CISA cyber reporting mandate faces tough road

Illustration: Si Weon Kim

Experts say that proposed cyberattack disclosure rules affecting U.S. critical infrastructure could prove onerous, especially for already-understaffed organizations in rural areas and small towns.

A coalition of trade associations and cybersecurity policy organizations is asking the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to extend the public comment period on a proposed rule that would require businesses operating in the 16 critical infrastructure sectors to report cyberattacks due to broad concerns about the measure.

The 447-page proposed rule, which in its current form would affect as many as 316,000 businesses, was published on April 4 with a 60-day period for public comment. It implements a 2022 law, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), that Congress passed after high-profile ransomware attacks on Colonial Pipeline and JBS. (The former led to gasoline shortages in parts of the South and the East Coast; the latter disrupted meat production and distribution throughout the U.S.)

The day after the rule was published, a letter from more than two dozen technology, cybersecurity and industry trade groups asked CISA to extend the comment period to 90 days, noting the “extensive and intricate” nature of the proposal, and arguing that “its length and depth necessitate a comprehensive review process to ensure that all stakeholders fully understand its implications.”

The request, and the broad support it enjoys, suggest that CISA might face a rocky road as it moves to implement the rule.

“Extremely burdensome”

Critics charge that the rule’s reporting requirements—which require companies to submit technical details about cyber incidents within 72 hours; update that reporting with any new information they find, as often as necessary; and then retain all the data they collected to make those reports for two years—are overly burdensome.

Moreover, these requirements would be placed on many businesses that might never have had to deal with government reporting mandates, pointed out Megan Brown, an attorney specializing in cybersecurity and data governance. Those businesses would have to develop systems to retain and analyze the data they would need in the event of an incident, she said.

“Even a company which [already] has a robust data security program is going to have to build something new to gather up all that information [about cyber incidents], validate it, provide it to the government, and then supplement it thereafter, if new information emerges,” said Brown, a former senior advisor to U.S. Attorney General Alberto Gonzales. “It’s extremely burdensome.”

CISA declined to make an official available for interview, but defenders of the rule played down the bureaucratic burden. Faced with a “plethora of reporting requirements,” said data privacy consultant Paul Rosenzweig, companies can “take the least common denominator and do the same for everybody … If one report is required at 72 hours and another at 96, you just submit them both at 72 and you’re done.”

Rosenzweig, who served as a senior policy official at the Department of Homeland Security (DHS) under Secretary Michael Chertoff, compared the multiple reporting requirements for cyber incidents to the 37 state privacy laws companies already have to comply with. “It's the nature of a federal system. But it's also the nature of a global system. Because not only do we have reporting requirements here, but if you're in Europe, you've got [different] reporting requirements there, too.”

Ultimately, Rosenzweig told README he was skeptical about the pushback against the rule. “Businesses rightly complain about overly burdensome paperwork. But they tend, I think, to gild the lily a bit,” he said.

But Brown, a partner at law firm Wiley Rein, said she had worked on incident response to cyberattacks for large corporate clients, and disputed the comparison to state data privacy laws.

“It's not a small thing to comply with what the government is proposing here,” she said, pointing out that companies typically have a multi-stage review process for incident response information submitted to regulators. “You're submitting it under penalty of perjury, so someone's got to make sure it's accurate,” she said. “You have to review the information, you get a subject matter expert to verify that it's correct. You have to have a lawyer look at it, to make sure you're reporting the right elements. And then you go to whatever portal or website it is [to input the data], it takes an immense amount of time.”

Duplication and harmonization

That burden was multiplied, Brown said, by various state and federal agencies imposing overlapping reporting requirements.

A congressionally mandated report last year on cyber incident reporting identified 45 separate federal reporting requirements set by law or regulation administered by 22 different federal agencies. It also found seven proposed new or amended reporting requirements that were then moving through the rule-making process.

Brown gave a hypothetical example of a company that was a government contractor, required under federal acquisition regulations to report cyber incidents within 72 hours. If it was a public company and the incident met the SEC’s bar for a reportable incident, that report had to be filed within 96 hours. Some health providers are required by U.S. Department of Health and Human Services’ rules to report breaches within one hour, she said.

“So you've got these snapshots of information at a moment in time. And the information that the government wants [for these different snapshots] is almost never the same. And the information is not static. … Let’s say I submit my first report on a Friday night. If on Monday, my team comes back and says, ‘You know what? We thought they only got into these five systems, but now we think they got into seven.’ Well, do you have to report that? I think a lot of companies are going to feel like they should.”

Each supplemental report would have to go through the same multi-stage review process, Brown said, pushing back on the idea that the bureaucratic burdens the proposed new rule would impose were minimal. “I think it's a very big deal. And the government should really think about how much it's willing to burden companies, who are admittedly victims of cyberattacks, in the middle of their response.”

At a background briefing for reporters on the proposed rule, a senior DHS official highlighted the work the department was doing to harmonize duplicative regulatory requirements through the multi-agency Cyber Incident Reporting Council. The council, established by the same CIRCIA law that’s the basis for the new rule, is making recommendations for, among other things, a single government-wide definition of “reportable cyber incident.”

“Incident reporting from our perspective is not necessarily only about the reporting requirements itself but implementing it in a way that is best harmonized for owners and operators,” the senior DHS official said.

Congress will be watching closely. In a statement commending CISA for its work on the proposed rule, Rep. Bennie G. Thompson (D-Miss.), the ranking Democrat on the Homeland Security Committee, called on the administration to “redouble its efforts to promote harmonization.”

“It is Congress’ duty to ensure CISA is a private-sector partner and not another burdensome regulator,” Homeland Security Committee Chairman Rep. Mark E. Green (R-Tenn.) told README via email. “As CIRCIA enters its next phase, the Committee will work to ensure that the final rule furthers regulatory harmonization efforts that provide consistency and clarity in incident reporting requirements––not duplication.”

“It’s broad … because critical infrastructure is broad”

Defenders of the rule argue that its broad application is essential. It’s a reflection of the huge scope of the mandate: to protect the 16 U.S. industry sectors, from retailers and farms to banks and transit systems, that the government deems “critical infrastructure.”

The rule “is broad in terms of its application, because critical infrastructure is broad,” said Elizabeth Vish, a former cyber policy advisor at the State Department who now leads international cyber engagement at the Institute for Security and Technology, a think tank in Washington, D.C.

“They're not asking every private firm in the country to report,” Vish said, “they're asking private firms that are critical to achieving national critical functions.” More than 80% of critical infrastructure in the U.S. is privately owned, and in some sectors, like water, power and transportation, it is often owned by small businesses.

The rule needed to cast a wide net because small electricity or water utilities were no less critical to the life of their communities than large ones, she said, and had to be defended, too. That meant data had to be collected from businesses and organizations of all sizes.

“They're trying to defend the whole pool, so they need to know about incidents in the whole pool,” she said.

The breadth of the rule also reflected CISA’s unique mandate to defend critical infrastructure across all its different sectors, Vish said. Other departments and agencies could play a role in relation to specific industries, like the Department of Energy for the electric grid, but CISA was “the nexus,” she said. “CISA should be the place where people [from every sector] are going with their technical input, and the place where everyone turns for best practices.”

Money, money, money

At the background briefing for reporters, a senior CISA official acknowledged that the agency would have to show a return on the investment they were asking from businesses. “We see this legislation and implementation as a two-way street,” the official said. “We as a department must provide value back to the country and the cybersecurity community” from the data they were collecting.

That value was the key to making CIRCIA work, said Robert Huber, Chief Security Officer for cybersecurity firm Tenable. Specializing in vulnerability detection and management, Tenable’s business won’t be impacted by CIRCIA implementation.

“As a practitioner, to me and my peers, cybersecurity is a team sport. And we all have to contribute to win,” he said. “Properly done, incident reporting enables me to rapidly identify, remediate and set up proactive defenses against cyber incidents. And the more quickly we're able to assimilate that information and share that information, the faster we can all respond, and I think that's a win.”

CISA estimates that it will receive 25,000 reports a year after the rule goes into effect in 2026. Huber said that adequate resources will be essential to fulfill the promise of CIRCIA.

“That's a concern of mine, is making sure that Congress provides adequate funds, so CISA can go through those thousands of reports they’re going to get and review and analyze them, find the center mass, what’s critical and disseminate it out as quickly as possible,” he said.

Automation was the key to speed, Huber added. Currently, advisories from CISA tended to come “in the form of a PDF file or an Excel document … which requires an analyst to go in and mine that information to extract and put it back into our systems.”

Eliminating that step by providing the data through an API or a specially formatted file feed, to enable “machine speed” ingestion by defenders would be “a huge win,” Huber predicted.

CISA’s budget request for fiscal year 2025, which starts in October, includes $116 million for the CIRCIA program, including 122 full-time government staff to “receive, analyze, and action reports,” according to the DHS budget overview.

CISA also plans to roll out “major technology enhancements” for CIRCIA, including a ticketing system for threat reports, a customer relationship management tool and an incident reporting web app.

Redeeming history?

More than a decade ago, in 2012, anxiety about DHS’s role as a regulator helped kill the Senate bill that would have introduced mandatory cybersecurity standards for critical infrastructure. DHS was widely seen as not being capable of regulating cybersecurity standards across multiple sectors.

In that context, the CIRCIA rule-making looks like a chance for CISA to redeem itself and prove it is now worthy of playing in the big leagues.

But there are still those who remain skeptical. While the agency has sought to build a regional presence and expand the services it offers the private sector, it lacks the personnel to make a dent in the problem at scale, said one former senior DHS official, who asked for anonymity to preserve business relationships. And even if CISA can do something with all this data, many of the companies who fall under the new requirements might not be able to do anything with it because they lack even a single full-time IT person, to say nothing of a cybersecurity specialist.

“There’s no one to read the advisories, let alone do anything with them,” the former official said. “How does that help?”