CISA Announces DC Event for Public Input on Incident Reporting Regulations

Luis Alvarez/Getty Images

The effort aims to give officials a greater understanding of cyber threats and the ability to defend U.S. critical infrastructure against cascading impacts when attacks occur.

The Cybersecurity and Infrastructure Security Agency shared details for participating in a listening session on how the agency should structure rules for owners of critical infrastructure to report cybersecurity incidents—including ransomware attempts—to the government.

The notice, published in the Federal Register Wednesday, included a link to register for the event scheduled over several hours on Oct.19. 

Congress authorized CISA in March to gather stakeholder input and issue the regulation in response to a series of landmark security compromises, including the “SolarWinds” hack, which breached at least nine federal agencies, and the ransomware attack on Colonial Pipeline, which caused a run on fuel supplies and emergency declarations in several states.     

In addition to reporting “covered cyber incidents” to CISA within at least 72 hours, the law required “covered entities” to report any “ransom payments” to the agency within 24 hours.  

Within those and other criteria, the law leaves it largely up to CISA—incorporating input from sector-specific agency regulators and other stakeholders—to define what counts as a “covered entity” and a “covered cybersecurity incident” in the coming rule.

Some critical infrastructure sectors, such as healthcare and finance, already have rules in place for companies to disclose breaches, for example when personally identifiable information is involved. But that was not hackers main focus in the case of SolarWinds or Colonial Pipeline, and large swaths of critical infrastructure are under no obligation to inform authorities when their systems are breached. 

Depending on how the rule is structured, and whether covered entities comply, lawmakers hope the law will better enable CISA to analyze the tactics, techniques and procedures that attackers employ. The agency could then more quickly warn others, who may also be dependent on underlying technology that makes them vulnerable and can mitigate any fallout with security patches or other fixes.

CISA previously also released dates for listening sessions on the issue in cities further afield around the country, including Chicago, Illinois, Dallas, Texas, New York City, Philadelphia, Pennsylvania, Oakland, California, Boston, Massachusetts, Seattle, Washington and Kansas City, Missouri. 

An event planned for Atlanta Georgia was cancelled last week due to preparations for Hurricane Ian. Another session was planned for Sept. 21 in Salt Lake City, Utah. CISA did not provide any information on the level of participation there.