Sharing of Cyber-Related Incidents to Become Mandated
May 09, 2022
By now, “cybersecurity” is the buzzword we hear about every day. We see attacks, government-issued warnings, new bad actors, and heightened cybersecurity concerns in the news constantly. New cyberthreats, attack vectors, and malicious groups are popping up faster than many can keep track of, and these threats will keep increasing as the war in Ukraine continues to escalate. Now, more than ever, these ongoing events have prompted the public sector to take a hard look at its cybersecurity programs.
Unfortunately, the notion of “if” a cyberattack will happen is a thing of the past. Now, it’s all about “when” a cyberattack will occur. Because there is simply so much going on in the threat landscape at any given moment, public sector organizations must have each other’s backs when it comes to keeping valuable constituent data secure. It’s no longer enough to sit back and hope that a cybersecurity incident won’t occur. Organizations must work together to collectively fight cybercrime. After years of debate, the U.S. government has passed a law to help.
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022
In response to increasingly debilitating cyberattacks, President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 into law on March 15, 2022. The first-of-its-kind law is intended to help keep the public and the U.S. economy secure by requiring organizations that operate within the 16 critical infrastructure sectors (as defined in Presidential Policy Directive 21) to report significant cybersecurity events to the federal government soon after they occur. Although the law was enacted on March 15, 2022, it is important to note that the Cybersecurity & Infrastructure Security Agency (CISA), the nation’s cyber defense agency, has 24 months from enactment to publish a notice of proposed rulemaking, and must issue the final rule no later than 18 months after that notice is published. The mandatory reporting requirements described below do not take effect until that final rule is in effect.
Required Reporting of Certain Cyber Incidents
Under the law, covered entities must file covered cyber incident reports, ransom payment reports, and supplemental reports, and must preserve related data. A covered cyber incident is a substantial cyber incident experienced by a covered entity that meets the definition and criteria CISA will set in the final rule; it must be reported no later than 72 hours after the entity reasonably believes the incident has occurred. An entity that makes a ransom payment as a result of a ransomware attack must report the payment within 24 hours of the payment being made, and this applies even if the underlying ransomware attack is not itself a covered cyber incident. Covered entities must also submit a supplemental report if substantial new or different information about the incident becomes available, or if a ransom payment is made after the initial report is submitted, until the entity notifies CISA that the incident has concluded and been fully mitigated and resolved. Finally, any covered entity that files an incident report, a ransom payment report, or a supplemental report must preserve data relevant to the cyber incident or ransom payment, for as long as and in the manner the final rule specifies.
Noncompliance With Required Reporting (Section 2244)
If a covered entity – an entity in one of the critical infrastructure sectors that meets the definition CISA establishes in the final rule – fails to comply with the reporting requirements, the Director of CISA may first request the missing incident or ransom payment information directly from the organization. If the entity does not respond adequately within 72 hours of that request, the Director may issue a subpoena to compel disclosure. If the entity fails to comply with the subpoena, the Director may refer the matter to the Attorney General, who can bring a civil action in federal district court to enforce it.
What to Report & How to Report
Mandatory reporting does not begin until the final rule is in effect, but organizations should use the time before then to build their reporting process. CISA encourages stakeholders within federal, state, local, territorial, and tribal governments to start voluntarily sharing information about cybersecurity incidents now, so they can contribute to stopping emerging cyberthreats targeted at critical infrastructure.
CISA recommends sharing the following information:
- Unauthorized access to your system
- Denial of Service (DoS) attacks lasting more than 12 hours
- Malicious code on your systems, including variants if known
- Targeted and repeated scans against services on your systems
- Repeated attempts to gain unauthorized access to your system
- Email or mobile messages associated with phishing attempts or successes
- Ransomware against critical infrastructure, including the variant and ransom details if known
Additionally, organizations should share these 10 key elements if possible:
- Incident date and time
- Incident location
- Type of observed activity
- Detailed narrative of the event
- Number of people or systems affected
- Company/organization name
- Point of contact details
- Severity of event
- Critical infrastructure sector if known
- Anyone else you informed
If your organization has already been using one of CISA’s Incident Reporting forms, CISA encourages you to keep using that method. If your organization has never reported an incident, you can email firstname.lastname@example.org to share information. If the incident is phishing-related (email messages, mobile messages, or website locations), forward the phishing message to email@example.com. See CISA’s full bulletin for the complete guidance.
Together, cities, counties, municipalities, and school districts are empowered to share their cybersecurity incident information for the greater good of the public, their organization, their peers, and the nation.