What You Need to Know About the Cyber Incident Reporting for Critical Infrastructure Act of 2022
Mar 23, 2022
Earlier this month Congress passed a huge bill, which included a 9,099 word section on the Cyber Incident Reporting for Critical Infrastructure Act of 2022. But don’t worry, because you don’t have to read it.
In this post, we’ll walk through the highlights of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and a few other things that might be of interest. We are not legal experts; this recap is solely meant to save you some time going through the bill yourself.
If all else is lost in this recap of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, just remember when it feels like we’re beating our head against a wall with the same message over and over, the government had to enact a law to direct their employees to “...strengthen cybersecurity measures to mitigate vulnerabilities, including those resulting from the use of personal email accounts or servers outside the .gov domain, improve the process to identify and remove inactive user accounts, update and enforce guidance related to the control of national security information, and implement the recommendations of the applicable reports…”
Sounds familiar, doesn't it!?
In a statement released by Congress on March 10th, “The Cyber Incident Reporting for Critical Infrastructure Act, included within the Consolidated Appropriations Act, 2022, is one of the most significant pieces of cybersecurity legislation in the past decade. Requiring owners and operators to report significant cyber incidents and ransomware attacks to CISA will mean greater visibility for the Federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector so they can defend against future attacks.”
To add to that, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA) added, “CISA will have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyber-attacks. CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure.”
So What Do I Need to Know About the Cyber Incident Reporting for Critical Infrastructure Act of 2022?
H.R.2471, otherwise known as the “Consolidated Appropriations Act, 2022,” became public law on March 15, 2022. “Cyber” is mentioned 301 times within the Act, everywhere from Agriculture and Energy to Ukraine. In fact, nearly $5 Billion (with a capital B) has been allocated for cybersecurity, intelligence, and infrastructure between 2022 and 2024.
Needless to say, echoing the words of Director Easterly, “this is a game-changer.” From including cryptocurrency and other forms of ransom payment to defining important terms and criteria for reporting, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was about as dense as you could expect from a group of lawyers and politicians.
Relevant Additions to the Cyber Incident Reporting for Critical Infrastructure Act of 2022
The CISA and other agencies will be working “to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.”
The act applies to the 16 critical infrastructure sectors, including:
- Commercial Facilities (think large crowds of people for shopping, business, entertainment, or lodging)
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
Cryptocurrency and Other Forms of Ransom Payment
The bill confirms the inclusion of cryptocurrency and other payment forms within the definition of Ransom Payment.
The term ‘ransom payment’ means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.
The term ‘virtual currency’ means the digital representation of value that functions as a medium of exchange, a unit of account, or a store of value.
The term ‘virtual currency address’ means a unique public cryptographic key identifying the location to which a virtual currency payment can be made.
Important Definitions Added
We also get further clarification on and additions of a few important definitions.
The term ‘ransomware attack’—
- means an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment; and
- does not include any such event where the demand for payment is—
  - not genuine; or
  - made in good faith by an entity in response to a specific request by the owner or operator of the information system.
The term ‘significant cyber incident’ means a cyber incident, or a group of related cyber incidents, that the Secretary determines is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the people of the United States.
The term ‘supply chain compromise’ means an incident within the supply chain of an information system that an adversary can leverage or does leverage to jeopardize the confidentiality, integrity, or availability of the information system or the information the system processes, stores, or transmits, and can occur at any point during the life cycle.
What Are CISA’s New Responsibilities?
In addition to the current Cyber Incident Review activities, the CISA will now be responsible for:
- Receiving, aggregating, analyzing, and securing reports to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls and other cybersecurity purposes
- Identifying and tracking ransom payments, including those utilizing virtual currencies
- Providing appropriate entities with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures
- Establishing mechanisms to receive feedback from stakeholders on how the Agency can most effectively receive covered cyber incident reports, ransom payment reports, and other voluntarily provided information, and how the Agency can most effectively support private sector cybersecurity
- Facilitating the timely sharing between relevant critical infrastructure owners and operators of information relating to covered cyber incidents and ransom payments, particularly with respect to ongoing cyber threats or security vulnerabilities and identify and disseminate ways to prevent or mitigate similar cyber incidents in the future
- Conducting reviews of the details surrounding the cyber incident or group of those incidents and identify and disseminate ways to prevent or mitigate similar incidents in the future
- Pertaining to an ongoing cyber threat or security vulnerability, immediately reviewing those reports for cyber threat indicators that can be anonymized and disseminated, along with defensive measures, to appropriate stakeholders
- Publishing quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cyber incident reports
- Proactively identifying opportunities to leverage and utilize data on cyber incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable; and
- As soon as possible but not later than 24 hours after receiving a covered cyber incident report, ransom payment report, voluntarily submitted information, or information received, make available the information to appropriate agencies.
The timeframes for reporting depend on the scenario. A covered entity that experiences a covered cyber incident must now report the incident to the Agency within 72 hours after the incident occurred. However, a covered entity that makes a ransom payment as the result of a ransomware attack must now report the payment to the Agency within 24 hours after the ransom payment has been made.
Here’s where it gets even more interesting. Even if the ransomware attack is not a covered cyber incident, the covered entity must still report the payment to the Agency within 24 hours.
In addition to the new reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022, covered entities must preserve all data relevant to the covered cyber incident or ransom payment.
The only exemptions to these rules apply to covered entities which are owned, operated, or governed by multi-stakeholder organizations that develop, implement, and enforce policies concerning DNS, such as ICANN or IANA.
The good news is, the bill pretty clearly defines what the reports should contain. And it should be noted that any additional information gathered after the initial report is also required. For instance, if the initial report was just the incident, but later a ransom payment was made, that is also required to be passed along.
What information should a report contain?
- A description of the covered cyber incident, including:
  - Identification and description of the function of the affected systems, networks, or devices
  - A description of the unauthorized access with substantial loss of confidentiality, integrity, or availability (CIA) of the affected information system or network, or disruption of business or industrial operations
  - The estimated date range of the incident
  - The impact to the operations of the organization
  - Where applicable, a description of the vulnerabilities exploited and the security defenses that were in place, as well as the tactics, techniques, and procedures (TTPs) used to perpetrate the incident
  - Where applicable, any identifying or contact information related to each actor reasonably believed to be responsible for the incident
  - Where applicable, identification of the category or categories of information that were accessed or acquired by an unauthorized person
- The name and other information of the impacted organization
- Contact information for the impacted organization
- If a ransom payment was made:
  - The date of the ransom payment
  - The ransom payment demand, including the type of currency, virtual currency, or other commodity requested
  - The ransom payment instructions
  - The amount of the ransom payment
Other Interesting Aspects of the Bill
The CISA will establish a ransomware vulnerability warning pilot program to leverage existing authorities and technology to develop processes and procedures for identifying information systems that contain security vulnerabilities associated with common ransomware attacks and notifying the owners of those vulnerable systems. This is a 4-year pilot project to determine the effectiveness and accuracy of such a system.
The CISA, along with the National Cyber Director, Attorney General, and the Director of the FBI will establish a Joint Ransomware Task Force to coordinate an ongoing nationwide campaign against ransomware attacks. This Task Force will:
- Prioritize intelligence-driven operations to disrupt specific ransomware actors
- Consult with relevant stakeholders to identify needs and establish mechanisms for providing input
- Identify a list of highest threat ransomware entities
- Disrupt ransomware criminal actors, associated infrastructure, and their finances
- Collect and share ransomware trends
- Create after-action reports to identify successes and failures that can help guide recommendations
It will be interesting to watch over the next couple of years to see what kinds of data come from these activities, as well as the legal precedents that are set.
Hopefully this recap has saved you a little time in reading the bill yourself. After all, it is 80% shorter and pulls out a lot of the legal jargon. Remember, this post is only a recap and does not constitute legal recommendations or legal advice and should not be taken that way.