CISA Looking to Change Cybercrime Reporting Rules
WASHINGTON — As cybercrimes are on the rise, the Cybersecurity and Infrastructure Security Agency is asking people, businesses and other organizations for feedback on what its new reporting rules should look like.
The agency released the eight-page request for information Friday asking people how the agency should collect information. The agency’s progress towards making new rules comes as it works to meet its 2024 deadline set in the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which President Joe Biden signed into law this past March.
Lawmakers saw an opportunity to prevent cybercrimes through the creation of a set of requirements for businesses to meet when dealing with them.
The law “marks an important milestone in improving America’s cybersecurity by, among other things, requiring CISA to develop and implement regulations requiring covered entities to report covered cyber incidents and ransom payments to CISA,” the agency wrote in its request.
“These reports will allow CISA, in conjunction with other federal partners, to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends and understand how malicious cyber actors are perpetrating their attacks, and quickly share that information with network defenders to warn other potential victims.”
The agency is embarking on a multi-year process to create these laws by first soliciting information.
Agency employees will be visiting cities around the country on a “listening tour” to hear input from people throughout the fall. They will visit Salt Lake City, Utah; Atlanta, Georgia; Chicago, Illinois; Dallas, Texas; New York City, New York; Philadelphia, Pennsylvania; Oakland, California; Boston, Massachusetts; Seattle, Washington; Kansas City, Missouri; and host a session in Washington, D.C.
The new rules are a shift in how these cyberattacks are handled. The agency has mostly had a voluntary relationship with companies that choose to share they were victims of such attacks.
The request is specifically asking about how the agency should define what is a “covered entity” — the companies within the critical infrastructure sectors that would need to report cybercrimes and any ransoms they pay.
Currently different types of utility companies have different cybercrime reporting rules, which led to the Colonial Pipeline ransomware attack last year, halting the gas pipeline that brought gasoline up the East Coast. The Atlantic Council referenced that attack in a report it released in June this year, calling out these inconsistencies throughout cybersecurity practices.
The new law seeks to change that.
“Reporting cyber incidents and ransom payments to the government has many benefits. An organization that is a victim of a cyber incident, including those that result in ransom payments, can receive assistance from government agencies that are prepared to investigate the incident, mitigate its consequences, and help prevent future incidents through analysis and sharing of cyber threat information,” the agency states.
“CISA and our federal law enforcement partners have highly trained investigators who specialize in responding to cyber incidents for the express purpose of disrupting threat actors who caused the incident, and providing technical assistance to protect assets, mitigate vulnerabilities, and offer on-scene response personnel to aid in incident recovery.”
The agency is accepting public comments for 60 days after the request for information is officially published in the Federal Register on Monday, Sept. 12.