It has been a year since the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) was signed into law by President Biden and security leaders are sharing their thoughts on the legislation.
CIRCIA requires critical infrastructure owners and operators report ransomware payments to the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.
“Conceptually, this was an excellent step toward securing critical infrastructure. While there is an understandable reluctance, especially in the private sector, to share information about cyberattacks, the cybersecurity community needs more information sharing if we're ever going to get ahead of threat actors and stay there,” said Mike Parkin, senior technical engineer at Vulcan Cyber. “By sharing information, even sanitized and redacted information, about security events we can analyze the attacks and improve our defenses overall. Keeping the details secret may save face and possibly keep some data from the hands of competitors, but that kind of secrecy doesn't make the world safer as threat actors have been able to count on that secrecy to retain their advantage.”
Chief Security Advisor at Tanium, Timothy Morris, said it seems CISA has been more vocal over the last year, especially with their known exploited vulnerability (KEV) announcements.
“However, that isn’t a part of this new law. As with most new laws, enforcements and audits take some time to ramp up,” Morris added. “Some agencies were already ahead of reporting requirements, like the SEC which has very tight reporting windows. They seem to be going stronger requiring more transparency with the details of a cyber incident or breach. In contrast, other agencies are further behind on reporting requirements, like the FCC (although they have new guidelines proposed).”
Morris said it will benefit the industry once all agencies have consistent requirements, not just for critical infrastructure or the financial industry.
“Sadly, in my opinion, the laws and regulations are necessary because self-regulation hasn’t worked to protect the public with regards to cybersecurity,” Morris said. “The impact attacks and breaches have had has shown that.”
Not long after CIRCIA was signed into law, CISA and the Federal Bureau of Investigation (FBI) established the Joint Ransomware Task Force (JRTF) in September 2022 to coordinate a nationwide campaign against ransomware attacks. And in January of this year CISA established the Ransomware Vulnerability Warning Pilot (RVWP) Program to identify the most common security vulnerabilities used in ransomware attacks and to identify information systems that already contain these vulnerabilities.
Bud Broomhead, CEO at Viakoo, agrees that CIRCIA is a key milestone in moving critical infrastructure —and organizations in general — toward more awareness and coordinated response to cyber threats.
“It’s not the destination (secure and resilient infrastructure), but an important waypoint toward it,” Broomhead said. “As the attack surface within critical industries has shifted towards IoT/OT/ICS vulnerabilities, CIRCIA has been forward-thinking in its focus on these types of vulnerabilities, and has acted as an accelerant to industry-level information and best practice sharing. As CIRCIA heads towards having final rule defined it is doing so with significant industry discussion and involvement.”
By March 2024 CISA is required by CIRCIA to publish a Notice of Proposed Rulemaking and open it for public comment.
“As we approach the halfway mark for CISA to issue a Notice of Proposed Rulemaking (NPRM) under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, it is clear both how transformational this and other cybersecurity transparency laws will be, but also how seriously CISA is taking this,” said Claude Mandy, chief evangelist, data security at Symmetry Systems. “CISA is asking for $98 million in funding to administer the incident reporting program; and has spent the last months gathering input from stakeholders across the country to ensure the first draft of its proposed rule considers their concerns.”
Mandy continued that despite the thoroughness of the CISA approach, a lot of organizations that fall into the current definition of a “covered entity within Designated Critical Infrastructure Sectors” will unfortunately remain unprepared and unaware of the implications of CIRCIA.
“Although organizations will have 18 months from the NPRM until the final rule is enacted, the transformation required in this timeframe for organizations to be able to produce an accurate assessment of the scope and impact of a cybersecurity incident within 72 hours feels daunting,” Mandy added. “Given that CISA has strongly encouraged organizations to voluntarily share cyber event information with CISA throughout the rulemaking period, it will be interesting to see how much information organizations have volunteered to date and whether that starts to increase as we get closer to the effective date.”