In March 2022, U.S. President Joe Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Among the changes introduced, the law enacts a requirement for data breach reporting within 72 hours of the event. This, of course, has a major impact on the role of CISOs, and how they should handle incident management.
This is where we felt that the CISO community should weigh in.
We worked together with Team8’s CISO Village, to share thoughts, ideas and concerns, and to present the community’s feedback on the proposed regulations.
You can read our full response paper on the subject here.
Impact on the CISO’s Role
The first topic we discuss is the importance of understanding CIRCIA’s impact on the CISO profession as a whole, beyond a specific organization or sector.
CIRCIA was enacted to promote important national security and public interest goals, as well as to incentivise overall accountability.
However, when implemented in real life, we believe there is room to consider how it affects the CISOs’ work and the interfaces they maintain inside their organizations. This, we argue, is crucial for the successful implementation of the law, and to the day-to-day of any CISO.
To be even more specific, when a cyber incident occurs, CISOs need to manage cyber defense, deal with recovery, and communicate findings and implications to a wide range of stakeholders in real time. The trust of the board is essential.
In an already complex environment, the new legal obligations added by CIRCIA could potentially create additional challenges for the CISO.
Moving forward, we believe that CIRCIA rules should be developed with the aim of promoting coherence and clarity of the cybersecurity discipline on one hand, and support cybersecurity professionals within their organizational settings on the other.
Let’s break this down into relevant action items:
Cybersec, not red tape
Unlike typical breach notification policies, it seems that CIRCIA is not focused on compliance, enforcement or investor protection. Rather, it pragmatically focuses on national “situational awareness” that enables real time action.
Indeed, real-time, even zero-time responses are essential for cyber defense. Yet drawing focus from defense to compliance limits the capacities of protection and creates an unavoidable, unwanted, “legal friction.”
As a community, we are concerned that if CIRCIA becomes another regulatory law, the line of communications will be further legalized, thus causing legal friction or process blockers to effective communications. In this scenario, compliance might take precedence over a timely security response, which is essential to containing an ongoing attack.
Our recommendations are:
- Set very clear thresholds for reporting that require as little as possible interpretation, and can be applied by legal counsels based on clear triggers.
- Clarify with explicit guidance CIRCIA limitations on the use of the report.
- Uncouple the threshold reporting from the actual content of the report.
- Clarify that the reporting duty is the organization’s and not the CISO’s. Consider having a “CISO hotline” where CISOs can informally consult.
- Be advised that fast reporting will affect accuracy. Aspects such as the affected dataset, nature of telemetry and its accuracy, and any conflicts should be included.
It takes two to tango
The application of CIRCIA should be a two-way street: CISA should promote clarity as to CISA’s information sharing, its notification feedback loop, and interfaces with CISA after a report.
We think CISA should consider publishing a process for its feedback loop, that lets the reporting organization know within a relevant timeframe what is being done with the data, if any relevant government action has been taken, and whether the reporting organization can expect additional support.
Starting with a narrow approach
CIRCIA is a new legal obligation that applies to one of the most sensitive events in organizational cybersecurity: It sets legal rules of behavior in a constantly developing field. Thus, it risks burdening cybersecurity operations or flooding CISA with notifications.
We suggest narrowly tailoring terms under the law, to allow all to gain experience with its application.
This also applies to the content of the incident notification. Our belief is that it should include minimal details, such as the attack vector and the estimated timeframe for producing a clearer picture.
Epilogue: CIRCIA as an opportunity
Many jurisdictions these days are developing mandatory notification laws, similar to CIRCIA. This might create more challenges for a global company than the existing situation. Some have already described it as a “global patchwork.”
If CIRCIA rules are effective in promoting public-private information sharing, they can affect the global policy discussion in this area for the greater good.