Industry Seeks Narrow Cyber Rules From CISA

CISA is writing rules directed by Congress under the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), which President Joe Biden signed in March (see 2203160051). CISA must publish an NPRM within two years of enactment and issue a final rule within 18 months of publication of the NPRM, according to the statute. The agency closed comments earlier this month on its request for information.

There shouldn’t be any rush in reporting, said Comcast Vice President Rudy Brioche during an FCBA event Tuesday. “Provide entities with the opportunity for them to conduct a proper investigation in order to report incidents that are truly substantial,” he said. “As an ISP, the number of incidents that we see throughout the day is staggering.” To get quality information, covered entities need a chance to confirm: “We know that garbage in is garbage out.”

CISA should provide clear definitions for when a company has “reasonable belief” an attack occurred, which will have ramifications for when the clock starts on reporting, said Palo Alto Networks Senior Director-Public Policy Coleman Mehta: Confirmed incidents should have a threshold for measuring a “tangible loss” for a company, including confidentiality and integrity impacts on data.

The new law requires covered entities to report incidents to CISA within 72 hours but only after the entity has confirmed an incident under CISA’s criteria. The agency should adopt regulations that “the 72-hour window will not begin until a Covered Entity has determined a covered cyber incident has occurred based on its reasonable belief,” TIA said in comments posted Monday. “Providing this discretion to Covered Entities will help ensure they have the latitude to conduct proper due diligence in ensuring an incident rises to the threshold of reportability before the 72-hour reporting timeline kicks in.”

“It’s not quite clear” what CISA’s “policy objective is yet,” said Oracle Senior Director-Strategic Initiatives Cheryl Davis. “Perhaps it will be a bit of an iterative process as this regime gets under way.” Step one is defining a clear policy objective through engagement with industry, which is “here to help” and wants CISA to “succeed,” she said.

Reporting shouldn’t be triggered until a covered entity has “the opportunity to assess and confirm an incident has met applicable criteria and thresholds,” commented USTelecom. Without clear rules about “reasonable belief,” industry out of “an abundance of caution,” might have to report many incidents that don’t meet the criteria, USTelecom said: “This overreporting could strain government resources and be counterproductive for both sides of the public-private partnership.”

CISA should draw up narrow definitions for covered entities, said TechNet. Potential expansive definitions for covered entities could sweep up “nearly all entities that operate in the critical infrastructure sectors” of Presidential Policy Directive-21,” said TechNet: Consistent with PPD-21, the scope of covered entity should be limited to organizations that, if subject to an attack, “would have a ‘debilitating’ impact on any combination of security, national economic security, or national public health or safety.”

CISA should define covered cyber incidents as “confirmed incidents that significantly disrupt a provider’s ability to operate core functions,” said NCTA: This includes incidents that endanger “public safety by disrupting the provider’s core, transport, and/or access networks would be considered a covered incident.” CTIA warned CISA against taking an “overbroad approach,” which could have “significant negative consequences” for cyber and the economy: If CISA “treats everything as critical and substantial, then nothing will be critical and substantial.”