NJOHSP Aims to Respond More Quickly to Incidents
According to New Jersey CISO Michael Geraghty, who’s also director of the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC), a division of NJOHSP, the legislation is meant to help organizations respond promptly to cybersecurity threats, not punish them for late reporting.
“It’s not punitive in any way if you don’t report in 72 hours. We’re not going to hit you over the head with anything,” Geraghty says. “It’s really that idea of a neighborhood watch. We want to share information with our cyber neighbors so they can protect themselves.”
With prompt reporting, New Jersey cybersecurity officials should be better positioned to help organizations respond to attacks quickly and stamp out attacks before they spread. Geraghty notes that even if organizations don’t have all the details when they alert the NJOHSP, a timely report can keep an attack from growing, and organizations can always follow up later with more details as they become available.
“Local, county, K–12, state government: They’re all interconnected in some way,” Geraghty says. “If one organization has a cyber incident, it has the potential to impact others.”
Timely reporting should also help government organizations stay safe in the future, as NJCCIC will be able to share the techniques, tactics and protocols that attackers have used and the best practices to thwart them.
Without reporting requirements, Geraghty says it’s not possible to get enough data to accurately assess the threat landscape and identify overarching trends or changes. With all incidents being reported, the NJOHSP will better understand what kind of help is needed and where.
“We’ll never disclose who the victims are when sharing information. But what we can say is, ‘This email address is sending malicious emails’ or, ‘This IP address has attacked a number of school districts,’ so that other agencies can be on the lookout,” Geraghty says.
Incident Reporting Guidelines Aim for a Timely Response
According to Geraghty, the NJOHSP’s reporting guidelines are being finalized and should be released in the coming days. The guidelines aim to keep agencies from reporting benign incidents that were blocked or otherwise unsuccessful, as these kinds of reports take time and resources away from more important incidents.
“Everyone connected to the internet is subject to numerous probes, scans and attempts to exploit vulnerabilities. The vast majority of those attempts are benign,” Geraghty says. “We don’t want agencies to report on those. We don’t want the legislation to be a burden.”
New Jersey wants reports on events in which agencies reasonably believe the incident:
- May impact their ability to conduct daily business operations or provide core services
- Resulted in the loss of agency data, system availability, or control of informational or operational systems
- Indicates unauthorized access to or malicious software present on public information or operational technology systems
- Resulted in financial loss to the agency
- Had an impact or threatens to impact the health, welfare and safety of individuals
- Is part of an ongoing series of attacks by a threat actor that may have originally been thwarted but could result in any of the impacts listed above.
Agencies can file their cyber incident reports online at cyber.nj.gov.