Insights into the Cyber Incident Reporting for Critical Infrastructure Act of 2022

Anthony (Tony) Sabaj is currently the Director of Channel Security Engineering for North America at Check Point, with over 25 years of experience in Cyber/Information/Network security.

In this interview, expert Tony Sabaj explores new information that holds relevance for many US-based businesses. The insights in this article can help your organization proactively adapt to aggressive new mandates, optimize hierarchical structures, maneuver through legal minefields, and achieve stronger cyber security outcomes. Understand, interpret, and take action around the US’s groundbreaking cyber security legislation. What are the implications for your business?

On March 15^th, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was signed. What kinds of enterprises will this legislation affect?

This act affects 16 sectors deemed critical within the United States:

• Chemical Sector – Agricultural, Pharmaceutical and Consumer chemical industries
• Commercial Facilities Sector – Anywhere large numbers of people gather, including Hospitality, Movie/Broadcast Studios, Outdoor Events, Stadiums, Zoos, Shopping Centers and Casinos
• Communications Sector – Wireline, wireless and satellite communication providers, including telcos and cellular providers
• Critical Manufacturing Sector – Metal Manufacturing, Machine Manufacturing (turbines, power distribution, mining/agriculture machines), Electrical equipment manufacturing (electric motors, transformer, generators) and Transportation Equipment Manufacturing (Cars, Trucks, Ships aerospace)
• Dams Sector – includes over 90,000 dams in the United States
• Defense Industrial Base Sector – Companies and their subcontractors that work with the Department of Defense (DoD), including more than 100,000 organizations.
• Emergency Services Sector – Law Enforcement, Fire and Rescue, Emergency Medical Services (EMS), Emergency Management and Public Works.
• Energy Sector – Oil, Gas and Electricity production and distribution
• Financial Services Sector – Banks/Credit Unions, Investment Houses/Brokerages, and Insurance/Financing organizations.
• Food and Agriculture Sector – over 2.1 million farms, 950,000 restaurants and over 200,000 food manufacturing, storage and processing facilities.
• Government Facilities Sector – special-use military installations, libraries, courthouses, education, monuments and election systems
• Healthcare and Public Health Sector – Private and Public Healthcare Delivery Organizations
• Information Technology Sector – Providers of hardware, software and services in information Technology. This sector collaborates and overlaps with the Communication Sector.
• Nuclear Reactor, Materials and Waste Sector – 99 active and 18 decommissioned nuclear power stations, 31 research and test reactors, 8 nuclear fuel cycle facilities and over 20,000 licensed uses of radioactive materials. This sector collaborates and overlaps with many other sectors, including Energy and Chemical sectors.
• Transportation System Sector – Aviation, Highway and Motor Carrier, Maritime Transportation System, Mass Transit and Passenger Rail, Pipeline Systems, Freight Rail and Postage and Shipping
• Water and Wastewater Systems Sector – over 153,000 public drinking water systems and over 16,000 publicly owned waste water systems covering over 80% of the US population.

Although not universally applied to all organizations, this legislation -across 16 sectors- covers an enormous number of entities in the United States and its territories. More detailed information regarding the sectors and definitions can be found at: https://www.cisa.gov/critical-infrastructure-sectors

Will this law force organizations to fundamentally change the way in which they operate in relation to cyber security?

The law mainly focuses on breach reporting and ransomware payment disclosure within 72 and 24 hours, respectively. Although the law does not require specific protections to be in place, the best way avoid reporting a breach or ransomware payment is to not have the breach in the first place.

Organizations will need to place greater focus on threat prevention solutions and architectures designed to thwart advanced threats, and shift focus away from detection and reporting alone.

Given the relatively short reporting windows, how realistic are the new reporting requirements for the average enterprise?

It’s very important to understand that the legislation requires disclosure of a breach within 72 hours of when it is known to the organization. The breach may have happened days or months in the past. The question “Who knew what and when” will be an important distinction when determining the legal adherence to this law.

The ransomware payment disclosure is straightforward. Once an organization makes a payment, they have 24 hours to report it, along with to whom they made the payment and how (crypto, bank transfer).

If businesses report incidents quickly, what kinds of protections are bundled into the legislation?

Any information submitted as part of the breach or ransomware payment is protected as confidential and proprietary information to the reporting organization and cannot be used in legal proceedings that do not pertain to this act.

Additionally, the information is excluded from FOIA (Freedom of Information Act) requests and other similar disclosure laws.

Ransom payments must be reported within 24 hours. What are the implications for businesses, for attackers, and for national security at-large in the US?

The act of paying ransom gives credibility and encouragement to malicious actors. Many ransomware campaigns implement double or triple extortion. Not only will the ransomware extortionists ask for a payment to decrypt the affected assets, there will be an additional ransom asked for to not release exfiltrated data and/or disclosure to affected third parties. Although not illegal to pay ransom amounts to threat actors, it is illegal to make payments or conduct financial transactions with entities that appear on the OFAC SSI list (Office of Foreign Assets Control, Sectorial Sanctions Identification). In turn, this has become a bit of a legal gray area, which becomes further complicated by cryptocurrency payments.

How will the new legislation affect the CIO-CISO dynamic within organizations, if at all?

The focus of this legislation is on the reporting and timelines. One of the most interesting aspects of this legislation requires the affected organization to have a named CISO and the CISO has some authority over the CIO. Organizations will need to make cyber security decisions that can be independent from IT initiatives. For many smaller organizations, the option of a vCISO (virtual CISO) may be the best way to adhere to this law.

In accordance with the legislation, CISA will create a centralized repository of information about threat actor intentions, programs and operations. Will this help everyone achieve stronger cyber security outcomes and if so, how?

Much like after 9/11, the Department of Homeland Security (DHS) moved to consolidate overall security into one single agency. CISA, part of DHS, is now the consolidated cyber security component of DHS. The US government has always had robust public/private partnerships in regards to cyber security. CISA is required to share the information in an anonymized format with the public and non-governmental organizations. More data will strengthen the security of organizations and the effectiveness of security tools.

Would threat intelligence + MITRE ATT&CK serve the same purpose?

MITRE ATT&CK receives most of its data from publicly available data sources. As CISA starts to publish more information, as required by this legislation, it could very well be a great source of information for tools like MITRE.

Anything else that you wish to share with the CyberTalk.org audience?

This legislation is a good first step in consistent cyber security incident reporting. It is not an all-encompassing requirement that applies to all organizations. As this legislation and other pieces of legislation mature, organization will be forced to look at prevention strategies and further adoption of zero trust principals.

For more outstanding insights from Tony Sabaj, see CyberTalk.org’s past interviews. Lastly, to receive cutting-edge cyber security news, insights, best practices and analyses in your inbox each week, sign up for the CyberTalk.org newsletter.