In March 2022, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was enacted in the U.S. with a clear purpose: to improve the nation’s cybersecurity by requiring covered entities to report significant cyber incidents, including payments made in response to ransomware attacks. The law, and the rulemaking it requires of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), offers a vital opportunity for the U.S. government to strike a proper balance between the security benefits of prompt incident reporting and the negative consequences of setting the reporting thresholds too low. If CISA stays laser-focused on establishing incident reporting requirements anchored in principles of risk management, its rulemaking process may serve as an important model for governments globally.
CISA initiated the statutorily required rulemaking process with a Request for Information (RFI) seeking public input on the development of CIRCIA rules, reflecting a recognition that consultation with key stakeholders is essential. One issue frequently raised in private sector responses to the RFI is the importance of harmonizing the cyber incident reporting timelines issued at different levels of government and by international organizations. This argument sounds intuitively sensible: a victim entity facing multiple, potentially conflicting reporting deadlines may have to divert scarce resources away from incident response and remediation simply to meet them.
However, the distinct missions of CISA and the other, independent regulatory agencies reveal a potential flaw in this argument. Among federal agencies, CISA has a unique cybersecurity-oriented mandate. It can focus singularly on targeted information sharing, weighing the cost that generating reports imposes on victims against the benefit that timely reporting brings to the wider security ecosystem. CISA can carve out a niche for itself that does not depend on the reporting standards established and followed by other federal regulatory agencies.
In theory, private entities performing critical functions prefer simplicity in regulatory reporting, in the form of harmonized requirements. Such harmonization, however, is unlikely to be achieved without significant trade-offs, particularly when the purpose of reporting differs from one agency to another. The risk, therefore, is that in the name of a single, unified reporting standard, CISA could be required to accept terms set by other agencies whose focus differs from that of CIRCIA.
Governments across the globe are framing a range of prescriptive regulations on cyber incident reporting. For instance, India has imposed a six-hour incident reporting timeline and the EU requires a 24-hour incident reporting window. CISA has an important opportunity to frame risk-based cyber incident reporting requirements that can serve as a model for other countries. Timely reporting of incidents is critical to defending America against malicious actors and attacks, and CISA can contribute to a robust national defense and security system through exemplary rulemaking that minimizes the burdens on victims and maximizes the benefits to defenders. Bargaining with multiple government agencies to achieve a single harmonized incident reporting requirement for the entire U.S. government, while tempting, may not be the right answer.