[co-author: Danny Riley]
On March 15, 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Act will require critical infrastructure organizations (defined below) to report cyber attacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. The Act also creates an obligation to report ransomware payments within 24 hours.
According to the Federal Bureau of Investigation’s 2021 Internet Crime Report, released on March 23, 2022, cyber incidents rose 7% from 2020, with potential losses topping $6.9 billion. Many of the most threatened organizations fall into the critical infrastructure sector, and in 2021 alone, cyber incidents caused oil and food shortages, as well as supply chain threats. With cyber incidents reaching all-time highs in 2021, the legislation purports to protect U.S. critical infrastructure entities and investigate cyber crimes moving forward. The Act suggests that reporting obligations are being implemented to ensure that the government can support in the response, mitigation, and protection of both private and public companies that are covered under the Act. Within 24 months, CISA’s director is required to issue a proposed rule, and must issue a final rule 18 months after making the proposal. The legislation also authorizes the Director of CISA to issue future regulations to amend or revise that rule.
While the reporting obligations will not be in effect until the Director of CISA clarifies which entities are officially covered in the final rule, the Act refers to Presidential Policy Directive 21 (2013) to provide some guidance. With reference to the Directive, the industries that might be covered as critical infrastructure entities include: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems. When a covered entity “reasonably believes” that it has experienced a “substantial” cyber incident, the 72-hour reporting obligation is triggered. Covered entities will have 24 hours to report any ransom payments, even if the ransomware attack does not fall within the defined coverage of cyber incidents. If a covered entity both pays a ransom and suffers a substantial cyber incident, it may submit a single report to CISA.
Covered Cyber Incidents
The Act directs CISA, in the final rule, to include a clear description of the types of substantial cyber incidents that would trigger a reporting obligation. A covered incident, at a minimum, would include a “substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes;” a disruption of operations due to a denial-of-service attack on an entity’s network or technology systems; or an unauthorized access or disruption to operations caused by a compromised supply chain or service provider. The Act adds that the final rule should also highlight considerations such as the sophistication of tactics used in the attack, the sensitivity of the data at issue, the number of individuals actually or potentially affected by the attack, and the potential impacts on industrial control systems. In finalizing the rule, CISA’s Director will need to issue regulations regarding which entities and incidents are covered; the manner, timing, and form of reports; and the necessary steps to take for information preservation.
The Expanded Role of the Cybersecurity and Infrastructure Security Agency
The legislation expands CISA’s role in managing cyber incident reporting for the U.S. critical infrastructure sector. Among the responsibilities described in the Act are CISA’s oversight of rulemaking, assessment of reported incidents, enforcement, coordination and information sharing with other federal agencies, and moving forward with other Federal cyber initiatives. Once the final rule is enacted, CISA will conduct an outreach and education campaign on current and upcoming cybersecurity initiatives. Some of the initiatives mentioned in the Act are listed below:
- Cyber Incident Reporting Council: The Council is to “coordinate, deconflict, and harmonize Federal incident reporting requirements.” It would be led by the Department of Homeland Security in consultation with the Attorney General and other Federal agencies.
- Ransomware Vulnerability Warning Pilot Program: CISA will be required to implement this program no later than one year after the law’s enactment. The program’s goal, leveraging existing authorities and technologies, will be to develop procedures for identifying information systems at risk for ransomware attacks, and to notify the owners and operators of those vulnerable systems.
- Ransomware Threat Mitigation Activities: To mitigate ransomware threats, CISA will establish a Joint Ransomware Task Force in consultation with the FBI, the National Cyber Director, and the Attorney General. The task force is “to coordinate an ongoing nationwide campaign against ransomware attacks and identify and pursue opportunities for international cooperation.” In carrying out these responsibilities, there will be a priority on implementing intelligence-driven systems that disrupt cyber criminals. To do so, the task force will consult “with relevant private sector, State, local, Tribal, and territorial governments and international stakeholders to identify needs and establish mechanisms.”
Guidance for Organizations
The Act’s reporting obligations will not take effect until CISA implements a final rule. Companies may get involved in the rulemaking process once CISA publishes the proposed rule in the Federal Register. When the proposed rule is issued within the next two years, a public comment period of between 30 and 60 days will follow, and the comments received are taken into consideration. If a company wishes to notify authorities of malicious cyber activity in the meantime, it can use the FBI’s Internet Crime Complaint Center (IC3) or the CISA Incident Reporting System. While waiting for the rule to be drafted, companies should be taking steps to bolster internal cybersecurity protocols. CISA’s website provides updates, resources, and tools for organizations, as well as individuals, to strengthen their security procedures. The final rule for mandatory reporting may be a few years out, but organizations and individuals should protect themselves and their assets now.