CISA releases draft rule for cyber incident reporting
In one of the biggest cybersecurity policy reforms in recent memory, the Cybersecurity and Infrastructure Security Agency on Wednesday released its much-anticipated notice of proposed rulemaking to require critical infrastructure organizations to report cybersecurity incidents, a move intended to give the federal government better insight into breaches that affect highly sensitive entities, such as water and power utilities.
Wednesday’s notice of proposed rulemaking (NOPR) represents the next step in a process that began after the Cyber Incident Reporting for Critical Infrastructure Act was signed into law in March 2022. That law was inspired in part by the SolarWinds hack, which made clear the lack of information available to the federal government about breaches affecting critical infrastructure entities. It also represents one of the first steps by CISA to take on a more regulatory role that the agency has tried to avoid.
“CIRCIA is a game changer for the whole cybersecurity community, including everyone invested in protecting our nation’s critical infrastructure,” said CISA Director Jen Easterly in a statement. “It will allow us to better understand the threats we face, spot adversary campaigns earlier, and take more coordinated action with our public and private sector partners in response to cyber threats.”
Under the rules, companies will have to report incidents within 72 hours “after the covered entity reasonably believes the covered cyber incident has occurred” and ransomware payments within 24 hours of being made, unless the payment is reported together with a covered incident, in which case the organization has 72 hours.
While they contain a series of detailed carve-outs, the rules generally require companies to report incidents that impact safety, that lead to a disruption of services, or in which the breach was carried out through a third party such as a cloud service provider.
In a media briefing Wednesday, a senior CISA official noted that the agency is working on a way to share anonymized data with researchers. While cyberattacks on critical infrastructure systems are believed to be legion, researchers lack good data about their prevalence, and many experts hope that CIRCIA’s incident reporting requirement can fill this lacuna in the data.
According to the proposed rules, CISA plans to use the data it receives to carry out trend and threat analysis, incident response and mitigation, and to inform future strategies to improve resilience.
While the rule is not expected to be finalized until 18 months from now or potentially later next year, comments are due 60 days after the proposal is officially published on April 4. One can be sure that the 16 different critical infrastructure sectors and their armies of lawyers will have much to say. The 447-page NOPR details a dizzying array of nuances for specific sectors and cyber incidents.
For example, companies would only be required to report a distributed denial of service attack if it results in a service outage for an extended period. One that results in a “brief period of unavailability,” however, would not need to be reported.
The list of exceptions to the cyber incidents that critical infrastructure operators will need to report is around twice as long as the conditions that require reporting an incident, and the final shape of the rule may change as CISA considers comments from industry.
The companies affected by the proposed rules include all critical infrastructure entities that exceed the federal government’s size threshold for a small business. The rules also lay out a series of different criteria for whether entities in other critical infrastructure sectors will be required to report incidents. Some sectors will be covered in their entirety, such as the chemical sector. Others, such as the information technology sector, will qualify based on criteria laid out in the framework.
Indeed, the rules governing the information technology sector could have a wide reach, as CISA is proposing that any organization that sells “IT hardware, software, systems, or services” to the federal government be required to report incidents.
CISA’s proposed rules represent the latest entrant in a complicated regulatory landscape governing when companies are required to report cybersecurity incidents. Last year, the Securities and Exchange Commission mandated that publicly traded companies report “material” breaches to investors — a move Rep. Andrew Garbarino, R-N.Y., chair of the House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection, sought to quash because it conflicts with CISA’s remit.
Harmonizing these various reporting requirements represents a key challenge facing executive branch policymakers. While CISA’s rules are aimed at critical infrastructure organizations that experience cyber-related disruptions, the SEC regulations affect publicly traded companies. These reporting requirements may in some cases overlap, and many experts see them as a complement to one another rather than in conflict. Additionally, CISA’s rules require that much more detailed information be disclosed about breaches.
CISA expects the rules will cost industry and government combined around $2.6 billion between now and 2033 and anticipates receiving around 25,000 reports each year.
Ranking member of the House Committee on Homeland Security Bennie Thompson, D-Mass., and Rep. Yvette Clarke, D-N.Y., said in a joint statement that they’d like to see a reduction in compliance costs so that additional resources can be invested in security.
While the list of covered entities might appear long — CISA said it expects around 350,000 to be required to report — the size-based criteria and sector-specific rules might leave major gaps, according to Josh Corman, founder of I Am the Cavalry and former chief strategist of CISA’s COVID Task Force.
Corman has spoken frequently about the surprising number of small organizations that, if impacted, could have posed serious risks to the nation’s COVID-19 response. “It’s not the size of the organization,” Corman said in an interview. “It’s the size of the harm to the national critical functions and critical infrastructure.”
That concern is heightened by recent warnings from U.S. national security officials that China is carrying out increasingly aggressive operations targeting American critical infrastructure.
Corman argues CISA could have relied on the list of systemically important critical entities that the agency has developed — which are the most critical of critical entities that may fall outside what is considered critical infrastructure — in order to ensure better coverage.
Corman pointed to the proposal’s treatment of hospitals as a major flaw: Under the rule, facilities with fewer than 100 beds are not required to report incidents, even though just a small number of hospitals are above that threshold. Hospitals designated as “critical access” hospitals — which are largely rural — would also be required to report.
The proposed rules contend that larger hospitals “are more likely” to experience “substantial impact” and that “larger hospitals are likely to be better equipped to simultaneously respond to and report a cyber incident.”
Corman also pointed out that the categories of critical infrastructure entities are based on sector-specific plans that have not been updated since 2015. “CISA did not even exist in 2015,” Corman said. “How can a sector-specific plan written almost 10 years ago be the basis for us getting our head around the proper focus and implementation as planned?”
Other experts questioned whether entities have the financial resources to implement the requirements. The rules require community water systems and water treatment services that serve more than 3,300 people to report incidents, and experts question whether these entities can implement proper security measures — let alone spot and report breaches.
Chris Warner, an operational technology security strategist at GuidePoint Security, described what he encountered at one water utility in Florida: “They were so small they had three IT guys handling the OT security and we all know … 99% of the time that doesn’t work at all.”