SAN FRANCISCO - The streamlining of incident reporting is a large part of the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), and at RSA Conference this week, a CISA official outlined how it is laying the groundwork for the backend processes related to collecting and analyzing the information in these reports.
In the weeks since CISA released the proposed details for CIRCIA - a law passed by the Biden administration in 2022 that directed CISA to develop and implement requirements for critical infrastructure entities to report incidents and ransomware payment information to the agency - it has received feedback from public and private sector organizations, mostly centered around how it has defined what a covered incident is, and what types of information are considered reportable, said Brandon Wales, executive director with CISA during a panel at RSA Conference.
“The goal is to get it right and craft a rule that maximizes the benefits… It’s about spotting campaigns earlier, it’s about novel tactics and techniques, and it’s ensuring that the government, importantly, has insights into what’s happening across the entire cyber ecosystem, not only so it can take action, but also so that we can take understand the impacts of policies that we make,” said Wales. “Today, when the U.S. government decides on various policy initiatives, we don’t fully know the impact they are having on the ground because we don’t have consistent reporting for critical infrastructure… This will be an important tool to make sure we are calibrating what we do better in the future.”
The law, which will go into effect in 2025, will also mark a shift for CISA in the scale and scope of reported incidents that it receives. The rules apply to an estimated 316,244 entities across the 16 critical infrastructure sectors. Currently, Wales said that CISA opens up to 150,000 tickets in its operation center annually for incidents reported by government agencies. Wales said that CIRCIA will increase the number of reports from the private industry, and CISA in its proposed rules estimated that a total of 210,525 CIRCIA reports would be submitted through 2033.
A critical piece in keeping up with the sharp increase will in part come down to funding from Congress. CISA also estimated that the cost of the proposed rule would be $2.6 billion over the course of 11 years, driven by “initial costs associated with becoming familiar with the proposed rule,” as well as recurring data and records preservation requirements, and help desk calls and enforcement actions. Wales said that CISA needs the appropriate level of resources to develop and sustain modern systems and get the right people on board to analyze the influx of data at scale.
However, “we’re not necessarily concerned about the scale of reporting,” said Wales. "We’re putting in place technology in that will… enable improved analytic work inside CISA and improve the relationship even with our existing interagency partners.”
Part of the incident reporting rules also ties into an overall effort to better harmonize and streamline incident reporting rules across the board in the government, and for CISA that will require the ability to share analyzed information to support policy decisions, threat intelligence and overarching trends in the cybersecurity threat landscape. As part of these efforts, CISA is building on existing processes it already has in place with various regulators. For instance, CISA currently collects information on significant security incidents reported by transportation entities under TSA’s security directive and provides it to the TSA in real time.
“By the time the CIRCIA rule is final… I think we’ll be very confident that reports that come in can go to agencies that are required to receive them,” said Wales.