is not unique globally. Back in July 2016, the European Union issued its Directive (EU) 2016/1148 on Security of Network and Information Systems (NIS Directive). More recently, on 9 November 2020 Australia tabled the Security Legislation Amendment (Critical Infrastructure) Bill (2020) (the Critical Infrastructure Bill), which is still subject to review by the Parliamentary Joint Committee on Intelligence and Security (the Committee heard oral submissions from industry participants in July). Together, we refer to these three laws as the Critical Infrastructure Laws.

This article details some of the key obligations in the CINA, and looks at how these align with the requirements under the NIS Directive and the Critical Infrastructure Bill. The most important obligation in the CINA relates to the mandatory reporting of cyber incidents; we look at how the mandatory reporting obligations in the three Critical Infrastructure Laws compare, in addition to considering the more general mandatory data breach notification provisions under the Privacy Act 1988 (Cth) (the Privacy Act). To conclude, we provide some thoughts on why the CINA may be relevant to Australian companies, and set out the anticipated timeline for its passage.

Key Requirements under the Critical Infrastructure Laws

The following table sets out the key requirements under each of the Critical Infrastructure Laws. Note that the laws in Australia and the US are not yet settled and, therefore, the requirements may still change as a result of industry consultation or the legislative process.

Jurisdictions compared: Australia, EU, US

Requirements compared:
- Mandatory reporting of cyber incidents
- Government power to intervene in the event of serious cyber incidents
- Identifying and/or implementing a register of critical infrastructure assets or similar
- Enhanced cyber security obligations

(Per-jurisdiction markings from the original table are not reproduced.)

What the above table demonstrates, at a glance, is that whilst the Critical Infrastructure Laws all ultimately seek to achieve the same end (i.e. to improve the overall cyber security of the relevant nation with a focus on critical infrastructure assets), the scope of each law is quite different. The Australian law (as currently proposed) is by some distance the most far-reaching, with the US law adopting a relatively narrow focus on reporting of incidents only.

Mandatory Reporting Requirements under the Critical Infrastructure Laws

Whilst each of the Critical Infrastructure Laws approaches ensuring the cyber-security of critical infrastructure assets in different ways, they each contain a baseline requirement on affected organisations to notify relevant government authorities upon the occurrence of a cyber-attack.

The table below compares the mandatory reporting requirements in each of the Critical Infrastructure Laws. In Australia, organisations may separately be subject to mandatory data breach notification obligations under the Privacy Act, as well as under sector-specific laws and regulations. For completeness, the table below also summarises the key obligations under the Privacy Act notification scheme.

It is important to note that, in the context of the Critical Infrastructure Bill, the mandatory notification requirements (and, in particular, the timeframes within which notifications must be made) have been the subject of intense industry scrutiny and comment, with a number of organisations pushing for an extension of the timeframes to 72-plus hours. As a result of this industry feedback, it is possible that the requirements in the Critical Infrastructure Bill may change before they become law.

Who is required to report
- Australia: Responsible entities for critical infrastructure assets. ‘Responsible entities’ are sector-specific, but generally refer to the entity with ultimate control of the critical infrastructure asset.
- EU: Operators of essential services, being private businesses or public entities that provide a service which is essential for the maintenance of critical societal and economic activities.
- US: Federal agencies and ‘covered entities’. The definition of ‘covered entities’ remains unsettled, but at a minimum will include federal contractors and owners or operators of critical infrastructure assets.
- Privacy Act: Commonwealth Government agencies, and private sector organisations with annual turnover of greater than AUD3 million (with some exceptions for small businesses).

What should be reported
- Australia: “Critical” incidents that have a significant impact on the availability of a critical infrastructure asset; and other incidents likely to have any impact on the availability, integrity, reliability or confidentiality of a critical infrastructure asset.
- EU: Significant incidents that affect the continuity of essential services.
- US: A range of cyber-security incidents, e.g. those that result in demonstrable harm to national security interests, and ransomware attacks.
- Privacy Act: An ‘eligible data breach’, being a data breach which is likely to result in serious harm to an individual whose personal information is involved.

Timeframe within which incidents are to be reported
- Australia: Critical incidents: 12 hours. Other incidents: 24 hours.
- EU: Without undue delay.
- US: 24 hours.
- Privacy Act: As soon as practicable (unless the entity only suspects an eligible data breach, in which case an “expeditious” assessment is to be carried out within 30 days).

Who incidents should be reported to
- Australia: Australian Signals Directorate.
- EU: A competent authority / the computer security incident response team in each Member State.
- US: Cybersecurity and Infrastructure Security Agency.
- Privacy Act: Office of the Australian Information Commissioner and affected individuals.

What details must be provided
- Australia: A report regarding the incident (further details to be prescribed in future rules).
- EU: Member State-specific, but at a minimum must include information regarding the potential cross-border impact of the incident.
- US: Description of the intrusion and related activities (e.g. tactics used); information to identify the actor; contact details of the reporting entity; details of actions taken to mitigate the intrusion.
- Privacy Act: Reporting entity’s name and contact details; description of the data breach; kind(s) of personal information involved; recommended steps for affected individuals.

Maximum penalties for non-compliance
- Australia: 2 years imprisonment and/or a fine of AUD55,500 per breach (for a body corporate).
- EU: Member State-specific.
- US: 0.5% per day of the entity’s gross revenue from the prior year.
- Privacy Act: AUD2.22 million for serious or repeated offences (for a body corporate).

What next?

Whilst the CINA appears to have broad bipartisan support in the US Senate, it is still in its infancy and it is unlikely that a final version will make its way through the legislative process and into law this year.

However, a number of recent developments in the US indicate that this is a legislative priority for the Biden administration, and that the CINA may be pushed through more quickly than expected. On 28 July, the White House released a national security memorandum directing two federal agencies to develop and issue cybersecurity performance goals for critical infrastructure sectors. On the same day, President Biden issued an Executive Order aimed at preventing cyber-attacks on America’s critical infrastructure. Concurrent discussions within the Senate around how to better prevent and respond to ransomware attacks in the US, as well as the release of a joint cybersecurity advisory memo that highlights the top vulnerabilities exploited by malicious cyber actors, all demonstrate how important cyber readiness is to the national security of the US.

Why is this relevant to Australian organisations?

New developments such as these add to an already substantial, and increasingly complex, regulatory landscape that businesses need to comply with.

Any Australian businesses that operate in the US in the critical infrastructure sector (either as suppliers, subcontractors or owners and operators) will need to be aware of the requirements of the CINA, as will Australian businesses engaging with US-based suppliers or contractors who are subject to the obligations (and who may look to flow these down into the contractual arrangements with the Australian business).

What is apparent is that organisations that operate globally will increasingly find themselves faced with a matrix of different compliance obligations, potentially all triggered by a single event and each to a different standard. Addressing this may require organisations to adopt a “gold standard” approach to compliance.


Authors: Lesley Sutton, Nikhil Shah, Edward Zheng