Some of the nation’s top critical infrastructure providers are asking the Cybersecurity and Infrastructure Security Agency to provide guardrails around the incident reporting requirements signed into law by President Biden earlier this year.
The Cyber Incident Reporting for Critical Infrastructure Act of 2022 requires these organizations to promptly report major incidents and ransomware payments in order to help federal officials rapidly respond to attacks. The aim is to share that information with other agencies and critical providers, who may not realize there is an impending threat.
Leading critical infrastructure providers and information sharing groups want CISA to place limits around these requirements so their security operations workers are not overburdened with false alarms or asked to provide incomplete intelligence.
“Mandatory incident reporting can assist with the information prong, but it must be crafted precisely to avoid unintended consequences of wasted resources and providing irrelevant information to stakeholders,” IBM officials said in a letter to CISA.
The Bank Policy Institute, American Bankers Association, Institute of International Bankers and the Securities Industry and Financial Markets Association sent a joint letter to CISA, saying the reporting requirements should be linked to an “actionable purpose” and asking for clarity on what the information will be used for.
The groups also pointed out the financial services industry has been subject to strict disclosure requirements for 20 years from a variety of agencies.
The Information Technology Information Sharing and Analysis Center (IT-ISAC) warned that the mere presence of a known vulnerability should not be considered a covered cyber incident, though it welcomed reporting under current best practices that call for responsible disclosure.
The U.S. Chamber of Commerce argues that “CISA should thoughtfully set a high threshold for an incident to be considered reportable,” in its 16-page letter from Matthew Eggers, VP in the cyber, space and national security policy division.
The letter raises concerns that CISA could be overwhelmed if providers reported a large number of insignificant events to the agency.
The comments were sent under a Nov. 14 deadline, just as CISA is finishing a nationwide listening tour. The agency spent time hearing local communities' concerns about cyber risk, disclosure requirements and other related issues.
“The consensus seems to be that CISA will have to walk a tricky Goldilocks fine line between collecting too much information from too many entities, which could quickly turn into a bureaucratic nightmare and not [provide] enough information to derive value from,” Katell Thielemann, VP analyst at Gartner, told Cybersecurity Dive via email.