BSA-The Software Alliance is concerned about the level of detail CISA will want in mandatory incident reports and argues for “minimal, but specific reporting requirements” to create consistency across sectors.
“CISA should be cautious about what information it requires a covered entity to report. CISA’s requirements will directly affect how covered entities use their limited resources while also responding to the cyber incident,” BSA says in comments submitted Monday to CISA on the upcoming incident reporting regulation.
BSA says, “CISA reporting requirements could create a perverse incentive for a covered entity to focus on activities that do not advance its response – an outcome CISA and industry should work together to avoid. We understand, respect, and remain optimistic that CIRCIA will reduce risk and increase resilience, but, for these reasons, strongly recommend a cautious approach to reporting requirements.”
The Cyber Incident Reporting for Critical Infrastructure Act, known as “CIRCIA,” directs CISA to establish a mandatory regime where covered cyber incidents must be reported within 72 hours and ransomware payments within 24 hours.
CISA released a request for information in September asking for input on the timeframe requirements and what should be considered “reasonable belief” to start the clock for reporting.
Other questions seek to define the scope of reportable incidents, including what should be considered a “covered entity,” “covered cyber incident” and a “substantial cyber incident.”
BSA says CISA should require a covered entity to only report the following:
- Company name
- Company point of contact information (name, position, telephone, e-mail)
- Date of incident detection
- Type of compromise (unauthorized access, unauthorized release, unknown, not applicable)
- Description of technique or method used in cyber incident
- Incident narrative (chronological explanation of the incident; threat actor tactics, techniques, and procedures; indicators of compromise; targeting, mitigation strategies)
- Whether it detected the incident because of information in the National Vulnerability Database, the Known Exploitable Vulnerabilities Catalogue, or a similar repository, or whether the covered entity detected the covered cyber incident because of threat information shared by CISA, for example through a CISA, NSA, FBI joint Cyber Security Advisory
The software association also asks CISA to create a portal where covered entities can report cyber incidents, arguing that it would allow organizations to “transmit sensitive information securely.”
It says, “A portal should also provide a third-party submitter, that is, an entity the covered entity is using to transmit reports, the ability to pre-register as a third-party submitter through the portal. By accepting pre-registration, CISA can increase its confidence that a third-party submitter is a reputable organization, prepared to work on behalf of the covered entity.”
Expanding on reporting requirements, BSA wants the “covered entity” definition to apply only to the victim and not be the responsibility of its third-party service provider. In “many” circumstances, BSA says the third-party service provider isn’t “positioned” to determine whether an incident should be considered a “covered cyber incident” under CIRCIA.
“Additionally,” BSA says, “third-party service providers are trusted partners for government agencies and businesses alike. Creating a legal obligation to report such speculation will alter the relationship between a third-party service provider and its customer from one of collaboration to one of conflict. This change would undermine trust and degrade cybersecurity.”
On reporting, BSA says CISA should use its incident and vulnerability response playbooks publication “to consider where ‘reporting a covered cyber incident’ would fit, how inserting reporting requirements would impact a covered entity that is the victim of a covered cyber incident, and how CISA can reduce the negative impact through narrow but effective reporting requirements.”
The publication was developed to fulfill a requirement in the 2021 cyber executive order and is targeted at government agencies.
For “reasonable belief,” BSA recommends structuring the definition around “a covered entity’s belief that, upon investigation, the reliable information it considered at the time provided clear and convincing evidence that it was the victim of a covered cyber incident.” It says, “This definition will reduce false positives and help CISA focus on the most impactful cyber incidents.”
Harmonization is also a priority for BSA, and the group argues that it would be helpful to work with international partners as well as to address federal and state-specific incident reporting requirements.
CISA has received a wide range of feedback from stakeholders across critical infrastructure sectors including information technology, communications, banking, pipelines, electric utilities, health care and water. The U.S. Chamber of Commerce submitted comments as well as individual companies interested in helping CISA shape the regulation.
A coalition of banking groups urged CISA to set a “malicious intent” threshold for reporting to help the agency achieve its desired outcome to share information back out to industry for preparation and response efforts. -- Sara Friedman (sfriedman@iwpnews.com)
