The Cybersecurity and Infrastructure Security Agency is seeking public input on how to set up a new incident reporting regime for critical infrastructure.
Earlier this year, Congress passed a law that will, for the first time, require companies and organizations designated as critical infrastructure to report to the government when they are hacked and when they pay ransomware groups to unlock their data. Agency officials and boosters in Congress say the law is essential to give the federal government visibility into how frequently hackers are attacking U.S. critical infrastructure, which sectors are most at risk and what impact those hacks may have on broader society.
In a Request for Information set to be published in the Federal Register Sept. 12, the agency asks for feedback from the public and industry on how to best structure the regulations.
CISA has said the rules will take about two years to move through the regulatory process before reporting begins. Director Jen Easterly said responses to the request — along with a series of listening sessions with industry the agency has planned in the coming months — will help provide badly needed visibility into cyberattacks on critical infrastructure while limiting the regulatory burden on organizations covered under the law.
“We can’t defend what we don’t know about and the information we receive will help us fill critical information gaps that will inform the guidance we share with the entire community, ultimately better defending the nation against cyber threats,” Easterly said in a statement. “We look forward to continuing to learn from the critical infrastructure community — through our request for information and our coast-to-coast listening sessions — to understand how we can implement the new cyber incident reporting legislation in the most effective way possible to protect the nation’s critical infrastructure.”
The public is free to comment on any aspect of the regulation, but CISA suggests a number of topics it considers relevant. Those include how to define the entities and incidents covered under the law; how many organizations and incidents are likely to be subject to the reporting requirements; what would constitute a “reasonable belief” that a covered incident has occurred, which triggers the 72-hour deadline for reporting hacks to the government; and when the separate 24-hour deadline for reporting ransomware payments should begin.
Other requests ask for guidance on the paperwork organizations should submit to the agency, what data should be preserved during an incident and how to effectively balance reporting duties to the government with actual incident response work to mitigate the damage.
A major portion of the request is dedicated to scoping out where CISA’s rules may overlap or conflict with other government reporting rules. The Securities and Exchange Commission, the National Credit Union Administration, the Department of Defense and other agencies have all moved to put similar reporting rules in place, but each is designed for the specific sectors and organizations under that agency’s regulatory purview. For example, CISA’s rules cover critical infrastructure, the SEC’s are designed for publicly traded companies and DoD’s rules are for defense contractors.
But there is substantial overlap between entities across those groups, and one of the chief concerns from industry and others has been around harmonization between the different regulations and reporting requirements.
In March, the Information Technology Industry Council wrote to the SEC to note “concerns with the way the proposed rule is currently written, including the fact that it could lead to disclosure of unmitigated vulnerabilities and that it may precede and thus overlap with the CISA rulemaking to implement the Cyber Incident Reporting for Critical Infrastructure Act of 2022.”
There are also concerns around how freely CISA will share the information it receives with other agencies. The FBI made a late and ultimately futile push for Congress to alter the legislative language to give it real-time access to the reports, but Easterly has said her agency is committed to sharing the information it receives with the bureau as quickly as possible.
Most of the questions in the document have been floated by CISA officials or stakeholders in the months since the law’s passage. Bob Kolasky, a former CISA official who led its National Risk Management Center until March of this year, told SC Media that the depth and scope of the questions suggest the agency is taking a careful and nuanced approach, reflecting the fact that it is imposing some of the most aggressive cyberattack reporting rules ever placed on industry. To that end, he expects the agency to receive “thousands” of comments attempting to further shape the rule.
He was particularly pleased to see the document focus on harmonization with other agency regulations and questions on how to limit the regulatory burden and paperwork requirements for businesses.
“The benefits have to outweigh the costs, so by asking what kind of cost imposition this puts on entities, I think that’s an important element to collect and hopefully you can do a real cost-benefit analysis,” said Kolasky, now a senior vice president of critical infrastructure at Exiger.
Part of that calculus will depend on how CISA chooses to define the scope of the new rules and communicate the specific action items and benefits that will flow from industry reporting. According to Kolasky, “the worst case is a lot of paper and a lot of rules that don’t lead to better information.”
“I hope in addition to collecting information on cost, the benefit is defined by the government itself. Why is this going to make the nation’s cybersecurity better? How is it going to improve information sharing, risk mitigation and analyzing risk over longer term?” he said. “Really defining that specifically and making a decision on what the rules are with that in mind is going to make for a stronger rule.”
Tony Anscombe, chief security evangelist at ESET, a cybersecurity company that sells software and analyzes malware, told SC Media that he is particularly interested in how CISA crafts the regulation and to what extent it can harmonize the reporting requirements with other federal agencies. Even then, companies will be dealing with similar requirements set up by state governments and other countries where they do business.
“The harmonizing the federal part is great, but it’s more than the federal part. It’s all the other people I need to go tell,” said Anscombe.
Anscombe said he did not yet know whether ESET intended to respond to the request. Among the questions he was thinking about, he cited when companies should report incidents or ransomware payments, how much they would need to report within that window and how to balance those obligations in the midst of an ongoing incident. He also said that definitions of terms like “substantial cyber incident” need to be simple and direct, both to ensure companies are not overwhelmed and to keep the process from being dominated by the kind of vague legalese that populates other breach notification regimes.
“You actually want to keep it relatively high level, one because you don’t want to have to go back and change the rules on a frequent basis, but also you don’t want to specify in too much detail that some lawyer is going to sit there and say ‘I don’t need to report that’ because it’s not specified,” he said.