Facing cyber attacks, critical infrastructure gets new reporting requirements

A newly proposed rule by CISA tasks those operating in critical infrastructure sectors with reporting cyber incidents within 72 hours.

A newly proposed rule by the Cybersecurity and Infrastructure Security Agency tasks those operating in critical infrastructure sectors with reporting cyber incidents within 72 hours and reporting ransom payments within 24 hours of making a payment. These new requirements would significantly lengthen the to-do list of these entities. For analysis of what the impact could be, Federal News Network’s Eric White spoke with Beth Waller, Principal at the law firm Woods Rogers Vandeventer Black, on the Federal Drive with Tom Temin.

Interview Transcript:

Eric White So, 1,000-foot view. What are the major changes here, and what is going to be the impact on these critical sector entities?

Beth Waller I think 40,000-foot view. Everyone was expecting the director of CISA to come out with these proposed rules. The big earth-shattering component of it is really the definition of covered entity, who falls within the orbit of needing to report. And so really, the proposed rule really kind of breaks it into two different sections. We have really those who have to report based on their size, how large they are, and those that have to report based on their sector. I think most folks who were watching for this proposed rule were really expecting the sector side of the house. We weren’t really expecting the size side of the house. And so from a 40,000-foot view, I would say that most businesses and entities might be surprised to find out that they are covered by these new reporting requirements as proposed.

Eric White Yeah. Is there anything in place to notify a company that, hey, by the way, this new rule, it applies to you?

Beth Waller I really think that CISA is going to need to do a good job of educating the public to let them know that, hey, you may fall within this, because again, when we look at the proposed definition of covered entity, for example, when it talks about size, it refers to an entity that exceeds the small business size standards specified by the applicable North American Industry Classification System Code and the US Small Business Administration Small Business Size regulations.

Eric White I read those yesterday.

Beth Waller That’s right. So if you look at those, as I think many of us did, went with bated breath to see, well, wait a minute, what does this mean? We start to see that, well, it really means anybody who has more than 500 employees in certain sectors, and with average annual receipts over 7.5 million, would qualify as somebody who would be needing to report. Now, there are certain exceptions by industry under the SBA regulations. But I think that really what is surprising for me, as somebody who really focuses in on critical infrastructure incident response, is that now we’re going to be really looking at those SBA requirements and doing that math in the midst of an incident. And what I can’t really emphasize enough is the fact that we need to remember that this isn’t sitting at home twiddling your thumbs or the quiet of a Tuesday morning or whatever the case may be. You’re in the midst of a ransomware incident and your organization is down and you’ve been essentially taken hostage. And what you’re trying to do is, within those first 72 hours, do this math and start figuring out, do I qualify, do I need to report? And so the proposed rule really focuses in on that size. Are we big enough to have to report? And then the sector. And then of course with sector, size doesn’t matter. It really is whether you fall within these different buckets. And the buckets are what you would somewhat expect. Nuclear reactors, energy, things like that. But then there are some areas that you might not expect. For example, in the health care and public health sector, the proposed rule says that those that operate a hospital with 100 or more beds or are critical access hospitals, well, guess what, you’re dragged into that dragnet. So if I’m a small hospital in a rural location, I might not have 100 beds, but I might be considered critical access, and I would therefore be obligated to report a ransomware incident within 72 hours of finding it out.

Beth Waller Similarly, you have information technology: any entity that provides IT software, hardware, systems or services to the federal government. So if you’re a teeny tiny software company, but you provide or have a contract with the federal government, well, guess what, you’re grabbed into this. Similarly, if you are considered an original equipment manufacturer or a vendor or integrator of OT hardware, that’s operational technology, hardware or software, or those that perform functions related to DNS operations, guess what? You’re grabbed in. So again, you have some things that are kind of what you would expect: chemical facilities, water, wastewater treatment systems, transportation systems. But then you have some unusual things, including communications. So for example, wire radio communication services. So if FNN had an incident, you’d be doing that kind of analysis as to whether or not you needed to report within 72 hours as well. The other little tidbit I would say is that it’s not cut and dried the way the proposed rule is set up. I really think of it like it’s going to be a flow chart or a choose-your-own-adventure type situation, because even with water and wastewater systems, for example, it breaks it down to say, is it a community water system? Publicly owned treatment works that serve more than 3,300 people? Well, that’s a random number to be trying to remember in the middle of an incident response: do I qualify? Do I not qualify? Similarly with education. You’re looking at populations of 50,000 or more. We’re in the education sector. More than a thousand students. Or any institute of higher education that receives funding under title nine. And then finally, folks like the defense industrial base sector. Many of those folks, again, many of my clients in that space, are very used to doing reporting to the DoD. Well, guess what, that doesn’t necessarily get us out of jail free. We may also be having to do the same kind of report to CISA.
And so those are the big kind of surprises in some ways, is that the sectors really start getting into a lot of nuance and detail. And then of course, that size component. And again, if you qualify under one bucket, you’re just in. So if you’ve got more than 500 employees and you’re in the manufacturing space, it doesn’t matter that you’re in the defense industrial base sector, you’re going to be in regardless. And so I think that a lot of folks are going to be gobbled up by this, because CISA wants as much information as possible to start really looking at these trends nationally of the types of incidents that we as a nation are facing.

Eric White We’re speaking with Beth Waller, who is a cybersecurity attorney at Woods Rogers Vandeventer Black. And so, for the people on that one end of the spectrum, the smaller entities that you mentioned, how big of a burden is this actually going to be on them? I imagine that for the bigger folks that are used to this, they’ve got maybe a whole team that’s assigned just to making sure they’re compliant. But there are probably some folks in rural hospitals who have never even heard of this process.

Beth Waller That’s right. And I really think that for those of us, again, I’m a cybersecurity data privacy attorney, and what I do is respond to these types of incidents and get signed in to these types of incidents, I think it’s going to really fall a lot on the legal profession to try to educate folks. Those of us that are called in to do breach response work, number one. But I would also say, I would argue that it’s not just onerous on the small businesses. It’s going to be really a huge task for the big businesses. And I would say that because the report itself is very detailed. It’s more detailed than the report that I would be giving, for example, if I was just in the defense industrial sector under DFARS 7012, filing on DIBNet, those types of things. We’re used to doing that in this space. The report to CISA requires us to identify the covered entity, so the entity making the report. But in order to do that, what CISA is proposing is that I need to know the state of incorporation, trade names, legal names, the DUNS number, tax ID, the EPA numbers, all this kind of stuff. Again, I go back to, think about what we’re in the midst of. We’re in the midst of a ransomware incident, highly unlikely that I have access to my work device. And so in those first 72 hours, I can guarantee you you’re not getting access to a device that’s from your company. So you’re going to need to be able to pull this information together rapidly. It’s one thing if I’m a smaller defense contractor or a smaller contractor, to be able to know my state of incorporation. It’s another thing if I’m a mega corporation and I’ve made up a bunch of different LLCs or a bunch of different entities, or I have trade names, those types of issues. Pulling that kind of information together can be very challenging. And so I would argue that it’s going to be a burden to almost any entity that is going to be reporting to try to pull these things together.

Beth Waller In addition to that, the type of information about the incident that CISA is requesting, again, from somebody who has experienced an incident response, what they want to know within the first 72 hours is pretty broad. So, for example, they want a description of the covered incident with identification of affected information systems, including the physical locations of the impacted systems, networks and/or devices. If I am a mega company, for example, and I have 50,000 employees across the United States, talking about the physical location of those impacted systems or networks, if I’m a manufacturer, could be quite challenging in the midst of that first 72 hours, keeping in mind that the people who are needing to answer this are also potentially the people trying to come back online, getting things together, managing the incident response team. In addition to that, they want to know things like IOCs, which in the industry is indicators of compromise. They want to know the bad guys. What’s the telephone number, the IP address that they called from? They want a copy of the malicious code, and they want to know, for example, if you’re paying the ransom, which is another separate reporting requirement, they want to know exactly what your instructions were for payment of the ransom and things like that. I will say the good news is, thankfully there’s going to be a dropdown box for “unknown at this time” type answers given that this is the first 72 hours, but there is a requirement for supplemental reporting, and that supplemental reporting requires a report to be given every time there’s substantially new or different information becoming available. Again, if I’m in the midst of this incident, that is a very hefty burden to be thinking about.

Eric White Yeah, obviously this would be a substantial task order for, as you mentioned, somebody going through a cyber incident like this. But coming from CISA’s standpoint, this is pretty important information. A lot of people’s lives rely on these companies and obviously the critical infrastructure sector that runs the country, basically. So, coming from them, why is this information so critical for an agency like CISA in the fight in ensuring that a lot of our big companies and critical infrastructure sectors are cyber secure?

Beth Waller Well, I think that what it does, it does create this dragnet of information to be able to really look at our adversaries and to be able to say, okay. Because a lot of times in the ransomware world, they have almost nonsense names. You’ve got LockBit, Alphv/BlackCat. You’ve got Royal, you’ve got, you know, all the different types of ransomware that are out there. And I tell folks, it’s kind of like they’re gangs, like off of The Sopranos or The Godfather movies. They’re just cyber gangs. And so being able to track the information, being able to say, okay, well, this is associated with this nation state or it’s not, is really incredibly important to CISA. And again, I say that as someone who is a federal partner in the midst of these incidents, because I do critical infrastructure incident reporting. So again, when you’re representing a state agency or a local government, you are already acting as a partner to your federal partners and providing information. So I think that there are big benefits to working with CISA and currently reporting to CISA as we do. But I think that with regards to the kind of nuances that are being asked for in this reporting, it’s going to create a lot of headaches. And keep in mind, many of these businesses are folks that are operating under multiple regimes. So for example, the financial sector is one of these that is considered critical infrastructure here. Well, if you’re already a bank, you’re reporting to the Office of the Comptroller of the Treasury at the same time as reporting to CISA. If you are, for example, a manufacturer that is global, as many of our manufacturing Fortune 500 may be, you are also dealing with the laws in Europe, so GDPR-related laws. You’re also probably publicly traded, and so now you have the new Securities and Exchange Commission rules and regulations about getting a notice out to your shareholders within four days of determining materiality.
It’s really a very complex arena that CISA is coming into already from a regulatory standpoint.

Beth Waller I will say that the proposed rule says if CISA has an information sharing agreement in place with one of these other agencies that was receiving the report, that is potentially a get-out-of-jail for a duplicate report filing, but it’s unclear at this time where CISA has that information sharing already. And I think that puts a lot of burden on the victim to try to figure that out. So hopefully the Department of Defense, for example, creates an information sharing system with CISA where if you’re already, again, reporting to DIBNet and going through that side of the process, you wouldn’t have to necessarily do it again here. Again, those clocks also start not on a Tuesday morning at 9:00 a.m.; they often start at 1:00 a.m. on a Saturday morning whenever that network engineer figures it out. So a lot of times the folks that would be filling this out are not necessarily aware of it until, let’s say, 36 hours into an incident, depending on how large the organization is. So my argument would be to many businesses, look at your incident response plan. If these proposed rules come into a final rule in the same manner that they’re currently looking at right now, we’re going to want to make sure your incident response plan has a lot of this information gathered already, because, for example, maybe you could create something offline that says, this is our state of incorporation, those types of things, so you’ve got that at the ready. Because again, keep in mind, most of the time we’re dealing with something like ransomware where the entire network is encrypted. So how are we going to get at this information even if we wanted to, unless you just know it?

Copyright © 2024 Federal News Network. All rights reserved.
