CISA's Cyber Incident Reporting Proposal - Friend or Foe?


Tom McAndrew

Chief Executive Officer, Coalfire


Mark Weatherford

Chief Cybersecurity Strategist, Coalfire

April 12, 2024

On March 27th, the Department of Homeland Security (DHS) released a Notice of Proposed Rule Making (NOPR) to implement the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which was signed into law in March 2022. This is a critical piece of legislation that, when final, could become the single most important cybersecurity legislation affecting American businesses, with good and bad consequences.

In case you haven’t read the NOPR, you aren’t alone. It’s 447 pages. That’s more pages than Mark Twain wrote for the Adventures of Huckleberry Finn.

That’s a lot of bureaucratese to digest for the estimated 316,244 organizations potentially affected by the proposed rule. In fact, that’s a lot of words for anyone to digest.

Let’s state upfront, at the risk of being pilloried by our friends and colleagues in the cybersecurity community, that we all share some responsibility for this proposed rule. As citizens, we are sick and tired of the data breaches, and of letters notifying us that our data was exposed and that we need to change our passwords and sign up for free credit monitoring. Whatever we’re doing, it doesn’t appear to be working.

As we write this, the malware attack on Jackson County, MO, has spurred an executive order declaring a state of emergency, which serves as a proactive measure against a potential ransomware attack affecting various other county systems. Their statement reads: “The County has promptly notified law enforcement and enlisted the expertise of IT security contractors to assist in the investigation and remediation of the situation.”

CISA’s Role in a Cybersecurity Incident

We have had the unfortunate privilege to work on some of the largest cybersecurity breaches in the nation, from retailers to financial institutions to healthcare providers. When something happens, some of the immediate and necessary decisions companies need to make are WHO to inform, WHAT to share, and WHEN to do it.

Federal agencies such as the SEC have mandated that public companies disclose a data breach within four days. But when you consider who to involve, like the Secret Service, the FBI, local police, and DHS, it can be confusing and frustrating. 

We can ask 10 CISOs about CISA’s role in a cybersecurity incident, and we’ll almost certainly get 10 different answers. And that is before the lawyers get involved, which isn’t trivial, because more and more, lawyers are engaged in every incident.

And what if companies decide not to share with CISA? Unlike the SEC, it isn’t clear what the repercussions would be. What if you are late with sharing, or only share partial data?

We’ve long believed that when the safety and security of American society is at risk and the response lacks a sense of urgency, the government has a duty to step in. Now they’ve done it. But it raises the question: is CISA here to help organizations or to hold them accountable?

Companies that are required to reach out to CISA because they are victims of hacks may ultimately find themselves as suspects being investigated by the very government they called on for help and then having the data they shared used against them. Many are worried that this could even lead to criminal cases in the future.

Effects of the NOPR to Implement CIRCIA

This proposed rule will result in a massive increase in the size, oversight, and overall authority of CISA. We can argue whether that’s good or bad, but if history is any indicator, big government is not always good government. And CISA is already under pressure to justify the ROI for their current budget.

The implementation of CIRCIA indicates that most of the government costs will result from the “creation, implementation, and operation of the government infrastructure.” If the estimate in the proposed rule is correct and CISA actually receives 210,525 CIRCIA reports over the next 3,650 days – roughly 58 reports each day – any reasonable person will question how CISA can expect to ingest, analyze, track, and efficiently share out information from CIRCIA reports. 

On one hand, having a central view and pulse of what is going on across America’s infrastructure can be hugely powerful by allowing us to see trends, patterns, techniques, and ways to help prevent attacks at a speed and scale that we have not had in the past. On the other hand, that data could be used to justify Gross Negligence and hold people accountable.

We have some experience seeing this play out in the commercial sector with credit card breaches. Before malware became all the rage, credit card theft was the crime du jour.

Credit card companies could correlate thousands of cards and determine whether there was a Common Point of Purchase (CPP), which was usually a merchant, who would then receive a call from the card brands telling them THEY were the issue.

As highlighted in the Summary of Costs and Benefits of the proposed rule, the primary drivers for industry are the time and infrastructure to learn the rules and establish reporting requirements, as well as the “recurring data and records preservation requirements.” 

These costs will almost certainly grow as the infrastructure required to support CIRCIA matures. As we’ve seen following the establishment of other regulatory frameworks, they become self-licking ice cream cones that grow simply to sustain themselves.

The Cost of Implementing the NOPR for CIRCIA

Finally, CISA is already competing for much of the same cybersecurity talent the private sector needs, so finding the right level of skilled people to administer this mandate will be Sisyphean in scale. Make no mistake, while many of the roles will be purely administrative in nature, a great number will require people skilled in understanding both general technology and more importantly, industrial control system technologies.

The end result is an estimated cost of $2.6 billion over the next 10 years between the government and the private sector. We suspect that this vastly underestimates the long-term cost of the program, which will eventually include increased costs to the end customer, as companies typically pass on their operating costs. 

We’ve been saying for over a decade that security is neither optional nor free. Now, we all need to be prepared to pay up for safe and secure infrastructures.

As we continue to review the NOPR, we’ll provide additional thoughts on both the value and cost of the CISA proposed rule.