Just over a year ago, the White House released its long-awaited National Cybersecurity Strategy.[1] It focuses on protecting critical infrastructure,[2] promoting public-private collaboration,[3] and preserving the availability of the 16 sectors whose assets, systems, or networks are deemed critical to national security, public health, or safety.
A year can seem like an eternity in the cybersecurity threat landscape. This was driven home in January by the FBI director, who appeared before a House subcommittee to report that China had launched a massive hacking operation aimed at sabotaging the U.S. power grid, oil pipelines, and water systems, and warned that the effort was being strengthened.[4]
Low-level attacks on civilians are part of China's plan. Chinese hackers are camped out on American infrastructure, ready to wreak havoc on American citizens and communities and cause real-world damage should China decide the time is right for an attack.
Russia is also gaining momentum. A 44-page report released this week by cybersecurity firm Mandiant[5] describes how a group calling itself CyberArmyofRussia_Reborn hacked "multiple local water infrastructure systems in the United States." As confirmed in early February, two of those systems are in Texas.[6]
As if on cue, the Cybersecurity and Infrastructure Security Agency (CISA) announced three priorities for its public and private partners in mid-February: (1) defending against Advanced Persistent Threat (APT) operations, (2) raising the cybersecurity baseline, and (3) anticipating emerging technologies and risks.[7] According to CISA, these priorities leave room for adjustment.
On March 27, 2024, CISA published a Notice of Proposed Rulemaking under the Critical Infrastructure Incident Reporting Act of 2022 (CIRCIA). The rule touches all three priorities, especially the second. The final rule is expected in 2025, with reporting requirements taking effect in 2026. Interested parties have until June 3, 2024 to submit comments.
I. CIRCIA — Who and what is covered?
At its core, CIRCIA requires critical infrastructure entities to report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours. It applies to entities in the 16 critical infrastructure sectors listed in Presidential Policy Directive 21 (PPD-21),[8] illustrated here:
CISA estimates that there are 316,244 entities that could be affected by this proposed rule.
Significant cyber incidents
CIRCIA defines a significant cyber incident as one that leads to any of the following:
- a substantial loss of confidentiality, integrity, or availability of the covered entity's information systems or networks;
- a serious impact on the safety and resiliency of operational systems and processes;
- a disruption of the entity's ability to engage in business or industrial operations, or to deliver goods or services; or
- unauthorized access caused by (1) a compromise of a cloud service provider, managed service provider, or other third-party data hosting provider, or (2) a supply chain compromise.
The proposed rule gives 10 examples of incidents likely to qualify as significant cyber incidents, such as a distributed denial-of-service attack that leaves a covered entity's services unavailable to customers for an extended period, or a ransomware attack that locks a covered entity out of an industrial control system.
CIRCIA reporting requirements
Covered entities must report a significant cyber incident within 72 hours of "reasonably believing" that a reportable incident has occurred, similar to the NCUA's recent 72-hour reporting rule for some financial institutions.[9] Covered entities are not required to determine the cause of the incident before reporting, though they may need additional time to do so.
When CIRCIA was passed in 2022, CISA identified "10 Key Elements to Share" as part of its reporting requirements.[10] The rulemaking process has expanded this to require more detailed information, including a description of the covered entity's security defenses, indicators of compromise, and descriptions, copies, and samples of malicious software.
Notice of a ransom payment must be submitted within 24 hours even if the ransomware attack that prompted the payment was not itself a significant cyber incident. A ransom payment report should generally include the same or similar detailed information required for a significant cyber incident, and should also describe incident response efforts.
The proposed rule would also require covered entities to submit a supplemental report if new or different information becomes available after the initial report, or if a ransom payment is made. To reduce duplicative notifications, CISA may enter into "CIRCIA agreements" with other federal agencies that establish information-sharing mechanisms.
Liability protection and enforcement
CIRCIA reports are exempt from disclosure under the Freedom of Information Act and may not be "received in evidence, subject to discovery, or otherwise used in any trial, hearing, or other proceeding in or before any court, regulatory body, or other authority of the United States, a State, or a political subdivision thereof."
CISA can also request, or subpoena, information if it believes a covered entity has failed to report a covered cyber incident or ransom payment. In addition, criminal penalties under 18 U.S.C. 1001 may apply to anyone who knowingly and willfully makes a materially false or fraudulent statement in connection with a CIRCIA report.
II. NIST releases new incident response recommendations
Although CIRCIA does not take effect until 2026, it builds on standards many covered entities should already have in place: (1) a cybersecurity incident response plan, (2) a cybersecurity risk assessment, and (3) a written information security program, which is without doubt already mandatory for many. Each of these should be reviewed and updated for CIRCIA compliance.
Coincidentally, on April 2, 2024, the National Institute of Standards and Technology (NIST) posted for public comment its Incident Response Recommendations and Considerations for Cybersecurity Risk Management.[11] These recommendations carry weight because NIST guidance is recognized by various federal regulations and by some state cybersecurity laws.
The recommendations are in draft form. They incorporate the groundbreaking version 2.0 of the Cybersecurity Framework that NIST released in February and essentially update the Computer Security Incident Handling Guide released in 2012. Two statements stand out:
- Lessons learned from incident response activities and root cause analysis can help improve cybersecurity risk management and governance efforts.
- Incident response has evolved into an important part of cybersecurity risk management, and the concept of the incident response lifecycle has changed to reflect this.
With the advent of CIRCIA and other cybersecurity regulations, and the influx of "adversarial AI" cyberattacks, incident response will become a focus of legal and compliance obligations. Improvements in governance are expected; technical perfection is not. A month ago, CISA itself announced that it had been successfully hacked.[12]
[1] https://www.polsinelli.com/kurt-r-erskine/publications/its-here-the-new-national-cybersecurity-strategy
[2] https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf
[3] https://www.jdsupra.com/legalnews/leveraging-public-private-collaboration-2851378/
[4] https://www.nytimes.com/2024/01/31/us/politics/fbi-director-china-wray-.html#:~:text=Christopher%20A.%20Wray%2C%20director%20of,of%20a%20Conflict%20over%20Taiwan.
[5] https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf
[6] https://www.wired.com/story/cyber-army-of-russia-reborn-sandworm-us-cyberattachs/?
[7] https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative/2024-jcdc-priorities
[8] Presidential Policy Directive — Critical Infrastructure Security and Resilience, White House: Office of the Press Secretary, https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil
[9] https://www.polsinelli.com/alexander-d-boyd/publications/how-credit-unions-can-prepare-for-3-day-cyber-report-rule
[10] https://www.cisa.gov/sites/default/files/2022-11/Sharing_Cyber_Event_Information_Fact_Sheet_FINAL_v4.pdf
[11] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
[12] https://www.cybersecuritydive.com/news/cisa-attacked-ivanti-cve-exploits/709893/