New Cybersecurity Incident Reporting Obligations for Communications Providers

Given ongoing geopolitical tensions and a variety of other factors, there has perhaps never been more focus on cybersecurity by government agencies and members of Congress than there is today. With new threats surfacing every day, Congress last week passed the Cyber Incident Reporting for Critical Infrastructure Act, which places stricter cybersecurity incident reporting obligations on communications service providers and other critical infrastructure operators. This is likely just the beginning of federal officials’ work with the private sector on notifying the government of malicious cyber intrusions.

While we are still reviewing the law, which President Biden signed this week, our work shows it could affect NTCA members in the following ways:

  • Certain cybersecurity breaches would need to be reported to the government within 72 hours.
  • For the first time, the Cybersecurity and Infrastructure Security Agency (CISA), which has never before been a rulemaking body, would need to develop regulations for incident reporting by critical infrastructure providers, including communications companies.
  • The legislation also requires ransom payments to be reported no later than 24 hours after the payment is made.
  • Under the act, CISA may also subpoena a covered entity to produce information if it experienced a cyber incident and/or made a ransomware payment but failed to report it. 

At the same time, the FCC and other federal agencies are considering potential new cybersecurity requirements, and there are calls to include a company’s cybersecurity maturity (based on the NIST framework) as a factor to be considered in awarding broadband grants.

As always, we are working hard to make sure that any new cybersecurity requirements for NTCA members are implemented in a manner befitting small business broadband providers. We worked with drafters of the new cybersecurity law to narrow its application to reporting significant cyber intrusions, as opposed to mere attempts to compromise a network, and will continue to monitor its implementation. Moreover, even as some of these efforts will likely move quickly, there is still a lot of work and process ahead before many of these requirements become a reality, and there is time and opportunity to define their scope. CISA will be seeking comment soon on how to implement the new law within the timeframes established by Congress, and NTCA will be advocating for measures and program definitions that balance the growing need for robust cybersecurity measures with the realities of managing risk reasonably and operating as small businesses. Similarly, NTCA will be working actively with industry partners to try to shape any new rules that come out of the FCC and efforts to update the NIST Framework.
 
In the meantime, NTCA already provides several ways to improve your cyber posture, including a sector-specific guide to the NIST framework and the NTCA Cybersecurity Series, which consists of four components designed to help telco executives, board officers and operational staff develop a risk-management approach to cybersecurity. And, of course, we strongly encourage you to join CyberShare – a strong, trusted collaboration between small broadband providers, industry and government, and a single source of public and non-public cyber information to help you protect your network and systems.