Eric Goldstein, CISA’s executive assistant director for cybersecurity, has outlined three goals for the agency’s upcoming incident reporting regulation, providing initial insights following the end of a public comment period that generated significant feedback across several critical infrastructure sectors.
The Cybersecurity and Infrastructure Security Agency put out a request for information in September to inform implementation of the regulation required under the Cyber Incident Reporting for Critical Infrastructure Act. The deadline for comments was Nov. 14 and the agency has received 129 responses in the formal rulemaking docket.
Goldstein thanked stakeholders for submitting comments at a Wednesday event, calling the feedback “extraordinarily valuable.” He didn’t go into specifics on individual responses, and instead provided a big picture view of CISA’s goals.
“We have three goals with incident reporting,” Goldstein said. “The first is to offer help to those who need it,” he said, emphasizing that the U.S. government’s support is “solely voluntary.”
“But we do want to make sure we are able to reach out and offer help to organizations that may request it whether it is incident response, hunting, mediation, etc.,” Goldstein said.
Second, CISA wants to ensure that it is “rapidly sharing information that is actionable and grounded in a reliable sample of adversary activity across the country,” Goldstein said. This includes quickly sharing indicators of compromise and tactics, techniques and procedures.
Goldstein said, “It also means as we are promulgating mitigations, those mitigations and controls are grounded in how intrusions are actually happening.”
One of the biggest challenges is to provide details on the “most effective mitigations against what adversaries are doing today,” Goldstein said, because CISA’s current “sample size of size” of incidents isn’t complete.
For example, CISA should see where actors from Chinese hacking group APT41 are “executing their intrusions” and provide “much more targeted guidance and direction to help organizations manage their risk.”
The third area looks at the broader landscape, Goldstein said. CISA wants to make recommendations on product security features that should be built in by default, and Goldstein said “grounding” it in “actual incidents and aggregated trends therein is going to be really impactful for the community in driving investments in the right areas.”
Goldstein said, “Our goal is to use incident reporting to harden the landscape so our adversaries have increased costs before executing intrusions on American companies.”
Goldstein was the morning keynote at the CyberNextDC event, hosted by the Cybersecurity Coalition and Cyber Threat Alliance. He highlighted current agency initiatives including the cybersecurity performance goals, encouraging market incentives for secure by default products and the “persistent collaboration” model.
Goldstein said, “We absolutely see mandatory reporting as the floor not the ceiling.” While CISA will establish a timeframe for reporting and data elements required in the final incident reporting rule, Goldstein said the hope is the “reporting process will kick off a voluntary collaboration with the government.”
Goldstein emphasized the need for a partnership to drive collaboration and figure out what happened in an incident. “So our goal would be that the required reporting is not going to be in lieu of robust collaboration, it is going to be just an input into the process,” he said.
The CyberNextDC event featured a fireside chat with Principal Deputy National Cyber Director Kemba Walden and a panel on incident reporting featuring Ben Miller of Dragos, Megan Stifel of the Institute for Security and Technology, Coleman Mehta of Palo Alto Networks and moderator Harley Geiger of Venable. -- Sara Friedman (email@example.com)