The recently passed Cyber Incident Reporting for Critical Infrastructure Act has spurred headlines. Danny Bradbury questions whether it has the substance needed to succeed.

In the last few months, the US and other governments have warned critical infrastructure companies about the elevated risk of attack. Now, the US government aims to have eyes on just how at risk they are. New legislation seeks to mandate cyber incident reporting for critical infrastructure organizations. It will give Homeland Security a better idea of what adversaries are doing and how prepared organizations crucial to national security are to repel those attacks.

We have grappled with attacks on our critical infrastructure from nation-states and financial criminals alike for years. Banks have been hacked, electrical utilities have fought intruders in their systems and, more recently, even oil pipelines and food producers have been compromised. These are the companies that keep society running. The Cyber Incident Reporting for Critical Infrastructure Act is the government's attempt to gain more visibility into the threats that they face.

Full Disclosure

Congress passed the Act on March 11, and the President signed it into law four days later as part of federal omnibus appropriations legislation. Under the new law, critical infrastructure companies must disclose cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery. If they make a ransomware payment, they must report that within 24 hours. Reports must include the time window in which the incident happened, which systems were affected, a description of those systems and the organizational impact. The Act also demands supplementary reports that describe any changes in the facts surrounding the breach.
Critical infrastructure organizations must file reports confirming that they have fully mitigated the cyber incident. CISA can share that information with other federal agencies for cybersecurity purposes, including responding to digital threats, although it does not have carte blanche: it cannot disclose personal information as part of that sharing, and an organization can also try to designate information as proprietary, preventing its disclosure.

This Act came at just the right time for the federal government, which has been sounding the alarm about potential attacks on critical infrastructure companies from Russia in light of increased tensions over its invasion of Ukraine. The bill was conveniently ready on the shelf as the situation unfolded, explains John Pescatore, director of emerging security trends at the SANS Institute. "Russia is why it moved so fast, but it was a reaction to SolarWinds," he notes. The House first introduced the bill in April 2021, a month before the most infamous ransomware attack on a critical national infrastructure company to date: the ransomware infection at Colonial Pipeline.

As aggressive as the bill is, it is not the first move to require mandatory reporting of critical infrastructure incidents. The TSA already issued a directive last year that imposed reporting requirements for energy pipelines, followed by another that mandated cybersecurity protection measures to shore up that sector's defenses.

More Data, More Insight

Patrick Miller, owner and CEO of critical infrastructure security consulting company Ampere Industrial Security, sees one of the Act's most significant benefits as gathering actuarial data. Until now, we have been blind to much of the detail about attacks, partly because of obfuscation by infrastructure companies, he says.

"We will know with a much higher degree of certainty which security controls, practices and policies are working and which are not," he predicts. "We will see adversary tactics more clearly."

SANS' Pescatore is heartened by the Act's commitment to actually analyze reports from critical infrastructure companies. CISA will review and analyze reports to assess the effectiveness of organizations' security controls and identify intruders' techniques for subverting them. This suggests that the DHS will put real resources behind the reporting process rather than just letting reports gather dust, he says. "There have been lots of draft laws about reporting but what does the government do with those reports?" he asks. "It needs to allocate staff and resources to look at them." By examining reports in detail, CISA might find correlations between incidents that could suggest a more concerted, significant attack, he adds.

However, it is not clear how many personnel will be assigned to analyze and distribute information. Teresa Payton, CEO of Fortalice Solutions and former CIO for the White House, worries that CISA might become a bottleneck. "It will have to be able to process the massive information flow into high-quality, validated, verified and actionable intelligence," she says. "Critical infrastructure leaders, under fear of not complying, might tend to over-report, leaving CISA with a data deluge to deal with." Ideally, the final language would include service level agreements for information sharing with other agencies, she says.

Reporting Requirements

Payton considers the Act a positive step overall, but it leaves her with more questions than answers. In particular, she worries about the reporting burden that it places on organizations. The 72-hour window is a big ask, she says, suggesting that it could hinder security operations.
"An arbitrary deadline of 72 hours, during the fog of war when an incident is fresh and being investigated, could distract from the incident containment and resolution," she warns, adding that it could cause "more harm than help." Payton adds that the details of this reporting period are also unclear. "When does the clock start if it is a supply chain issue and the reporting entity is downstream from the attack and learns of it 24 hours after their vendor or provider knows of it?" she asks.

The shorter timeline for reporting ransomware payments also puzzles Payton. She wonders whether it would make more sense to encourage critical infrastructure organizations to report before deciding to pay rather than after the fact. That way, they could engage federal authorities at every step of the process.

Payton points out that the detailed scope of the bill is not yet clear. "Critical infrastructure is a term that is vast and can cover many entities," she warns. The Administration could refer to Presidential Policy Directive 21, which defines 16 critical infrastructure sectors. That leaves everything from energy to finance, transportation, emergency services, chemicals and IT under the Act's purview. The Act enables agencies to reach sufficiency agreements with pipelines already falling under the existing DHS directive, exempting them from the law.

