CISA faces resource challenge in implementing cyber reporting rules
After the Cybersecurity and Infrastructure Security Agency’s 447-page proposal for when critical infrastructure entities will have to report breaches landed with a heavy thud last week, experts say that now comes the hard work of figuring out whether the agency has the resources it needs to implement the requirement and digesting the huge amount of data it is about to receive.
Thursday’s notice of proposed rulemaking sets the stage for a landmark shift in how the U.S. government understands the prevalence and severity of cybersecurity incidents.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 creates for the first time requirements for critical infrastructure owners and operators to notify the government when they have been breached. The proposed rules represent CISA’s guidelines for how and when incidents are reported.
“We’re in a world where you can have reputable companies issue reports very close in time that show different trends and both of them being right because it’s based on the data they have. That’s a bad place to be because it means that you don’t really have ground truth,” said Michael Daniel, president and CEO of the Cyber Threat Alliance.
Questions like whether the number of ransomware attacks are increasing or decreasing depend on which organization is providing the information and which networks, clients, and datasets they can access. That may work fine for a single company, but when it comes to policy decisions from governments, a patchwork of information is not ideal.
On its face, incident reporting is a seemingly simple request — certain organizations need to report to CISA if a drastic enough cyber incident occurs — but the particulars of implementing such a requirement are staggeringly complex. The proposed rules are rife with exceptions, definitions, and rules that are going to face intense scrutiny by the companies that own and operate critical infrastructure.
Beginning this Thursday, industry groups have 60 days to comment on the proposed rules, and one area likely to face particular scrutiny is how CISA defines who is covered by the rules and what defines a reportable incident.
Caleb Skeath, a partner at the law firm Covington & Burling who advises clients on incident response, said “there is not necessarily bright line differentiators between what is and what is not a covered cyber incident.”
“A lot of these prongs or criteria refer to substantial losses of confidentiality, integrity, or availability or serious impact on safety and resiliency. A lot of that can be in the eye of the beholder and it could be a difficult judgment call to make in the heat of the moment,” Skeath said.
Privately, critical infrastructure officials say they are still trying to digest the lengthy proposed rules and attempting to make sense of a huge document.
And experts see the current moment as one in which both the private sector and CISA need to prepare for a set of rules that are going to have a major impact on the work of both government cybersecurity workers and infrastructure owners and operators.
“We have 18 months before this is going to come into effect. In those 18 months, I think CISA and the private sector need to see this as a ramping-up period,” said Elizabeth Vish, senior director for international cyber engagement at the Institute for Security and Technology.
Infrastructure operators, especially those who currently don’t have a reporting mandate, need to ensure they can quickly report an incident with as much correct information as possible — while under the duress of attack.
“On the other side, CISA needs to use these 18 months to build up their capacity to take in information, analyze it, anonymize it, draw out the useful, most important lessons and figure out how to push that information out in a way that helps defend critical infrastructure,” Vish said.
CISA already gathers and shares information from industry, but CIRCIA’s reporting requirements will create a massive increase in the information collected by the agency. Analyzing that data and reporting it back out in an actionable way to an industry that has long been skeptical of the quality of information supplied by the federal government represents a major challenge.
“CISA is going to have to do a good job of publishing aggregate statistical data from this,” Daniel said. “They’re going to have to treat this like they are a statistical agency, in the sense of producing a lot of reports and making it very transparent.”
The agency expects to receive around 25,000 incident reports annually, but due to the lack of quality cybersecurity data, it is difficult to assess the accuracy of that estimate.
The ruling also represents CISA’s first foray into taking on a regulatory role that it has long resisted, a development that may test the collaborative relationships that currently underlie much of the agency’s work.
“I think they can keep the relationships they’re trying to grow, but they have to show utility from what they get the information for,” said Ari Schwartz, managing director of cybersecurity services at Venable LLP and the coordinator for the Cybersecurity Coalition, an industry group. “If it’s going to be more of the same, there is going to be a lot of skepticism.”
Ingesting and analyzing incident data may prove challenging to CISA due to recent budget constraints. The agency is increasingly becoming a target for far-right conspiracies and faces a funding shortfall on its CIRCIA-related work.
“I think that there is a question as to whether they really do have the right resources now and have enough money to build the resources to be able to do the analysis that they’re going to need to do in order to make a difference,” Schwartz said.
In a briefing with reporters last week after the release of the proposed rules, a CISA official acknowledged the agency’s funding challenges, saying that the budget for CIRCIA “came in a little less than our request … so we’ll be working through exactly what that means.” The official added that they expect CISA to be able to implement the reporting requirements with the funds available.
Among the unanswered questions related to the rule is how CISA plans to use incident reporting data to inform its response work of identifying and mitigating breaches. The proposed rules include references to incident response and mitigation, but it is not clear how CISA plans to approach that issue.
CTA’s Daniel said CISA needs to have a process to filter out potential incident response requests so the agency is not expected to be involved in every incident and only responds to those that reach a certain threshold.
“The resource issues are real,” Daniel said. “That is probably going to be a process in the works — how you triage through these reports to actually figure out which ones actually require direct government intervention, or attention to, versus just being part of the broader pool of information.”