With ransomware attacks, the war in Ukraine, Chinese and Iranian-directed hacking campaigns and other threats looming over U.S. critical infrastructure, officials for the federal agency charged with implementing a new law that will provide the government with reporting on the volume and extent of those attacks reiterated that they do not intend to rush the regulatory process.
In a House Homeland Security hearing Tuesday, Matt Hartman, deputy executive assistant director for the Cybersecurity and Infrastructure Security Agency, reiterated to lawmakers that the agency was looking at a 24-month timeline to develop specific regulations for the reporting regime and laid out a number of questions officials were grappling with as they determine the scope.
“We intend to really find the sweet spot in implementation between defining the types of incidents that need to be reported to the federal government and when to allow victim organizations to focus on restoring their systems and data but also in sufficient time, providing the information to the federal government so we can limit the impact of a potential campaign and help the broader community,” said Hartman.
CISA not ready for ransomware, breach reporting?
The comments underscore that CISA may not be in a position to receive regular reporting around ransomware attacks and other breaches affecting critical infrastructure until at least 2024. Rep. Elissa Slotkin, D-Mich., chair of the Homeland Subcommittee on Intelligence and Counterterrorism, cited research from private cybersecurity company SonicWall claiming a 98% increase in observed ransomware attacks over the past year, while she also noted “we heard from [Michigan] state officials …that ransomware attacks have doubled since last year.”
Those statistics may or may not indicate that the problem is getting worse, as ransomware researchers say the lack of uniform reporting make it nearly impossible to determine whether attacks against critical infrastructure or other companies are increasing or decreasing, by how much, and whether policies or issues like the war in Ukraine and subsequent tensions between the U.S. and Russia have made an impact on those numbers.
“Given that [critical infrastructure] is owned privately and the previous absence of reporting requirements, I’m really not sure whether anybody has a good handle on the number of incidents. We certainly don’t, and I couldn’t begin to speculate as to whether there’s been an increase or decrease,” Emsisoft ransomware analyst Brett Callow told SC Media earlier this year.
While CISA Director Jen Easterly and others have encouraged companies to voluntarily report in the meantime, the reality is many companies and their legal counsel will likely want to wait for specific regulatory language spelling out exactly what information they are legally required to pass along.
Those companies might want to move even more cautiously in the face of pledges from Hartman and other officials that they intend to “to make sure that when CISA receives information about ransomware or other cybersecurity incidents from all sectors, that we are quickly sharing that information back with the FBI, with the sector risk management agencies from any of the sixteen sectors, and with appropriate state and local authorities.”
Matthew Hayden, who served as assistant secretary for cyber, infrastructure, risk, and resilience policy at the Department of Homeland Security until May 2022, and worked as a senior advisor to CISA before that, told SC Media that in the past, former director Chris Krebs pushed the agency to add a button on the agency’s main website that would follow a user wherever they scrolled, encouraging companies to report hacks to the government when they were hacked.
It didn’t move the needle.
“There was no level of promotion that worked to get companies to do that who weren’t in the [cybersecurity] field. If you were a pen tester and you found something, you were going to report…if you are a member of an [Information Sharing and Analysis Center] you are sharing that information, but if you were a target, you weren’t clicking on that button,” said Hayden, now a vice president of cyber client engagement at GDIT.
SEC developing similar breach reporting regulations
Hayden said one aspect that may be largely outside of CISA’s control but could affect their success is the timing for a parallel set of incident reporting regulations being developed by the Securities and Exchange Commission. Recently, the Information Technology Industry Council used the SEC’s public comment for the new regulations to make the same argument, writing that their rules “may precede and thus overlap with the CISA rule-making to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022,” and calling on the agencies to deconflict their respective reporting rules.
While CISA’s program will only cover critical infrastructure and the SEC’s will apply to publicly traded companies, Hayden said the two efforts will at some point merge to serve “a common federal marketplace” as some critical infrastructure entities in other sectors share both those distinctions. Hayden said large companies and those in the financial and energy sectors who are already heavily regulated and used to “government breathing down their necks” will likely be the most prepared to comply with the new rules. Meanwhile, the healthcare sector “makes us the most nervous” largely because of the volume of vulnerable legacy hardware and software used for critical services that cannot be shut off.
Nevertheless, getting both agencies to roll out a uniform set of reporting standards (or something close to it) will be key to avoiding confusion.
“The only challenge that I personally see is the timing of the rulemaking. They’ve got to line up,” he said. “If you want people to see this as a holistic effort, then it has to be at done with holistic timing. If you have SEC rules come out and then a year later you have CISA rules come out and they vary … if they don’t speak the same in the form standard reporting techniques that argument will get stronger.”