Congress includes expanded cyber incident reporting mandate in $1.5 trillion omnibus spending bill.
In a significant move to bolster the nation's cybersecurity, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) has been passed by the U.S. Congress, making the Cybersecurity and Infrastructure Security Agency (CISA) the primary recipient of incident reports related to ransomware and cyberattacks on critical infrastructure.
Led by Director Jen Easterly, CISA will take on this responsibility under the new legislation, which is part of a $1.5 trillion omnibus spending bill. The move comes in response to a series of high-profile attacks, including the SolarWinds supply chain attack and the ransomware assault on Colonial Pipeline.
Security experts have long advocated for such reporting requirements, citing the need to fill critical information gaps and enable rapid deployment of resources and assistance to victims. However, concerns have been raised by companies, with potential litigation from investors and investigations from federal or state regulators among the foremost worries.
Numerous companies have declined to notify federal agencies of prior ransomware and supply chain attacks. The new reporting requirements aim to close this gap, with CISA Director Easterly stating that incident reporting will help build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure.
It will also allow CISA to analyse incoming reports across sectors to spot trends and to share information quickly with network defenders so that potential victims can be warned. Federal authorities have stressed that alerting other potential targets promptly is crucial.
The legislation has not been without controversy, with a turf war erupting over which agency should receive the incident reports. The question centred on whether CISA or the FBI should be the mandated recipient. Despite this, President Joe Biden is expected to sign the bill, and CISA Director Easterly praised the legislation in a statement on Friday.
Corporate stakeholders are eager to better understand the risk calculus of their technology stacks, and the reporting will provide valuable insights to help them do so. Gartner Research VP Katell Thielemann stated that the success of the reporting will depend on the details of implementation.
The lingering question among corporate stakeholders remains whether they are a target. Investigations of the SolarWinds attack revealed that threat actors had been lurking in systems since late 2019, underscoring the need for vigilance and proactive reporting.
In summary, the new legislation mandating cyberattack reporting to CISA is a significant step towards enhancing the U.S.'s cybersecurity posture. It aims to provide CISA with better visibility and data to protect businesses and critical infrastructure, ultimately benefiting all Americans.