CISA executive director discusses CIRCIA, incident reporting

SAN FRANCISCO -- We only know about a fraction of the cyberattacks that affect organizations in the U.S., and that's a major problem, according to CISA Executive Director Brandon Wales.

Earlier this month at RSA Conference 2024, Wales spoke with TechTarget Editorial to discuss the Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA. The act, which President Joe Biden signed into law in March 2022, requires CISA to develop regulations requiring certain entities to report covered cyberincidents and ransom payments to the national cybersecurity agency.

These reporting requirements will enable CISA, according to the agency's website, "to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims."

Although CIRCIA was signed into law, the rule is still under development. The proposed rule, which was published in April, covers a wide range of organizations connected to critical infrastructure, such as those in healthcare, operational technology, energy, defense, education, government agencies and others. Covered entities would be required to report a relevant cyberincident within 72 hours after reasonably believing an incident has occurred or within 24 hours of sending a ransom payment.

CISA will develop the final rule upon completion of a public comment period ending July 3 in which individuals and organizations can provide feedback for the proposed rule. The agency will consider feedback in developing the final rule, which CISA is required to publish 18 months after publication of the proposed rule.

During an interview, Wales shared his thoughts regarding the proposed rule, including why he feels it's necessary, how to reach organizations that otherwise wouldn't voluntarily report and more.

Editor's note: This interview was edited for clarity and length.

What made CIRCIA necessary?

Brandon Wales

Brandon Wales: It's an important question. We have long known that the federal government doesn't have sufficient insight into what is happening in our cyber ecosystem. Inside the United States today, we only know about a fraction of the incidents that hit us, and that weakens our ability to protect this country. It means we can't spot adversary campaigns quickly enough. It means that novel techniques may happen repeatedly before we become aware and share that information out so other organizations can protect themselves. It means we can't render assistance. On the law enforcement side, it means we can't follow the money in terms of ransom payments, and we can't begin to identify bad actors and see what options from a law enforcement perspective exist to impose costs.

Those gaps were critical. And working with Congress, we made the case that we needed to close these gaps, and that a mandatory consistent reporting regime across critical infrastructure was essential to giving us the right level of visibility that will make us better able to provide the level of cybersecurity that we need for this measure.

Under the proposed guidelines, what's the scope of organizations that are affected by CIRCIA?

Wales: In the Notice of Proposed Rulemaking, we document the scope of what a covered entity is and how we define a covered entity. And right now, our definition will cover a couple hundred thousand entities based upon our current estimates, which excludes millions of small businesses throughout the country. And we think that is appropriate. Congress gave us broad latitude in the CIRCIA legislation. The legislation says that anything that operates within a critical infrastructure sector is potentially available to be subject to this regulation. We decided to scope that down and exclude small businesses, but we do make sure that anything that is particularly important to include is covered, starting with all large businesses. Then we go through sector by sector to make sure that critical small businesses in those sectors are also covered. We think, at the end of the day, it will be a couple hundred thousand entities that would be required to report under this rule.

One of CISA's initiatives over the last few years has been to encourage organizations to report voluntarily, which is probably easier said than done given various business factors. How successful have these outreach efforts been?

The amount of voluntary reporting has increased, but not to the scale where we need it to be.

Wales: The amount of voluntary reporting has increased, but not to the scale where we need it to be. And we recognize that, in the middle of an incident, there is a lot of pressure on that company to not report. They're going to be getting advice from outside counsel. There's going to be pressure from inside the company to try and make sure they have as much information as possible and get the issue resolved before they tell us.

What we have tried to argue is that today, you're not going to get a huge amount of value out of reporting. But tomorrow, you're going to want other companies that have been compromised to report because the information we can glean from that reporting will help you. And I think this goes to the very heart of CIRCIA and why it is a kind of unique regulation that CISA is leading. Most of the cyberincident reporting regulations that exist out there from other regulatory bodies are about accountability. They want to make sure that a company is being held accountable for potential deficiencies or whether they're meeting cybersecurity standards set by another regulator. Our regulation is not about accountability for that company -- it is about getting information in to the government that we can use to protect the broader ecosystem and impose costs on our adversaries.

In fact, CIRCIA has specific protections that the information submitted under CIRCIA regulation cannot be used for regulatory or other law enforcement activities against those companies. We think that despite the fact that this will now be required, ultimately, this information is going to be used to turbocharge the voluntary work that we do -- to get information into the hands of network defenders to make all of our critical infrastructure, all of our networks and systems more secure.

From the public comments you've received or conversations you've had with stakeholders, what is some of the feedback you've gotten? What do people like? What are the friction points?

Wales: If you look back at some of the press that I did when we first got this authority, and we were beginning to do listening sessions and sent out a request for information back in 2022, the areas that we're getting the most feedback on are the same now as we had assumed then, and that is two of the most critical questions as part of the rulemaking. One being, how do we define a covered entity who is going to be required to report? Have we scoped it correctly? We've laid out why we think that we have identified the correct scope and why this scale of companies reporting is critical to ensure that we can fulfill the mission in the program. Industry will have their say in terms of their feedback on that scope, and then we'll see how we adjust the scope, or the final rule, based upon the comments.

The second critical question is, what is a covered cyberincident? What types of incidents have to be reported? This is a really important question because we want to make sure that we are receiving enough incidents that it gives us insights into the cyber activity happening against U.S. networks -- that we can spot these campaigns early. But we want to make sure that we can protect the signal from the noise. And so, just as important as what we're including are the types of incidents that we're excluding. But this is obviously going to be an immensely critical question.

Those two will be the ones that we have to spend the most time on going through the comments and looking at how we make final adjustments to the final rule. And I expect the final rule will be different than the proposed rule. How much? I don't know. We'll have to see what kind of comments we receive. There are a small number of comments that have been officially submitted through the docket to date, but not any ones that are very detailed and substantive yet. Those tend to come a little bit later. I know a lot of organizations told us that they're working on those, and I'm looking forward to that.

For organizations not covered by CIRCIA that still might feel motivated not to report, how do you intend to reach these entities?

Wales: This is an incredibly important issue, because we don't want anyone to wait for CIRCIA to start reporting. We need those reports today. I don't want to wait another 18 months to start getting critical information on cyberattacks happening against U.S. critical infrastructure. That information will help us and it will help everyone. Every company benefits when we get this information and can share out anonymized information that benefits network defenders. We urge every company to report their significant cyberincidents in to us immediately. We make it very easy on our website to do so: CISA.gov/report.

But even after CIRCIA is out there, it should be viewed as the floor, not the ceiling. Just because you are not required to report doesn't mean we all won't benefit if you do. If you're a company and you have the ability to report, and you have cyberincidents -- particularly ones that your CISO was like, 'Huh, that's interesting' -- get that in to us. That information will benefit us. It'll benefit larger companies. It'll benefit other small companies. And I know that there is some burden on getting that information to the government, but it is so important that we view this as a common good that we can all both contribute to and benefit from. And that is hard. It requires a little bit of sacrifice on the part of an individual company. But the dividends for the broader community that we make this part of our culture in this country will ensure that we have a more secure cyber ecosystem.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.