The move toward collaboration is being driven, in large part, by the allocation of federal funds for cybersecurity and broadband. Within cyber, discussion at NASCIO centered on responding to the Infrastructure Investment and Jobs Act (IIJA) grants, with 80 percent of the funds to be spent on local governments.
Cybersecurity collaboration with locals is commonly referred to as a “whole-of-state” approach to cybersecurity. GovTech*did an article last year on how this is playing out, highlighting efforts in New York, Virginia, Colorado and North Carolina.
The facet of state/local collaboration I find most intriguing in this context is the trend toward requiring local governments to report cyber incidents to the state. Georgia got this legislation in 2021 (House Bill 156). The other strategies around whole-of-state are all opt-in, meaning that a local jurisdiction can decide to opt in to some state-provided resources. The new incident notification laws require local governments to interact with the state around their cyber incidents.
Note to the reader: Before you join me for a 2,000-word deep dive here, I’ll give you a heads up that this is a specialized issue. You might care about it if you are participating in this eco system; that is, if you work in IT or cybersecurity for a state government or a local government, or you work for a supplier of managed services for state or local governments. If that’s not you (or you just don’t have the patience or time for 2,000 words), you could skip ahead to the “problems and predictions” section at the end.
What sparked my interest in this topic was a discussion with some colleagues about contract provisions for third parties. We were looking at our state law on notification and figuring out how to include it as a contract requirement for suppliers. I wondered what other states were doing, how suppliers were handling it, and whether these notification laws were effective or not. My main conclusion: It is too soon to tell.
What Is Happening Across the States with Respect to Notification
A lot of legislation around cyber incident notification have been passed by state legislatures in the last few years. The National Conference of State Legislatures (NCSL) does a fantastic job of tracking state legislation on “hot” topics and has been tracking cybersecurity legislation for years. They also track failed bills, which can offer as much insight into trends as tracking bills that are enacted.
I skimmed through cyber legislation that passed in 2021 and 2022 and at least touched on notification. I also looked back at 2020 and 2019 and found that while some bills in those years included notification provisions, they focused on data breaches and consumers or requiring insurance carriers to notify the state insurance office. In other words, the emphasis was on consumer data breach events.
I looked at 11 enacted bills from 10 states: Florida, Georgia, Indiana, Iowa, Maryland, New Hampshire, New York, North Dakota, Virginia and West Virginia. I also searched for media coverage, hoping to learn more about the problems each bill was trying to solve. The questions I wanted to answer for each were, in the case of a cyber incident:
- Who is required to notify?
- Who gets notified?
- How is this funded?
- How fast does the notification need to happen?
- What happens after the notification?
I ended up building a spreadsheet; I’ll spare you that here, as it is complicated and messy. Instead, I’ll summarize the similarities and differences between the bills.
Also, I’ll touch on the federal Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) and a handful of other federal incident reporting requirements that have come mainly through rulemaking by regulatory agencies.
The Trends I'm Seeing
The biggest trend is that there is no big trend.
Most of the bills address several cybersecurity problems where notification is just one aspect. Notification doesn’t appear to be complicated enough to lead states to use other states’ bills as templates, which might then lead to de facto standardization. Rather, there is a lot of variation from state to state in how detailed and how prescriptive the laws are.
Who Must Notify?
At a minimum, everyone is requiring state agencies to notify the state CIO’s office or the emergency management agency. Like a lot of things in government at the state level, there are some carve outs for agencies that have a special status (e.g., led by a statewide elected official). There are six states in my pool of 10 that also require local governments to notify about cyber incidents: Georgia, Maryland, New Hampshire, North Dakota, Virginia, West Virginia.
Who Gets Notified?
Mainly it is the emergency management agency, the state CIO’s office, or a combination of the two. Of the 10 states, five require notifying the state CIO’s office (or a dedicated security office under the state CIO’s office). Three require notifying the emergency management agency. For two of the three states using their emergency management agency as the point of contact, the EMA is directed to share the reports with the state CIO’s office.
How Is This Funded?
Funding streams are difficult to determine from just reading the bills. With the exception of Florida, which in parallel created a new agency dedicated to cybersecurity, none of the bills explicitly allocate or direct funds to be spent on notification. However, since the agencies implementing the laws are existing functions with operating budgets, funding might be handled elsewhere in the budget process. What I don’t see anywhere is direct assistance for the locals.
How Soon Is Notification Required?
This element ended up being the most varied across the states, ranging from immediately to 10 days.
Some states delegate the determination of the time limit to the agency that will receive the notifications. Some states have different times for specific types of events (ransomware) or high-severity events.
Georgia includes power utilities in its notification law and ties the notification time to federal requirements: “Within two hours of making such report to the United States government or any agency thereof, the agency provides substantially the same information to the director of emergency management and homeland security.”
Where times were provided, they were clustered at the low end of the range — immediately, 24 hours, 48 hours, two business days. For comparison, the federal CIRCIA requires its covered entities to report incidents within 72 hours and ransomware payments within 24 hours.
What Happens After Notification?
Most of the bills are silent about what is done with the information; a few also contemplate creating regular reports of all cyber incidents. There are also only a few tangential mentions of incident notification from third-party suppliers.
New Hampshire’s law is the only one with a clear expectation of third parties participating in incident notification.
What About the Feds?
The federal Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed in March of 2022. It focuses on critical infrastructure owners and operators — it isn’t directly applicable to how states are interacting with local governments but does provide another comparison point. One caveat: There is still a lot of rulemaking to be done on CIRCIA to work out the details of implementation. Until the final rule is published, CIRCIA reporting is voluntary. CIRCIA sets the notification time at 72 hours for security incidents and 24 hours for ransomware payments.
The Washington Postdid a nice overview on July 27 of some of the incident reporting requirements that are being set by regulatory agencies through rulemaking. The National Credit Union Administration published a proposed rule in July of 2022 that would require credit unions to notify within 72 hours. The Transportation Security Administration requires pipeline operators and certain rail operators to notify within 24 hours. The Office of the Comptroller of the Currency, Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation teamed up to set a 36-hour reporting requirement on banks. The Securities and Exchange Commission proposed rules this spring that would set a four-day reporting requirement. The Federal Communications Commission is also considering updating its rules for notification.
What Are The Bad Guys Doing?
While states are trying to improve their cyber posture, the threat actors aren’t standing still either. They are also changing their tactics or doubling down on tactics that are working. The annual Data Breach Investigations Report (DBIR), published in May, notes some significant shifts in motives and attack types that impact state and local government.
For the reader not familiar, the DBIR is an annual industry report published by Verizon with contributions from dozens of other organizations. The DBIR analyzes thousands of security incidents from the previous year, looking for ways the motives are changing, how attackers are getting in and what they do when they get in.
The 2022 edition analyzed 23,896 security incidents, of which 5,212 were confirmed data breaches. The report offers analysis by sector, citing 2,792 public-sector incidents, 537 with data breaches. The time frame for the events being analyzed was Nov. 1, 2020, to Oct. 31, 2021.
The DBIR isn’t a comprehensive list of incidents, just a large representative sample provided by partners who participate in creating the report. Four findings this year seem especially relevant to this discussion about incident notification and whole-of-state security:
A new motive for attacks on public-sector organizations. If you go back a couple of years in the DBIR reports, you’ll see that espionage is the No. 1 motive for attacks, accounting for 44 percent of the breaches in 2018 and 66 percent of the breaches in 2019. Financially motivated attacks represented about a third of the breaches. Those motives have flip-flopped. The espionage motive dropped to 4 percent in 2021 and climbed back to 18 percent in 2022. Meanwhile, the financial motive has risen steadily, peaking in 2021 at 96 percent (see Table 1).
My opinion: This is bad news for local governments. Espionage is the business of nation-states, and while nation-state agendas are inscrutable, we can imagine that if espionage is the goal, a local sheriff’s office may not be an interesting target. If a threat actor’s motive is financial, then that same sheriff’s office might now be an attractive payday.
Ransomware is still a popular attack, coming in third this year behind stolen credentials and “other.” Ransomware increased by 13 percent over the last year to be the attack type in 25 percent of breaches. It’s worth noting that “other” is a little misleading in the No. 2 spot because it includes everything in the long tail of attack types that aren’t numerous enough on their own to be a named category.
Discovery time is getting shorter. Typically this measure — the amount of time a threat actor can stay undiscovered in a victim’s network — is measured in months. One of the points mentioned in every discussion about reporting time requirements is the long discovery times: Does an extra day to produce a more complete incident report really cost you anything when an attacker has been in your network for several months? Discovery time isn’t getting shorter because we are all getting better at detecting threat actors. Rather, more than 50 percent of breaches are now discovered by actor disclosure — a ransomware note or public announcement. There are two tracks here: discovery times measured in months for attacks where the attacker has motives that involve staying hidden and discovery times measured in days or weeks for attacks that have a financial motive. Some of the incident notification bills treat ransomware as a separate category of attack, always with shorter notification time requirements.
Supply chain attacks are becoming more prevalent and can impact many organizations. Here I’m using the DBIR definition of supply chain breach: a vendor, partner or supplier has a breach involving data owned by a downstream organization. Supply chain was responsible for 62 percent of system intrusion incidents this year (3,403 incidents). Overall, supply chain was 9 percent of the total incidents the DBIR analyzed and 0.6 percent of the breaches. Except for one state, all of the legislation I looked at is silent on reporting requirements for suppliers. That in itself isn’t a problem, as the local governments that are required to report will need to make this kind of pass-through notification part of their contracts going forward. However, in my experience, it is a lot easier to get a supplier to agree to something if you can point at an unambiguous law.
A Few Problems and a Few Predictions
I set out to find out the best practices in cyber incident notification between state and local governments. Though I learned a lot about what is happening, I didn’t answer that question. I’ll leave you with a few of the problems I see in the current approaches and a few predictions.
I expect more legislation is coming. If you’ll recall, six states include local government (or other non-state entities) to participate in incident notification. I think requiring state agencies to report incidents centrally is becoming “table stakes” and every state will require that. Another trend in state cybersecurity is the creation of state task forces to oversee cybersecurity. At this point, there are at least 30 such task forces. As these task forces mature, they will seek more data about what is happening on the ground and perhaps get more involved in incident response, in turn driving more reporting requirements. Some of that might be done through rulemaking or executive order, but I expect that anything with broader scope than the executive branch will require legislation. Almost all of the state laws and the federal rules I looked at set the notification times in hours (e.g. 24 hours, 36 hours, 72 hours) or just said "immediately."
No one is publishing data yet about how incidents are being reported. Results of the various laws are anecdotal at this point; it is too soon to tell how effective they are. GovTechdid a story on this in June 2022, focusing on Indiana and North Dakota. Indiana is notable in its outreach — the state has visited about half of the counties (as of May 2022) to communicate about the law, and they’ve received 175 incident reports.
What’s expected of the recipient isn’t clear. None of the legislation paints a clear picture of the responsibility of the party receiving the report (the state CIO’s office or the emergency management agency). I can imagine several types of responses that would aid the local government, but all of them require resources on hand or money.
The federal Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) won’t preempt what the states are doing. The focus of CIRCIA is critical infrastructure. The same can be said for the other federal agencies using rulemaking to establish incident notification requirements — they are all focused on specific groups (e.g., banks, pipeline operators, telecom carriers).
The supply chain isn’t being addressed. Log4j and SolarWinds are recent examples of the kind of trouble you can inherit from an upstream technology provider. As noted in the section on the DBIR, almost 10 percent of last year’s confirmed breaches were categorized as a supply chain problem. A more practical problem is the difference between a supplier disclosing an incident and notifying you. My experience is that the supplier preference is to publish a notification on their website and perhaps some social media channels and put the responsibility to discover the incident on the customer.
IIJA grants are an opportunity. The Infrastructure Investment and Jobs Act has allocated $1 billion for cybersecurity, with 80 percent of that being spent on local government. While states are waiting on detailed guidance from the feds, they are trying to figure out how to package up services that are easy to implement for local governments. Incident response seems like a possibility if it can be framed in a way that passes scrutiny with the grant monitors.
For the readers that are still with me: Do you think required cyber incident notification, at the state or federal level, is going to lead to better security outcomes? If yes, why do you think that?
Editor's note: This piece was lightly edited for clarity.
*Government Technology is a sister site to Governing. Both are divisions of e.Republic. This article was republished with the author's permission. Read the original article here. Governing’s opinion columns reflect the views of their authors and not necessarily those of Governing’s editors or management.