No consensus on creating a unified US cyber incident reporting framework

On the heels of a string of high-profile breaches, in March 2022, US President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), which mandates that the Cybersecurity and Infrastructure Security Agency (CISA) develop and implement regulations requiring critical infrastructure organizations to report cyber incidents and ransom payments to CISA. The bill requires critical infrastructure operators to tell CISA within 72 hours of when a cyber incident has occurred. The law also requires organizations to report ransom payments within 24 hours of making the payments.

In September 2022, CISA issued a wide-ranging request for information (RFI) asking for public feedback on many questions that would feed into its notice of proposed rulemaking (NPRM). CISA plans to issue its NPRM in March 2024. According to press reports, the Cyber Incident Reporting Council established under CIRCIA expects to send to Congress this summer proposed recommendations on developing an incident-reporting framework across crucial agencies and regulatory bodies.

CISA received 131 comments in response to its RFI by the November 14, 2022, deadline. The agency also hosted 30 “listening sessions” with various industry groups from September 2022 through January 2023.

An examination of selected comments submitted to CISA reveals how challenging the task of creating an overarching cyber incident reporting framework will be. The commenters diverged on a host of the central questions posed by CISA, including how to define which entities should be covered, which kinds of cyber incidents should be reported, how soon incidents should be reported, how they should be reported, and how the sensitive reported information should be protected.

The commenters rarely completely agreed on how CISA should proceed, particularly regarding who should be obligated to report. Moreover, many of the commenters advocated narrowing the reporting requirements with exclusions or criteria that would eliminate many cybersecurity incidents. Finally, most commenters recommended aligning CISA’s reporting framework with those developed for specific sectors, which could make CISA’s ultimate framework unwieldy to implement.

The following summary highlights only some primary threads from the CISA’s NOI reply comments.

Which entities should be covered?

The commenters varied widely regarding which entities should be covered by the incident reporting rules. Several commenters stressed that CISA should apply size thresholds to weed out smaller entities. For example, the Independent Community Bankers Association said that for the Financial Services Sector, “covered entities” should only include banks with $50 billion or more in assets. The American Water Works Association, representing tens of thousands of primarily small water companies across the US, likewise advocates limiting reports based on size, suggesting a population threshold of customers served starting at 3,300.

Energy provider Exelon offered a more complex approach, saying that the definition of covered entity should be consistent with the definition of critical infrastructure provided in section 2240(5) of the Homeland Security Act and based on:

• Consequences that disruption to or compromise of the entity could cause to national security, economic security, or public health and safety
• The likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country
• The extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure

Several commenters recommended a risk-based approach in determining what constitutes a covered entity. NCTA – The Internet & Television Association said that consistent with previous policy-based approaches, the “types of entities that constitute covered entities” should be based on risk-based criteria. These criteria include “the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety,” “the likelihood that a malicious cyber actor may target such an entity, and “the extent to which damage, disruption, or unauthorized access to such an entity . . . will likely enable the disruption of the reliable operation of critical infrastructure.”

On the other hand, Microsoft was among the commenters who advocated a more encompassing approach to defining covered entities, saying a risk-based approach is too difficult to implement. The software giant told CISA that “the definition should incorporate existing federal critical infrastructure regulation. The term covered entity should include any entity designated as critical infrastructure by other federal law or authority, including an executive order or presidential policy directive, or is otherwise subject to federal law or regulation as a critical infrastructure operator.

Advocating narrow definitions

To limit the burdens organizations would face if they had to report every minor mishap, many commenters advocated narrow definitions of which incidents to report. NTCA – The Rural Broadband Association argued that covered cyber incidents should include only confirmed incidents that significantly disrupt a provider’s ability to operate core functions and exclude attempts that seek to disrupt them if they don’t rise to that level.

The Municipal Information Systems Association of California (MISAC) said that the definition of a covered incident should be as specific as possible, identifying the criticality or scope of the incident that requires reporting and excluding “external cyber events, natural or man-made, that targets critical infrastructure services including but not limited to DDoS, phishing attempts, provider issues, or natural disaster with no successful infiltration into the agency network, systems, or data.”

Cloudflare argued that any definition of a covered incident should be narrow and specific and encompass only incidents that involve a loss of data, a loss of personally identifiable information (PII), a loss of trade secrets, a financial loss due to degradation, or a substantial disruption of a covered entity’s services.

72-hour cyber incident window with caveats

Although CIRCIA stipulates a 72-hour reporting period, many commenters view that time frame as infeasible. HIMSS Electronic Health Record Association, for example, said that CISA should “provide flexibility for Covered Entities to only include information they have been able to verify in the initial 72-hour report. Requiring all of the elements identified in CIRCIA at 72 hours will not be feasible and would contribute to delays in reporting and divert resources from efforts of the Covered Entity to recover and resume normal operations.”

Like other commenters, NTCA – The Rural Broadband Association argued that the 72-hour window should be considered a minimum time frame. “Cyber incident reports also should not be required until a minimum of 72 hours after a covered entity has confirmed a cyberattack disrupting the provider’s core, transport, and/or access networks has occurred. Covered entities need time to investigate and mitigate an intrusion before reporting to the government. This will also result in more effective incident reports as the reporting entities will have a clearer picture of the incident, making CISA better aware of the tactics used to carry out the cyber-attack, NTCA said.

NTCA’s counterpart, NCTA, suggests that the 72-hour clock should not start until the confirmation and containment of an incident as a “substantial incident.” The National Association of Manufacturers suggests that the 72-hour clock should start once a covered entity “reasonably believes” an incident occurs because “the days following discovery of a major cybersecurity incident are often characterized by inconclusive data and mixed presentations of information that require an all-hands-on-deck effort within an enterprise to investigate and respond to the threat.”

Harmonize cyber incident reporting requirements to reduce burdens

The one area of consensus among most of the commenters is that CISA should take great care to align their reporting requirements with those from other regulatory bodies, some of which, such as those from the Federal Communications Commission (FCC) and the Securities and Exchange Commission (SEC), are still evolving. Most also point to potential overlap with other governments’ reporting requirements, including the European Union’s General Data Privacy Regulation (GDPR) and state-level breach reporting requirements.

The National Association of Manufacturers acknowledges the 72-hour reporting deadline is consistent with the GDPR data breach standard, adding that “Any labor-intensive reporting requirements would divert a company’s internal resources from responding to an attack and add unnecessary layer to an already complex situation.”

Several commenters in the power sector point to the already extensive reporting requirements applied to electricity providers, including regimes overseen by the Department of Energy (DOE) and the Federal Energy Regulatory Commission (FERC). The American Public Power Association (APPA), and the Large Public Power Council (LPPC) said, for example, “Given the existing incident reporting regimes overseen by FERC and DOE, CISA should engage in direct and deep consultation with FERC and DOE as it works to implement CIRCIA. Moreover, CISA must take into account existing data breach reporting requirements at the state level. To improve the threat landscape and associated awareness of it, it will be critical to work with existing infrastructures wherever possible to allow single-point reporting with the government being responsible for sharing information internally in a need-to-know environment, rather than imposing multiple reporting obligations on an impacted entity, which may also be dealing with a live cybersecurity event.”

Flexibility and confidentiality for cyber incident report submissions

In terms of how covered incidents should submit reports to CISA, the commenters touched on a range of topics, including whether organizations can report through third parties such as information sharing and analysis centers (ISACs), how they receive report submission confirmations, and the degree to which CISA will keep any reports confidential.

The North American Electric Reliability Corporation advised CISA to require covered entities to clearly identify that they are reporting an incident under CIRCIA, as opposed to a voluntary share, and develop an automated mechanism to confirm receipt of a CIRCIA report from a covered entity or a third party on behalf of a covered entity.

The National Rural Electric Cooperative Association said that CISA should be flexible in how reports are submitted, including machine-to-machine and other reporting methods, and asks CISA to use the current structure of the electricity subsector regarding content and submission procedure.

Some commenters expressed concerns over how CISA could keep the reports confidential. NCTA, for example, said, “Much of the information reported to CISA under CIRCIA will be highly confidential and competitively sensitive. To protect such information, CISA should consider treating incident reports as covered either by DHS’s PCII Program or an equivalent program. The PCII Program establishes uniform procedures for the receipt, care, and storage of critical infrastructure information submitted to DHS to protect sensitive data against disclosure through FOIA requests, state and local disclosure laws, use in regulatory proceedings, and use in civil actions.”