The U.S. Congress has passed a significant new cybersecurity law that will require critical infrastructure entities to report material cybersecurity incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 and 24 hours, respectively. The reporting requirements will cover multiple sectors of the economy, including chemical industry entities, commercial facilities, communications sector entities, critical manufacturing, dams, financial services entities, food and agriculture sector entities, healthcare entities, information technology, energy, and transportation. CISA must promulgate a proposed implementing regulation within 24 months of the enactment date of March 15, 2022, and a final regulation no later than 18 months thereafter. The effective date of the act’s reporting requirements will be set by the final rule.
Background. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) is intended to provide the federal government with a better understanding of the nation’s cyberthreats and to facilitate a coordinated national response to ransomware attacks. The FBI currently provides an avenue for voluntarily sharing information about cyber incidents and estimates that only a quarter of cyber incidents are actually reported to the FBI. Separately, current Department of Homeland Security (DHS) Transportation Security Administration (TSA) directives impose cybersecurity and reporting requirements on designated transportation operators and pipelines. Existing directives require select transportation and pipeline entities to report to CISA, within 24 hours, those cyber events that have the potential to disrupt operations. CIRCIA now provides that federal agencies may enter into agreements regarding the sufficiency of any such existing, substantially similar reporting obligations. When such agreements are in place, the reporting entity is exempt from the new reporting requirements imposed by CIRCIA.
Reports to CISA. CIRCIA was quickly included and approved as part of federal omnibus appropriations legislation, which passed on March 11, 2022, and was signed by President Joe Biden on March 15, 2022. CIRCIA garnered bipartisan support in light of increased national cybersecurity risk in the wake of the Russian invasion of Ukraine. The act requires the reporting of significant cyber incidents or ransomware payments to the Director of CISA for evaluation by the DHS National Cybersecurity and Communications Integration Center (Center). Supplemental reports for both types of events will be promptly required, and covered entities will be required to preserve data relevant to the reporting.
Cyber Incident Report. The legislation requires reporting within 72 hours by “covered entities” within the critical infrastructure sector that reasonably believe a “covered cyber incident” has occurred. To be refined by the forthcoming rules, “covered entities” will be identified from within the currently designated “critical infrastructure sector” as defined in the existing Presidential Policy Directive 21. The definition of “covered cyber incidents” will also be refined in proposed rules to be promulgated within 24 months of enactment. However, the rules will be subject to the criteria and definitions in the act and the definitions in the Homeland Security Act of 2002, codified at 6 U.S.C. 651, et seq. As presently set forth in the act, covered cyber incidents are “a substantial cyber incident experienced by a covered entity that satisfies the definition and criteria established by the Director in the final rule ….” Section 2240(4). CIRCIA indicates that reporting will not be required for incidents that may have posed a threat but were not realized (“cyber incident … does not include an occurrence that imminently, but not actually, jeopardizes (i) information on information systems; or (ii) information systems”). See Section 2240(6)(B). Rather, the act provides guidance that a “‘significant cyber incident’ means a cyber incident, or a group of related cyber incidents … likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.” Section 2240(16).
It appears that the focus will be on cyber incidents that lead to substantial loss of confidentiality, integrity, or availability of a system or network; seriously affect the safety or resiliency of systems; or disrupt business or industrial operations. These can include incidents caused by a variety of attacks, such as
- a denial-of-service attack,
- a ransomware attack,
- an exploited zero-day vulnerability,
- the compromise of a cloud service provider, managed service provider or other third-party data hosting provider, or
- a supply chain compromise.
However, not all such attacks will necessarily be considered a covered cyber incident under the rules. The act acknowledges that, for example, not all ransomware attacks will also satisfy the definition of a covered cyber incident. See Section 2241(a)(6) (“… for a covered cyber incident, including a ransomware attack, that also satisfies the definition of a significant cyber incident, or is part of a group of related cyber incidents that together satisfy such definition …”). Rather, depending on the definitions in the final rule, critical infrastructure entities may need to engage in a fact-dependent analysis similar to the analysis of a material cybersecurity event under Securities and Exchange Commission cybersecurity regulations. In crafting the definition, CIRCIA calls on CISA to consider the sophistication of the attack, the type and volume of information affected, the number of individuals potentially affected, and the impact on systems.
While many of the details of the reports will be determined by CISA regulations, the act does provide a general framework for what the reports should include. The reports to CISA must, at a minimum, describe the affected systems, the unauthorized access and the impact on operations, and the estimated date range of the incident. Entities might also be required to provide a description of the vulnerabilities exploited and the defenses in place; what information might have been accessed by the unauthorized person; and general contact information about the reporting entity. For ransomware attacks, CISA may also require information about any actors believed to be responsible. Information collected may be shared with other federal agencies for specific cybersecurity or threat-prevention purposes.
Supplemental Reports. Critically, the act requires not just an initial report within 72 hours but also supplemental reporting if facts materially change, as well as a filing stating that the incident is resolved and “fully mitigated.” Specifically, the act states that covered entities “shall promptly submit to the Agency an update or supplement to a previously submitted covered cyber incident report if substantial new or different information becomes available or if the covered entity makes a ransom payment after submitting a covered cyber incident report … until such date that such covered entity notifies the Agency that the covered cyber incident at issue has concluded and has been fully mitigated and resolved.” Section 2242(a)(3). It will be important to monitor the development of the regulations to identify whether the Secretary provides guidance on what it means to be “fully mitigated and resolved” — a difficult concept in a world of multilayered dependencies and ever-present vulnerabilities or opportunities for cyber improvement.
Ransomware. The act requires detailed reporting of ransomware payments within 24 hours of payment. Reportable payments include the transmission of any money, property, or asset, including virtual currency, delivered as ransom in connection with a ransomware attack. A “ransomware attack” is “the use of threat or use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment.” Critically, ransom payments must be reported even if the incident does not meet the definition of a covered cyber incident.
Reports to the Center. Reports submitted to the Center will be reviewed to analyze national cybersecurity threats, and the Center will publish periodic, unclassified reports. Under the law, the CISA Director has subpoena power to collect information after an entity fails to respond to a request for information. The Department of Justice may then act on a referral from the Director of CISA and file a civil enforcement action for failure to comply with the subpoena. However, there is no private right of action for failure to report.
Information collected by the Center will also be shared with other federal agencies and Congress. Certain victim information within reports will be anonymized. Importantly, federal, state, local, and tribal governments are prohibited from using the information from reports to regulate or engage in an enforcement action. Reports are also considered proprietary information and are exempt from Freedom of Information Act disclosure. A Joint Ransomware Task Force is to be created within 180 days.
Cybersecurity Reporting Harmonization. The law requires the Secretary of Homeland Security to convene an intergovernmental Cyber Incident Reporting Council to coordinate and harmonize incident reporting requirements. Within six months of convening the council, the Secretary must issue a report to Congress identifying duplicative federal cybersecurity reporting, laying out the challenges of harmonizing regulations, and describing efforts and proposals to harmonize regulations.
Mixed Response From Senior Government Officials. CISA Director Jen Easterly has been a vocal advocate for the law. “CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” Easterly explained. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”
Other senior officials in the Biden administration have been more critical. For example, FBI Director Chris Wray said the law “has some serious flaws” and “would make the public less safe from cyber threats” because it would slow down the FBI’s response to hacks and hamper the government’s ability to identify and disrupt other ongoing attacks.
Deputy U.S. Attorney General Lisa Monaco echoed Wray’s concerns, saying, “This bill as drafted leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats.”
Next Steps. Entities, particularly those within the critical infrastructure sector, should monitor the proposed rules to be promulgated and provide comment as necessary. Those in the critical infrastructure sector also will need to be prepared to begin reporting upon publication of the final rules.
To prepare, entities should follow the development of the CISA implementing regulations, review and update their incident response plans, and develop further refined internal reporting procedures. Those with established, prompt internal reporting processes will be best positioned to comply. Entities should require internal reporting of any suspected cyber incident to a central, internal collection point, whether or not the event has been fully investigated. Internal training should be refreshed. Data retention demands should also be anticipated.