The Cybersecurity and Infrastructure Security Agency is embarking on a complex, potentially lengthy process to make new cyber incident reporting requirements a reality, marking a significant regulatory shift for the partnership-focused agency.
The omnibus spending bill signed by President Joe Biden earlier this month included landmark requirements for critical infrastructure entities to report cyber incidents to CISA within 72 hours. It also requires them to report ransomware payments within 24 hours.
But first CISA has to implement them through a federal rulemaking process. The law gives the agency 24 months to publish an initial notice laying out the rules, and then an additional 18 months to finalize the regulations.
Tatyana Bolton, who led cyber policy at CISA between 2017 and 2020, said the requirements represent a “turning point” for CISA. Bolton now works as policy director for cybersecurity and emerging threats at the R Street Institute.
“They’re going from a cooperative partner begging for information to a regulatory enforcer that has legitimate power to enforce compliance with particular requirements for cybersecurity,” Bolton said. “I think you’ll see a bit of a shift in terms of the way that industry sees CISA and its power and authority.”
The agency’s collaboration with industry has been boosted over the past year with the establishment of the Joint Cyber Defense Collaborative. CISA Chief of Staff Kiersten Todt said voluntary engagements like the JCDC should help lay the groundwork for easier cooperation on incident reporting rules.
“People don’t trust institutions, they trust individuals,” Todt said during a March 23 media roundtable hosted by Neosystems. “And so what CISA has really been working on is how do you build that trust with industry through the JCDC, through these very specific relationships and engagements, to create that trust for incident reporting.”
But while JCDC involves a handful of major technology and cybersecurity firms, the new incident reporting requirements apply to potentially thousands of companies across 16 critical infrastructure sectors. The government estimates private companies operate 85% of U.S. critical infrastructure.
Part of the rulemaking is determining what specific entities have to follow the reporting requirements, as well as what kind of cyber incident meets the reporting threshold. Henry Young, policy director of the industry group The Software Alliance, says the definitions will be crucial.
“We really want it to be unambiguous,” Young said. “We want to have clear definitions, so all parties involved, government and industry, know who is required to report and what that entity is required to report.”
But Bolton suggests CISA should keep the definitions broad to make it easy for as many companies as possible to report incidents.
“You want to get as much information as you can, and then you figure out on the back end, whether any of it actually is important,” she said. “Without that type of mindset, you’re going to miss things where an incident seemed minor, and in fact it was a thread that could have led to the identification of a SolarWinds-like attack.”
As it starts down the rulemaking path, Bolton suggested CISA look to the Federal Aviation Administration’s system for reporting flight incidents as a model. The Aviation Safety Reporting System accepts confidential reports from pilots, air traffic controllers, mechanics and others, analyzes the data, and then distributes information to the aviation community.
“It’s not about blame,” Bolton said. “It’s about information to ensure that all our skies are safe. The same is true for cybersecurity.”
Even seemingly “pedantic” issues, like determining what kind of data format companies should use for their reports, will be crucial in shaping the program, according to Michael Daniel, chief executive of the Cyber Threat Alliance and former White House cybersecurity coordinator during the Obama administration.
“You’ve got to set up the processes on the back end to accept reports, and then figure out how to distribute them, action them, if necessary, inside the government,” he said. “So there’s a lot of pieces to actually moving from the legislative step, which was enormously important, into actual practice.”
Companies on the clock
The 72-hour deadline for critical infrastructure entities to report incidents represents a compromise of sorts, as some lawmakers had proposed just a 24-hour deadline. But now CISA will have to determine how it will wield the law’s new power to penalize companies who don’t comply with the reporting requirements.
The law gives CISA the ability to subpoena companies to disclose information if they don’t report incidents or respond to requests from the agency within 72 hours. If the entity doesn’t respond to the subpoena, it could be referred to the Department of Justice for civil action.
The law currently states the 72-hour clock starts when an entity “reasonably believes that a covered cyber incident has occurred.” But Young says The Software Alliance is advocating for CISA through the rulemaking process to clarify that companies don’t have to report until they confirm a cyber incident has occurred.
“We think that the clock should probably start when an entity knows it has been the victim of a covered cyber incident, rather than the current ‘reasonably believes’ standard,” he said. “In the heat of a cyber incident, organizations should not be distracted by regulatory burdens, but should be focusing on responding to and recovering from the incident, and ‘reasonably believes’ is a more ambiguous standard than something like ‘know.’”
Daniel also suggested the 72-hour clock should start when senior management at a company becomes aware that a significant cyber incident has occurred. He said the law is designed to ensure companies don’t sit on cyber incidents for months before reporting to the government, while giving companies enough time to investigate potential incidents.
“I think this is a place where CISA needs to signal that the 72 hours is a marker for generally how fast we want it to be reported, but not that CISA is going to be sitting there with a stopwatch,” Daniel said.
Young also said a key priority for industry is ensuring companies aren’t on the hook to report cyber incidents multiple times to multiple agencies. The FBI asks companies to report cyber incidents to the bureau, and unsuccessfully pressed lawmakers to be included in the new incident reporting law.
“One of the industry’s concerns is that it will spend more of its cybersecurity resources on creating reports than it will on improving cybersecurity,” he said.
CISA Director Jen Easterly has already said CISA will immediately share incident reports it receives with the FBI. And the legislation establishes an intergovernmental “Cyber Incident Reporting Council” to “coordinate, deconflict, and harmonize federal incident reporting requirements, including those issued through regulations.”
“CISA is committed to working collaboratively and transparently with our industry and federal government partners in order to enhance the security and resilience of our nation’s networks and critical infrastructure,” Easterly said in a statement after the law was passed.
Meanwhile, lawmakers are already pressing CISA to enact the new requirements as quickly as possible in the face of threats like ransomware and potential Russian cyber attacks stemming from the Ukraine conflict.
But Daniel suggested the two-year timeframe the law provides CISA for coming up with initial rules isn’t unreasonable given the importance of the requirements.
“They will certainly try to move as expeditiously as possible, but I really think that we want this incident reporting structure that we set up to be durable for the long term,” he said. “To do that well, you need time to do the consultation with industry, you need time to maybe even do some pilot programs, you need some time to get the processes and systems in place.”