By Michael Daniel, CTA President & CEO, and Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology
Over the past decade, the cyber threat has grown worse. Yet we do not know how much worse the problem has become. What is the overall rate of incidents? How fast is that rate increasing? How does it differ by sector, region, or company size? What defensive actions have proven the most effective? Can we predict where malicious cyber actors might go next? We lack the data to answer these questions sufficiently.
This data shortfall stems from an absence of broad-based reporting. Some sectors, such as financial services, are required to report significant cyber incidents to their regulators, but many sectors are not. Absent a legal requirement, many companies choose not to report cyber incidents to the Federal government at all. Compounding the problem, the data that is reported is not aggregated and correlated across agencies. Our experience over the last decade therefore indicates that voluntary reporting will not generate sufficiently broad information about malicious cyber activity across our digital ecosystem.
Recognizing this shortcoming, Congress passed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) in March 2022. It mandates that companies in critical infrastructure sectors report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA), and it directs CISA to issue a regulation implementing this requirement.
In developing this regulation, CISA asked for input from the private and non-profit sectors. Recently, the Cyber Threat Alliance (CTA) and the Institute for Security and Technology (IST), along with CREST, CipherTrace, Coveware, Cybera, Cybercrime Support Network, Cyber Peace Institute, Open Cybersecurity Alliance, SolarWinds and many others, developed a set of recommendations regarding the regulation CISA is drafting.
To develop our recommendations, IST and CTA drew on the broad expertise available across our networks and examined how the requirement should apply to different kinds of cyber incidents, such as a ransomware attack. For example, members of IST’s Ransomware Task Force from multiple sectors, including law enforcement, blockchain analytics, cyber insurance, and incident remediation, identified the types of information most critical for payment interdiction. CTA and IST also reviewed the existing reporting channels, such as the FBI’s Internet Crime Complaint Center (IC3) form, the Financial Crimes Enforcement Network (FinCEN)’s Suspicious Activity Report, and CISA’s current forms. The resulting collaborative cyber incident reporting framework reflects inputs from across these disparate communities.
We submitted these recommendations to CISA in mid-October. In that document, we recommend that CISA keep the reporting requirement broad in coverage, we propose a definition of a significant cyber incident, and we identify key principles that CISA should follow in drafting the regulation. We also categorize cyber incidents into 10 major types and provide sample reporting formats, complete with information fields, for each type. In particular, we note that CISA should ensure that the reporting process is easy, accessible, and iterative, and that it accounts for the burden placed on organizations in the midst of a cyber incident.
Some fear that the reporting requirements could harm their organizations. Given the potential burden and complexity that could come with a reporting requirement, having concerns is understandable. Aside from worries about the burden of submitting a report in the midst of a crisis, the next two most common concerns are that the data could be used for regulatory enforcement and that the Federal government cannot protect the incident data shared with it. Given these concerns, some organizations are seeking to narrow the reporting requirements as much as possible to avoid being subject to the mandate.
However, these two concerns do not hold up to scrutiny. CIRCIA specifically prohibits the use of information reported through this mechanism for regulatory purposes, directly addressing the first concern about regulatory action. With regard to the second, while adequate data protection is a legitimate concern, the solution is for CISA to invest in effective cybersecurity for incident data – something it should already be doing – not to argue that companies should try to avoid providing data to CISA. In fact, taken to its logical conclusion, this line of argument would say that no one should provide any information of any kind to the Federal government because it might be compromised at some point in the future. Such an approach is simply not workable from a practical point of view and is not a viable basis for objecting to a reporting requirement.
If we want to combat cyber threats effectively, we need better data regarding the number, type, and distribution of cyber incidents across our digital ecosystem. If businesses want more effective warning about ongoing campaigns, the Federal government needs better data to develop those warnings. If we want to impose more costs on our adversaries in cyberspace, we need better, more accurate, more actionable data. The best way, and arguably the only way, to get this kind of data is to implement a broad-based, robust cyber incident reporting requirement.
CIRCIA provided us with the legislative foundation to collect this data. Now, CISA needs to develop the specific rules and mechanism for collecting the information. Our Cyber Incident Reporting Framework proposes such rules and a workable mechanism. It asks the right questions, collects the right data, and underlines core principles on which to build an efficient, effective, and meaningful reporting process. We look forward to working with CISA and the rest of the community in implementing this critical capability.