[BreachExchange] From ‘partner’ to ‘regulatory enforcer’: CISA takes on complex cyber incident reporting mandate

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Mon Mar 28 10:52:58 EDT 2022


https://federalnewsnetwork.com/cybersecurity/2022/03/from-partner-to-regulatory-enforcer-cisa-takes-on-complex-cyber-incident-reporting-mandate/

The Cybersecurity and Infrastructure Security Agency is embarking on a
complex, potentially lengthy process to make new cyber incident reporting
requirements a reality, marking a significant regulatory shift for the
partnership-focused agency.

The omnibus spending bill signed by President Joe Biden earlier this month
included landmark requirements for critical infrastructure entities to
report cyber incidents to CISA within 72 hours. It also requires them to
report ransomware payments within 24 hours.

But first CISA has to implement them through a federal rulemaking process.
The law gives the agency 24 months to publish an initial notice laying out
the rules, and then an additional 18 months to finalize the regulations.

Tatyana Bolton, who led cyber policy at CISA between 2017 and 2020, said
the requirements represent a “turning point” for CISA. Bolton now works as
policy director for cybersecurity and emerging threats at the R Street
Institute.

“They’re going from a cooperative partner begging for information to a
regulatory enforcer that has legitimate power to enforce compliance with
particular requirements for cybersecurity,” Bolton said. “I think you’ll
see a bit of a shift in terms of the way that industry sees CISA and its
power and authority.”

The agency’s collaboration with industry has been boosted over the past
year with the establishment of the Joint Cyber Defense Collaborative. CISA
Chief of Staff Kiersten Todt said voluntary engagements like the JCDC
should help lay the groundwork for easier cooperation on incident reporting
rules.

“People don’t trust institutions, they trust individuals,” Todt said during
a March 23 media roundtable hosted by Neosystems. “And so what CISA has
really been working on is how do you build that trust with industry through
the JCDC, through these very specific relationships and engagements, to
create that trust for incident reporting.”

But while JCDC involves a handful of major technology and cybersecurity
firms, the new incident reporting requirements apply to potentially
thousands of companies across 16 critical infrastructure sectors. The
government estimates private companies operate 85% of U.S. critical
infrastructure.

Part of the rulemaking is determining what specific entities have to follow
the reporting requirements, as well as what kind of cyber incident meets
the reporting threshold. Henry Young, policy director of the industry group
The Software Alliance, says the definitions will be crucial.

“We really want it to be unambiguous,” Young said. “We want to have clear
definitions, so all parties involved, government and industry, know who is
required to report and what that entity is required to report.”

But Bolton suggests CISA should keep the definitions broad to make it easy
for as many companies as possible to report incidents.

“You want to get as much information as you can, and then you figure out on
the back end, whether any of it actually is important,” she said. “Without
that type of mindset, you’re going to miss things where an incident seemed
minor, and in fact it was a thread that could have led to the
identification of a SolarWinds-like attack.”

As it starts down the rulemaking path, Bolton suggested CISA look to the
Federal Aviation Administration’s system for reporting flight incidents as
a model. The Aviation Safety Reporting System accepts confidential reports
from pilots, air traffic controllers, mechanics and others, analyzes the
data, and then distributes information to the aviation community.

“It’s not about blame,” Bolton said. “It’s about information to ensure that
all our skies are safe. The same is true for cybersecurity.”

Even seemingly “pedantic” issues, like determining what kind of data format
companies should use for their reports, will be crucial in shaping the
program, according to Michael Daniel, chief executive of the Cyber Threat
Alliance and former White House cybersecurity coordinator during the Obama
administration.

“You’ve got to set up the processes on the back end to accept reports, and
then figure out how to distribute them, action them, if necessary, inside
the government,” he said. “So there’s a lot of pieces to actually moving
from the legislative step, which was enormously important, into actual
practice.”

Companies on the clock
The 72-hour deadline for critical infrastructure entities to report
incidents represents a compromise of sorts, as some lawmakers had proposed
just a 24-hour deadline. But now CISA will have to determine how it will
wield the law’s new power to penalize companies who don’t comply with the
reporting requirements.

The law gives CISA the ability to subpoena companies to disclose
information if they don’t report incidents or respond to requests from the
agency within 72 hours. If the entity doesn’t respond to the subpoena, it
could be referred to the Department of Justice for civil action.

The law currently states the 72-hour clock starts when an entity
“reasonably believes that a covered cyber incident has occurred.” But Young
says The Software Alliance is advocating for CISA through the rulemaking
process to clarify that companies don’t have to report until they confirm a
cyber incident has occurred.

“We think that the clock should probably start when an entity knows it
has been the victim of a covered cyber incident, rather than the current
‘reasonably believes’ standard,” he said. “In the heat of a cyber incident,
organizations should not be distracted by regulatory burdens, but should be
focusing on responding to and recovering from the incident, and ‘reasonably
believes’ is a more ambiguous standard than something like ‘know.’”

Daniel also suggested the 72-hour clock should start when senior management
at a company becomes aware that a significant cyber incident has occurred.
He said the law is designed to ensure companies don’t sit on cyber
incidents for months before reporting to the government, while still giving
companies enough time to investigate potential incidents.

“I think this is a place where CISA needs to signal that the 72 hours is a
marker for generally how fast we want it to be reported, but not that CISA
is going to be sitting there with a stopwatch,” Daniel said.

Young also said a key priority for industry is ensuring companies aren’t on
the hook to report cyber incidents multiple times to multiple agencies. The
FBI asks companies to report cyber incidents to the bureau, and
unsuccessfully pressed lawmakers to be included in the new incident
reporting law.

“One of the industry’s concerns is that it will spend more of its
cybersecurity resources on creating reports than it will on improving
cybersecurity,” he said.

Easterly has already said CISA will immediately share incident reports it
receives with the FBI. And the legislation establishes an intergovernmental
“Cyber Incident Reporting Council” to “coordinate, deconflict, and
harmonize federal incident reporting requirements, including those issued
through regulations.”

“CISA is committed to working collaboratively and transparently with our
industry and federal government partners in order to enhance the security
and resilience of our nation’s networks and critical infrastructure,”
Easterly said in a statement after the law was passed.

Meanwhile, lawmakers are already pressing CISA to enact the new
requirements as quickly as possible in the face of threats like ransomware
and potential Russian cyber attacks stemming from the Ukraine conflict.

But Daniel suggested the two-year timeframe the law provides CISA for
coming up with initial rules isn’t unreasonable given the importance of the
requirements.

“They will certainly try to move as expeditiously as possible, but I really
think that we want this incident reporting structure that we set up to be
durable for the long term,” he said. “To do that well, you need time to do
the consultation with industry, you need time to maybe even do some pilot
programs, you need some time to get the processes and systems in place.”