How the cyber incident reporting law could finally fix the information sharing problem
Government and industry have long struggled with cybersecurity information sharing, but the cyber incident reporting measure passed earlier this year by Congress could be the best chance yet to improve the flow of data between companies and government — if the Department of Homeland Security can get the details right.
Without data from the private sector, government officials say they’re blind to the full extent of nation-state cyberattacks such as the SolarWinds intrusion. Meanwhile, industry complains that intelligence from federal agencies often comes weeks too late after going through the declassification process.
The private sector “has always been dismayed with how much is being shared back, how useful it is, how timely it is, how valuable it is,” said Andrew Howell, a lobbyist at Monument Advocacy that represents the Operational Technology Cybersecurity Coalition.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, may offer a mechanism to provide both sides with timely and actionable intelligence. But, experts say, that ultimately rests on how the Cybersecurity and Infrastructure Security Agency writes rules to implement it.
The public comment period for industry to give their input on CIRCIA ended last week. And ensuring that CISA quickly shares valuable information was a recurring theme, according to responses and experts.
The law, which is expected to take effect in 2025 or sooner, states that certain industries must disclose hacks within 72 hours and report any ransomware payments within 24 hours. But the critical question is just how much data CISA will require from organizations. If CISA mandates that industry share every bit of data related to a hack or suspected intrusion, experts worry that’ll simply overload the agency and delay the feedback loop with the private sector.
Industry is hungry for concise information, said Amanda Sramek, senior manager for security at the American Gas Association. And the more valuable the information industry gets in return, she said, the more operators will say, “Oh, this was super useful, I’m going to report more and more.”
But getting to that point will be no easy task. The agency already must navigate a complex mix of existing federal laws that mandate cyber incident reporting — which CISA cannot supersede — while also propping up the infrastructure to digest and then distribute threat alerts.
“There is actually a tremendous amount of back-end work that needs to happen to implement this incident reporting process appropriately,” said Michael Daniel, president and CEO of the Cyber Threat Alliance.
It’s not just a technical challenge, either. CIRCIA could require CISA to hire more personnel and potentially spend millions on additional technology.
“Congress should be thinking about how CISA ingests, processes and analyses that data,” said Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, who previously served as executive director of the U.S. Cyberspace Solarium Commission. “We will not be successful if all [CISA does] is write a great set of business rules about how to receive the data.”
Rep. Jim Langevin, D-R.I., said in a statement that he expects “to see new resource needs for CISA that are related to CIRCIA and the CISA Force Structure Assessment required by the FY21 NDAA to be reflected in the Agency’s FY24 budgetary request, and I encourage my colleagues to ensure that those needs are met.”
The end of the comment period kicks off a months-long rulemaking process for CISA. During this effort, some critical infrastructure operators will be lobbying to escape the mandate altogether, which many see as just more federal red tape for sectors such as energy and transportation that already have reporting mandates for certain owners and operators.
So far, there’s no clear indication of what critical infrastructure sectors will be required to report cyber incidents.
“One of the biggest challenges in all of this is that we failed as a nation to have a thoughtful policy conversation on how we prioritize what we protect. Hopefully, part of the aftermath of this rulemaking would be a larger conversation around it,” said Howell.
In the electric sector, for instance, many in the industry don’t want to change the current state of reporting requirements. The National Rural Electric Cooperative Association said in its response to CISA that “the statutory obligation is on the federal government, not industry, to ensure DHS receives the information it needs from the sector.”
The North American Electric Reliability Corp., which defines reliability requirements for the bulk power system, asked CISA to consider that existing threat information-sharing groups, or ISACs, already have established information-sharing methods.
The pipeline industry echoed many of the same sentiments. Some owners and operators are required by federal law to report to the Transportation Security Administration shortly after a cyber incident occurs. How CISA handles the litany of state laws, which can include cyber incident reporting requirements for utilities as well as data breach laws, is another open question. So, one organization may need to report to state officials, TSA and the Department of Energy as well as to CISA.
Further complicating matters for other critical infrastructure sectors, agencies such as the Securities and Exchange Commission are developing incident reporting rules, too. “If a financial services company already has to report an incident to Treasury, then have them just send that same report to CISA and let that count until the federal government can get to the point where it has the equivalent of the common college application form,” said Daniel of the Cyber Threat Alliance. “It’s the common incident reporting form for all the agencies.”
While the rulemaking is ongoing in the coming months, many critical infrastructure operators — especially the smaller ones — may have to develop their own processes to ensure they can comply with CIRCIA. Some simply aren’t equipped to quickly detect cyberattacks, let alone follow rigorous reporting requirements, say experts.
“Is it reasonable to expect the smallest of the small water systems to have a full range of technologies in place? Absolutely not,” said Howell, the lobbyist at Monument Advocacy. Beyond that, he said, there’s simply going to be ongoing resistance if the government wants data that exposes critical information about a client. “They don’t want to be put in between the government and their customer.”
CISA did not respond to a request for comment.