Photo of John Webster Leslie

John Webster Leslie

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, critical infrastructure, national security, investigations, and data privacy matters.

Web provides strategic advice and counsel on cybersecurity preparedness, cyber and data security incidents, healthcare privacy and security, cross-border privacy law, and government investigations, and helps clients navigate complex policy matters related to cybersecurity, national security, and critical infrastructure protection.

In addition to his regular practice, Web also counsels pro bono clients on technology, immigration, and criminal law matters.

Web previously served in government in various roles at the Department of Homeland Security, including at the Cybersecurity and Infrastructure Security Agency (CISA), where he specialized in cybersecurity and critical infrastructure, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.

On March 27, 2024, the U.S. Cybersecurity and Infrastructure Security Agency’s (“CISA”) Notice of Proposed Rulemaking (“Proposed Rule”) related to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) was released on the Federal Register website.  The Proposed Rule, which will be formally published in the Federal Register on April 4, 2024, proposes draft regulations to implement the incident reporting requirements for critical infrastructure entities from CIRCIA, which President Biden signed into law in March 2022.  CIRCIA established two cyber incident reporting requirements for covered critical infrastructure entities: a 24-hour requirement to report ransomware payments and a 72-hour requirement to report covered cyber incidents to CISA.  While the overarching requirements and structure of the reporting process were established under the law, CIRCIA also directed CISA to issue the Proposed Rule within 24 months of the law’s enactment to provide further detail on the scope and implementation of these requirements.  Under CIRCIA, the final rule must be published by September 2025.

The Proposed Rule addresses various elements of CIRCIA, which will be covered in a forthcoming Client Alert.  This blog post focuses primarily on the proposed definitions of two pivotal terms that were left to further rulemaking under CIRCIA (Covered Entity and Covered Cyber Incident), which illustrate the broad scope of CIRCIA’s reporting requirements, as well as certain proposed exceptions to the reporting requirements.  The Proposed Rule will be subject to a review and comment period for 60 days after publication in the Federal Register. Continue Reading CISA Issues Notice of Proposed Rulemaking for Critical Infrastructure Cybersecurity Incident Reporting

On January 29, 2024, the Department of Commerce (“Department”) published a proposed rule (“Proposed Rule”) to require providers and foreign resellers of U.S. Infrastructure-as-a-Service (“IaaS”) products to (i) verify the identity of their foreign customers and (ii) notify the Department when a foreign person transacts with that provider or reseller to train a large artificial intelligence (“AI”) model with potential capabilities that could be used in malicious cyber-enabled activity. The proposed rule also contemplates that the Department may impose special measures to be undertaken by U.S. IaaS providers to deter foreign malicious cyber actors’ use of U.S. IaaS products.  The accompanying request for comments has a deadline of April 29, 2024.Continue Reading Department of Commerce Issues Proposed Rule to Regulate Infrastructure-as-a-Service Providers and Resellers

In late December 2023, the Federal Communications Commission (“FCC”) published a Report and Order (“Order”) expanding the scope of the data breach notification rules (“Rules”) applicable to telecommunications carriers and interconnected VoIP (“iVoIP”) providers.  The Order makes several notable changes to the prior rules, including broadening the definitions of a reportable “breach” and “covered data,” requiring covered entities to notify the FCC in addition to federal law enforcement of breaches, and modifying certain customer notification requirements.  The Rules are expected to become effective sometime in 2024, after they are reviewed by the Office of Management and Budget and the FCC’s Wireline Competition Bureau (“Bureau”) announces the effective dates by subsequent public notice.Continue Reading The FCC Expands Scope of Data Breach Notification Rules

On August 21, 2023, the Cybersecurity and Infrastructure Security Agency (“CISA”), National Security Agency (“NSA”), and National Institute of Standards and Technology (“NIST”) issued a joint quantum-readiness factsheet (the “Factsheet”) to inform organizations—particularly those that support critical infrastructure sectors—about quantum computing threats and to urge these organizations to begin

Continue Reading CISA, NSA, and NIST Urge Critical Infrastructure and Others to Prepare for Quantum Computing Cyber Threats

On March 21, 2023, the United States Cybersecurity and Infrastructure Security Agency (“CISA”) announced the issuance of updated Cybersecurity Performance Goals (“CPGs”).  The CPGs, which were originally released in October 2022, are intended to establish a set of fundamental cybersecurity practices to be voluntarily implemented by critical infrastructure owners and operators across all critical infrastructure sectors.  The CPGs apply to both information technology (“IT”) and operational technology (“OT”) and are designed to reduce risk related to known, high-impact cyber threats and adversarial tactics, techniques, and procedures (“TTPs”).Continue Reading CISA Releases Revised Cybersecurity Performance Goals for Critical Infrastructure

The Federal Energy Regulatory Commission (“FERC”) issued a final rule (Order No. 887) directing the North American Electric Reliability Corporation (“NERC”) to develop new or modified Reliability Standards that require internal network security monitoring (“INSM”) within Critical Infrastructure Protection (“CIP”) networked environments.  This Order may be of interest to entities that develop, implement, or maintain hardware or software for operational technologies associated with bulk electric systems (“BES”).Continue Reading FERC Orders Development of New Internal Network Security Monitoring Standards

On April 7, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of its Sharing Cyber Event Information Fact Sheet (“Fact Sheet”) intended to provide clear guidance to critical infrastructure owners and operators and government partners on voluntary information sharing about “unusual cyber incidents or activity.”  In its announcement, CISA explained that it will use the information provided to fill “critical information gaps,” deploy resources, analyze trends, issue warnings, and “build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.”

CISA’s announcement of the Fact Sheet encourages entities to visit its Shields Up website for more information; the Shields Up website was recently updated with guidance in response to the heightened risk of Russian cyber attacks.  The Shields Up website recommends that “all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” and provides detailed guidance that entities can use to protect themselves.
Continue Reading CISA Issues Voluntary Information Sharing Guidance for Critical Infrastructure Owners and Operators and Provides Resources for All

On December 2, 2021, the Transportation Security Administration (“TSA”) announced the issuance of Security Directive 1580-21-01, Enhancing Rail Cybersecurity, and Security Directive 1582-21-01, Enhancing Public Transportation and Passenger Railroad Cybersecurity (the “December Security Directives”), and “additional guidance for voluntary measures to strengthen cybersecurity across the transportation sector in response to the ongoing cybersecurity threat to surface transportation systems and associated infrastructure.”  TSA’s announcement clarifies that these actions are “among several steps DHS is taking to increase the cybersecurity of U.S. critical infrastructure.”

The December Security Directives, which become effective on December 31, 2021, impose significant requirements on owners and operators of “higher-risk freight railroads, passenger rail, and rail transit.”  TSA’s announcement also explained that it has extended certain requirements of the December Security Directives to airport and airline operators and has recommended that “all other lower-risk surface transportation owners and operators voluntarily implement” the requirements of the December Security Directives.
Continue Reading TSA Imposes New Cybersecurity Requirements for Rail and Air Sectors