The recently passed Cyber Incident Reporting for Critical Infrastructure Act has spurred headlines. Danny Bradbury questions whether it has the substance needed to succeed
In the last few months, the US and other governments warned critical infrastructure companies about the elevated risk of attack. Now, the US government aims to have eyes on just how at risk they are. New legislation seeks to mandate cyber incident reporting for critical infrastructure organizations. It will give Homeland Security a better idea of what adversaries are doing and how prepared organizations crucial to national security are to repel those attacks.
We’ve grappled with attacks on our critical infrastructure from nation-states and financial criminals alike for years. Banks have been hacked, electrical utilities have fought intruders in their systems and more recently, even oil pipelines and food producers have been compromised. These are the companies that keep society running. The Cyber Incident Reporting for Critical Infrastructure Act is the government’s attempt to gain more visibility into the threats that they face.
Full Disclosure
Congress passed the Act on March 11, and the President signed it into law four days later as part of federal omnibus appropriation legislation. Under the new law, critical infrastructure companies must disclose cybersecurity incidents to the Cyber and Infrastructure Security Agency (CISA) within 72 hours of discovery. If they make a ransomware payment, they must report that within 24 hours.
Reports must include details about the time window in which the incident happened, which systems were affected and a description of the affected systems and the organizational impact.
The Act also demands supplementary reports that describe any changes in the facts surrounding the breach. Critical infrastructure organizations must file reports confirming that they have fully mitigated the cyber incident.
CISA can share that information with other federal agencies for cybersecurity purposes, including responding to digital threats, although it doesn’t have carte blanche. It cannot disclose personal information as part of that sharing. An organization could also try to designate information as proprietary, preventing its disclosure.
This Act came at just the right time for the federal government, which has been sounding the alarm about potential attacks on critical infrastructure companies from Russia in light of increased tensions over its invasion of Ukraine. The bill was conveniently ready on the shelf as the situation unfolded, explains John Pescatore, director of emerging security trends at the SANS Institute.
“Russia is why it moved so fast, but it was a reaction to SolarWinds,” he notes.
The House first introduced the bill in April 2021, a month before the most infamous ransomware attack on a critical national infrastructure company to date: the ransomware infection at Colonial Pipeline.
As aggressive as the bill is, it isn’t the first move to require mandatory reporting of critical infrastructure incidents. The TSA already issued a directive last year that imposed reporting requirements for energy pipelines, followed by another that mandated cybersecurity protection measures to shore up that sector’s defenses.
More Data, More Insight
Patrick Miller, owner and CEO of critical infrastructure security consulting company Ampere Industrial Security, sees one of the Act’s most significant benefits as gathering actuarial data. Until now, we have been blind to much of the detail about attacks, partly because of the obfuscation from infrastructure companies, he says.
“We will know with a much higher degree of certainty which security controls, practices and policies are working and which are not"
“We will know with a much higher degree of certainty which security controls, practices and policies are working and which are not,” he predicts. “We will see adversary tactics more clearly.”
SANs’ Pescatore is heartened by the Act’s commitment to actually analyze reports from critical infrastructure companies. CISA will review and analyze reports to assess the effectiveness of organizations’ security controls and identify intruders’ techniques for subverting them.
This suggests that the DHS will put real resources behind the reporting process rather than just letting reports gather dust, he says.
“There have been lots of draft laws about reporting but what does the government do with those reports?” he asks. “It needs to allocate staff and resources to look at them.” By examining reports in detail, CISA might find correlations between incidents that could suggest a more concerted, significant attack, he adds.
However, it isn’t clear how many personnel will be assigned to analyze and distribute information. Teresa Payton, CEO of Fortalice Solutions and former CIO for the White House, worries that CISA might become a bottleneck.
“It will have to be able to process the massive information flow into high-quality, validated, verified and actionable intelligence,” she says. “Critical infrastructure leaders, under fear of not complying, might tend to over-report, leaving CISA with a data deluge to deal with.”
Ideally, the final language would include service level agreements for information sharing with other agencies, she says.
Reporting Requirements
Payton considers the Act a positive step overall, but it leaves her with more questions than answers. In particular, she worries about the potential reporting burden that this places on organizations. The 72-hour window is a big ask, she says, suggesting that it could hinder security operations.
“An arbitrary deadline of 72 hours, during the fog of war when an incident is fresh and being investigated, could distract from the incident containment and resolution,” she warns, adding that it could cause “more harm than help.”
Payton adds that the details on this reporting period are also unclear. “When does the clock start if it is a supply chain issue and the reporting entity is downstream from the attack and learns of it 24 hours after their vendor or provider knows of it?” she asks.
The shorter timeline for reporting ransomware payments also puzzles Payton. She ponders whether it would make more sense to encourage critical infrastructure organizations to report before deciding to pay rather than after the fact. That way, they could engage federal authorities at every step of the process.
Payton points out that the detailed scope of the bill isn’t yet clear.
“Critical infrastructure is a term that is vast and can cover many entities,” she warns. The Administration could refer to Presidential Policy Directive 21, which defines 16 critical infrastructure sectors. That leaves everything from energy to finance, transportation, emergency services, chemicals and IT under the Act’s purview.
The Act enables agencies to reach sufficiency agreements with pipelines already falling under the existing DHS directive, exempting them from the law.
“Critical infrastructure is a term that is vast and can cover many entities”
More details will be revealed over time. CISA’s director, Jen Easterly, must create rules for critical national infrastructure companies to follow when complying with the new law. The Agency must publish those rules in the Federal Register no later than 24 months after the law was enacted on March 15 2022, and must issue final rules within 18 months of that. The final rules will determine when the reporting requirements begin.
Those final rules will clarify which entities are covered, along with which cyber incidents fall within the Act’s scope, and what should go into a report to CISA. It will also detail the types of data that a victim of an attack must keep.
These are important questions because they affect what a critical national infrastructure organization needs to report. CISA must look at issues including the sophistication and novelty of the tactics used and the type, sensitivity and volume of affected data. Other factors will include the number of individuals affected and potential impacts on industrial control systems.
The Act already includes some language describing what constitutes a covered cyber incident. At a minimum, a covered incident would lead to substantial loss of confidentiality, integrity or availability of an information system or seriously impact the safety and resilience of operational systems. It can also disrupt operations, covering denial of service attacks and ransomware. It also takes supply chain attacks, including both software and services providers, into account.
Enforcing the Law
What happens if companies don’t comply? The Act gives CISA enforcement powers to hit organizations violating the law with subpoenas. It could even file civil enforcement suits against them via the Attorney General. However, there’s no private right of action for citizens to sue organizations if they fail to report.
Not everyone thinks that this has enough teeth. “I would have liked to see clear authority on what the penalties are for noncompliance,” says Ampere’s Miller. “It needs a true monitoring and enforcement component.”
Naturally, Easterly has been a strong advocate for the law, given that it falls on her desk and gives CISA additional authority, but the FBI has been less impressed. Its director, Chris Wray, has argued that it would slow down its response to attacks. Companies can already report data breaches voluntarily to the FBI.
As a former NSA and Secret Service employee, Pescatore’s take is that the intelligence and law enforcement agenda might conflict with security agencies. The FBI might want the power to avoid responding immediately to an attack so that it can gather more intelligence on the perpetrators. Conversely, security personnel might want to mitigate the problem quickly to avoid further damage, resulting in tipping off the perpetrator that they’ve been discovered.
Politics aside, a mandatory reporting act has the potential to give Homeland Security and other agencies greater insight into who is rattling the nation’s doors in cyberspace. Miller says that he has been advocating for this capability for a long time.
Any intelligence on which adversaries are targeting critical infrastructure must be positive, but the real test will come in its implementation. The specific rules that CISA creates to enact this law will determine its success or failure. It has plenty of time to write those – and that gives Russia and other nation-states more breathing space to do their worst.