China has implemented regulations for 1-hour reporting of severe cybersecurity incidents. This would include disruptions that impact over 50% of the people in a province or 10 million people, such as critical infrastructure attacks.
The irony is that China is recognized for its advanced and aggressive foreign cyber operations. But there is brilliance in this requirement. China has an excellent perspective in how such attacks can be used to disrupt adversaries and push foreign policy. It doesn’t want to suffer in ways that other nations might and therefore is improving its response and recovery capabilities.
In contrast, when the US SEC required public companies to report material outages within 4 days beginning in 2025, there was upheaval with some cybersecurity leaders, stating that it was impossible or at the very least irresponsible. They lobbied Congress to repeal the requirements. Since the regulation took effect, no major issues have arisen from the 4-day requirement.
The vast majority of US critical infrastructure is operated by private industry and concealing cybersecurity compromises only benefits the attackers.
The Cybersecurity and Infrastructure Security Agency (CISA) is also looking to update rules specifically for US critical infrastructure, mandating a 72-hour notification, but the final rule may not be published until mid-2026.
China knows something and realizes the importance of early reporting. Even the most aggressive US reporting proposals falls far short of the 1-hour requirement in China.
I hope my peers will remain calm, realize the necessity, and support early notification in the US.
Comments