Cyber incident reports will be shared with the agency under the soon-to-be implemented requirements of the Cyber Incident Reporting for Critical Infrastructure Act.
Cyber incident reporting requirements currently being drafted in collaboration with the private sector will help the Cybersecurity and Infrastructure Security Agency gain a better understanding of how successful its threat mitigation efforts have been, according to the head of the agency.
Appearing before the House Appropriations Subcommittee on Homeland Security on Tuesday to discuss the agency’s fiscal year 2024 budget request, CISA Director Jen Easterly faced questions from lawmakers about how the agency is able to measure its return on investment when it comes to safeguarding critical infrastructure from an array of digital and physical threats.
Rep. Dave Joyce, R-Ohio, who chairs the subcommittee, asked Easterly how CISA measures success and if she could quantify “how much safer the homeland is today” as a result of increasing funding allocated to the nation’s cyber defense agency over the past several years.
Easterly said that “as a measure of reducing risk, we don't have a lot of visibility into the overall ecosystem,” noting the inherent difficulties in assessing how increased agency visibility and warnings about software vulnerabilities have prevented or mitigated potential cyber incidents. But she said that last year’s enactment of the Cyber Incident Reporting for Critical Infrastructure Act—or CIRCIA—was “game changing” and will allow the agency to have greater insights into the broader threat landscape once it is fully implemented.
“We can say, ‘here are the number of critical incidents that occurred across our critical infrastructure this year,’ and then we can measure the reduction given all of the improvements that we've put in place,” Easterly added. “So we are on our journey to be able to give you very quantifiable metrics to allow us to articulate that return on investment.”
President Joe Biden’s fiscal year 2024 budget request seeks $3.1 billion for CISA, which the White House said represents an increase of $145 million to the agency’s current budget. That includes approximately $98 million to help CISA implement CIRCIA, which Easterly called “one of the most important things that happened legislatively since probably the establishment of CISA in 2018.”
Among its provisions, CIRCIA requires the agency “to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments to CISA.” Entities covered by the cyber incident reporting requirements, which are still being drafted, will have 72 hours to report relevant cyber incidents to CISA; federal agencies “must share that report with CISA within 24 hours.” Relevant entities must also report to CISA within 24 hours about “any ransom payments made as a result of a ransomware attack.”
Easterly said the FY 2024 funding earmarked for CIRCIA “was really about putting the technical infrastructure in place to allow us to be able to receive this massive amount of new reporting, to analyze it, to correlate it, to enrich it and then to use it to respond.”
Easterly said that CISA is still in the rulemaking process with CIRCIA, and has been working over the past year to “put the infrastructure in place so that we can start defining what we need to receive from the private sector within 72 hours, how we define a covered entity and how we define a covered incident.”
She added that the agency has worked to make this a “consultative process” with the private sector, which has included holding 27 listening sessions—10 in-person events and 17 virtual events—to gather feedback from private sector entities, as well as a request for comment that generated more than 100 responses.
“We're putting together that rule based on everything we've heard from the private sector,” Easterly said. “That's hugely important to make sure that we do this right.”
Easterly told the subcommittee that CISA expects the Notice of Proposed Rulemaking for the cyber incident reporting requirements to come out in March 2024, with the final rule expected to be implemented in September 2025. Until the rule is enacted, entities are not required to disclose cyber incidents to the agency, although Easterly said that CISA’s voluntary Shields Up campaign—which the agency launched in February 2022 following Russia’s invasion of Ukraine—has already resulted “in a ton of reports about potential scanning and activity.”
Beyond advancing CIRCIA’s rulemaking activities, Easterly noted that the agency recently launched a ransomware vulnerability warning pilot “that was mandated in the legislation” to help organizations identify vulnerabilities in their systems that have been frequently exploited by ransomware threat actors.
When asked by Rep. John Rutherford, R-Fla., about whether or not CISA would need to use its subpoena power to compel covered entities to provide reports on cyber incidents once the final reporting rule is enacted, Easterly said that “there are not a lot of sticks, in terms of enforcement and compliance” in CIRCIA. But she added that the agency is “not here to name, to shame, to stab the wounded—we are here to render assistance, and then to use that data, very importantly, to protect the rest of the ecosystem.”
“If you're in a neighborhood and your neighbor gets robbed, you're going to want to know that so you can actually lock your doors and put your guard dog out,” she added. “It's important for our collective defense.”