
USA: Future of cybersecurity law and regulation

In today's digital economy, nearly every organization, whatever the industry, is reliant on digital infrastructure and internet connectivity. As a result, organizations are constantly vulnerable to cyberattacks such as phishing, fraud, and ransomware, and struggle to achieve adequate levels of cybersecurity preparedness and resiliency in the face of emerging threats. At the same time, many organizations are subject to existing regulatory requirements to safeguard private, health, financial, and other protected information from cyberattacks.  

In the face of these rapidly evolving cybersecurity risks, laws and regulations seek to anticipate how best to protect the public but often lag behind technology innovation and the threat landscape (e.g., the proliferation of powerful artificial intelligence [AI] applications). Indeed, state and federal regulations mandating cybersecurity safeguards and breach reporting remain, in significant ways, a patchwork of differing and disjointed requirements. Existing laws may also lack incentives for robust compliance or for voluntary and timely threat information sharing and coordination, leaving entities more vulnerable to compromise, including through their supply chains. These trends will continue to shape how regulators approach harmonizing policy with respect to protecting critical infrastructure, promoting public-private cooperation, and strengthening cybersecurity resiliency and preparedness up and down the business supply chain, as well as how effective those efforts turn out to be. Alaap Shah and Brian G. Cesaratto, from Epstein Becker & Green, P.C., evaluate the current regulatory landscape surrounding cybersecurity and how it may evolve.


Protection of critical infrastructure  

The US Federal Government will continue to work towards regulation of entities in the sixteen critical infrastructure sectors as a matter of national security policy. A key driver of this regulation is the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), signed into law by President Biden in March 2022, which establishes two key reporting requirements for 'covered entities' in the critical infrastructure sectors defined in Presidential Policy Directive 21 (PPD-21). CIRCIA requires reporting of 'covered cyber incidents' to the Cybersecurity & Infrastructure Security Agency (CISA) within 72 hours after a covered entity reasonably believes that such an incident has occurred. CIRCIA also requires covered entities to report a ransom payment made as a result of a ransomware attack within 24 hours of making the payment. CIRCIA offers significant safeguards tied to report submissions, including liability protections for entities that comply with the law and the final rule, a prohibition on federal and state governments using submitted reports to regulate the reporting entity, and treatment of reported information as proprietary and exempt from disclosure laws.

While CIRCIA establishes certain minimum statutory requirements, it requires CISA to develop and implement regulations that further define key terms, flesh out specific reporting content and formats, and clarify enforcement mechanisms. CIRCIA also directs CISA to coordinate with sector-specific agencies to develop harmonized regulations[1]. CIRCIA requires CISA to publish a Notice of Proposed Rulemaking (NPRM) within 24 months of enactment, that is, by March 2024. CISA Director Jen Easterly has commented that the NPRM drafting is in process, with publication likely in early 2024. Thereafter, CIRCIA requires CISA to issue a Final Rule within 18 months of the NPRM. Once the Final Rule takes effect, compliance requirements for covered entities in critical infrastructure sectors relating to threat information sharing with, coordination with, and oversight by CISA will likely expand dramatically.

Harmonization of divergent security safeguard and breach notification requirements 

Entities will continue to grapple with a patchwork of state and federal regulations of cybersecurity safeguards and breach reporting unless and until the US Federal Government successfully harmonizes such requirements.   

Currently, all US states and several US territories have enacted their own breach notification laws and regulations (see the National Conference of State Legislatures' compilation, Security Breach Notification Laws). These state laws differ significantly in their definition of personal or private information, what constitutes a breach, what triggers a notification requirement, notification timelines, the information that must be disclosed, and to whom. Additionally, several sector-specific federal breach notification standards exist (see the US Department of Homeland Security's [DHS] report, Harmonization of Cyber Incident Reporting to the Federal Government). This legal landscape creates a complex web of compliance requirements that may diverge, overlap, or conflict. This fragmentation arguably places a substantial burden on businesses, increases compliance costs, and creates potential legal pitfalls.

Proponents of federal harmonization of breach notification requirements contend that the lack of uniformity hampers the effectiveness of overall data breach response and of sector coordination to reduce cyber risk. The US Federal Government has historically attempted, unsuccessfully, to harmonize breach reporting (e.g., see the National Technology Security Coalition's National Data Breach Notification Legislation Framework), and federal lawmakers continue to introduce harmonization legislation year after year. Following the White House's issuance of the National Cybersecurity Strategy Implementation Plan, the DHS issued the report mentioned above to Congress in September 2023, calling for the harmonization of cyber incident reporting across the Federal Government. These efforts may serve as a catalyst over time for broader harmonization across the states as well. The DHS report offers eight harmonization recommendations:

  • adopt a model definition of 'reportable cyber incident,' applicable to multiple sectors; 
  • adopt a model for reporting timelines and triggers; 
  • allow for delayed notifications where delay is warranted when such notification poses a significant risk to critical infrastructure, national security, public safety, or an ongoing law enforcement investigation; 
  • adopt a model reporting form for cyber incident reports; 
  • assess how best to streamline the receipt and sharing of cyber incident reports and cyber incident information; 
  • ensure that cyber incident reporting requirements allow for updates and supplemental reports; 
  • adopt common terminology regarding cyber incident reporting; and 
  • improve processes for engaging with reporting entities following the initial report of a cyber incident. 

In addition to ongoing efforts to harmonize breach reporting, the White House's National Cybersecurity Strategy Implementation Plan also called for broader harmonization of other cybersecurity requirements. In response, the White House Office of the National Cyber Director (ONCD) issued a Request for Information (RFI) in August 2023 seeking public input, until October 31, 2023, on 'opportunities for and obstacles to harmonizing' cybersecurity regulation apart from notification. The RFI sought input on state, federal, and international laws establishing cybersecurity requirements, in an effort to identify a common set of updated baseline regulatory requirements that would apply across sectors, with a focus on critical infrastructure sectors and the expanded use of newer technologies such as cloud infrastructure. While the ONCD evaluates the input it receives and works towards an approach to policy harmonization, businesses will need to continue navigating the existing and evolving patchwork of state regulations on cybersecurity safeguards. Examples of evolving state regulation include the California Privacy Protection Agency's (CPPA) rulemaking on cybersecurity audits, risk assessments, and automated decision-making, and New York's proposed rules on hospital cybersecurity, among others[2].

Artificial intelligence 

As this rulemaking progresses, the threats will continue to evolve. AI will increasingly feature in both cyberattacks and the defensive efforts to thwart them. Hackers will use AI to craft persuasive phishing and spear phishing emails that avoid telltale giveaways such as spelling and grammatical errors (e.g., see Europol's ChatGPT - The impact of Large Language Models on Law Enforcement). Malicious actors will increasingly use AI to conduct reconnaissance on their targets, including, for example, individual executives and financial managers. Deepfake technology leveraging AI will present heightened risks. Hackers will use AI to write malware and design effective attacks, lowering the level of human expertise needed to join the hacking ranks.

On the defensive side, defenders will use AI to identify and filter potentially serious attacks and improve incident response efforts. The ever-expanding use of AI in service offerings will expand the attack surface and the corresponding need to secure those critical processes, including supporting cloud systems and APIs, against cyberattacks (e.g., see the CISA Roadmap for Artificial Intelligence, the Open Worldwide Application Security Project [OWASP] Top 10 for Large Language Model Applications, and the National Institute of Standards and Technology [NIST] Artificial Intelligence Risk Management Framework [AI RMF 1.0]). Prompt injection attacks on large language models to bypass safeguards will increasingly be a focus of hackers, with potentially dramatic consequences. We can expect that future regulations will require cybersecurity safeguards specifically for AI applications as a class of applications/services (e.g., see the Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, the CPPA Draft Cybersecurity Audit Regulations, the CPPA Draft Automated Decision-Making Technology Regulations, and the Cybersecurity of Artificial Intelligence in the AI Act). At present, however, existing domestic and international data privacy, cybersecurity, and criminal laws and regulations (including the Gramm-Leach-Bliley Act and HIPAA, among many others) remain in place, now read against a heightened awareness of the cybersecurity and data privacy risks of AI.

Application supply chain attacks 

Software supply chain attacks occur when a threat actor infiltrates a software vendor's network and inserts malicious code into the software before the vendor ships it to customers, as in the SolarWinds compromise. Together with widely exploited vulnerabilities in third-party software such as Log4j and MOVEit, which exposed every organization that depended on those components, supply chain risk will continue to be a focus of public and regulatory attention. In April 2021, CISA and NIST jointly published a resource, Defending Against Software Supply Chain Attacks, as part of their ongoing efforts to promote awareness of and help organizations defend against supply chain risks. The publication provides recommendations for software customers and vendors, as well as key steps for prevention, mitigation, and resilience against software supply chain attacks. In May 2021, the White House issued an Executive Order on Improving the Nation's Cybersecurity that specifically addressed the safeguards necessary to secure the Federal Government's software supply chain.

On October 30, 2023, the US Securities and Exchange Commission (SEC) charged SolarWinds and its Chief Information Security Officer (CISO) with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities. The SEC alleged that the CISO was aware of the cybersecurity risks and vulnerabilities but failed to resolve the issues or, at times, sufficiently raise them further within the company. As a result of these lapses, the company allegedly could not provide reasonable assurances that its most valuable assets, including its flagship Orion software product used by thousands of organizations, were adequately protected.

In November 2023, CISA and the National Security Agency (NSA) published further guidance on securing the software supply chain through the use of a Software Bill of Materials (SBOM). We can expect that the evolving risks to supply chain software and the increasing use of AI in those applications will converge, resulting in an increased focus by state, federal, and international regulators on supply chain cybersecurity in the near future, both under anticipated new rules and existing standards.

Conclusion 

While the specifics of future policy are uncertain, it is very likely that in the near future policymakers will continue to seek to anticipate and address evolving cyber risks, particularly around critical infrastructure, AI, supply chains, and corporate governance.  

Alaap Shah, Member of the Firm
[email protected]
Brian G. Cesaratto, Member of the Firm
[email protected]
Epstein Becker & Green, P.C., Washington, DC


[1] The US Department of Health and Human Services (HHS), through its Administration for Strategic Preparedness & Response (ASPR), is currently the designated sector-specific agency for the Healthcare and Public Health sector for purposes of cybersecurity, and provides support through the Technical Resources, Assistance Center, and Information Exchange (TRACIE).
[2] A reference to the proposed rules was published on December 6, 2023, in the New York State Register, but the rules themselves were only available through the New York Department of Health at the time of this publication.
