In the realm of cyberattacks that plague organizations across the United States, there exists a significant gap in the knowledge and reporting of such incidents. This issue was brought to light by CISA Executive Director Brandon Wales during his discussion at the RSA Conference 2024. The conversation revolved around the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), a law signed by President Joe Biden in March 2022.
The primary aim of CIRCIA is to mandate certain entities to report covered cyber incidents and ransom payments to CISA, the national cybersecurity agency. By enforcing reporting requirements, CISA intends to swiftly deploy resources to aid attack victims, identify trends across sectors, and alert network defenders to potential threats. However, while CIRCIA was signed into law, the final rules are still under development.
The proposed rules, outlined in a document published in April, target a wide range of organizations linked to critical infrastructure, spanning healthcare, operational technology, energy, defense, education, and government agencies. Under these rules, covered entities must report relevant cyber incidents within 72 hours of detection or within 24 hours of making a ransom payment.
To gather feedback and refine the regulations, CISA is undergoing a public comment period until July 3. Wales emphasized the necessity of CIRCIA and its potential impact on organizations that may otherwise resist voluntary reporting. He highlighted the need for comprehensive visibility into cyber threats to bolster national cybersecurity efforts.
One aspect of CISA’s pursuit for enhanced reporting is extending outreach to organizations that may not fall under CIRCIA’s jurisdiction. Wales underscored the importance of continuous reporting by all entities, even those not mandated by law, to benefit the broader community and strengthen the cyber ecosystem.
The conversation with Wales delved into the challenges faced in encouraging voluntary reporting, the scope of CIRCIA’s impact on various organizations, and the critical role feedback plays in shaping the final rules. Wales also stressed the collaborative nature of reporting cyber incidents, emphasizing its significance in reinforcing cybersecurity measures on a national scale.
As the cyber landscape continues to evolve, the need for comprehensive reporting mechanisms becomes increasingly crucial. By fostering a culture of transparency and information sharing, organizations can collectively fortify their defenses against cyber threats and bolster the nation’s cybersecurity. The journey towards improved reporting practices is a collaborative effort aimed at safeguarding critical infrastructure and enhancing the resilience of the digital ecosystem.