The technology sector raises several questions in its submission to the Cybersecurity and Infrastructure Security Agency on what constitutes a need for incident reporting under the upcoming mandatory regime, including how to address product security and potential reporting on vulnerabilities.
CISA’s sector-specific definition of a covered entity for information technology “seems to state that IT Sector companies must report substantial cyber incidents experienced through ‘the products’ of the covered entity. This is confusing, as a substantial cyber incident is defined as impacting the operations of the covered entity. An issue in a product may not be disruptive to that product manufacturer’s business operations,” according to the July 2 industry filing.
The joint filing was submitted by the IT Sector Coordinating Council and the IT Information Sharing and Analysis Center. It is in response to CISA’s notice of proposed rulemaking to implement the 2022 Cyber Incident Reporting Act. The NPRM comment period closes today.
The filing asks specific questions on “what constitutes a reportable event in terms of product security,” including:
- Must a company that makes an IT product report all known exploits of a vulnerability, even if the exploited vulnerability is not known to have caused a substantial cyber incident within any customer?
- Must a company report as a substantial cyber incident that an exploit of a vulnerability was used to cause a substantial cyber incident for a customer?
- What if the substantial cyber incident was caused by a customer not deploying a fix that was available to it?
- What if the incident was caused by a customer turning off or reducing the deployed default enhanced security setting (the vendor ships the product with MFA enabled, but it is turned off by the customer)?
Further, the filing says, “As a general matter, we do not believe that a vulnerability in a product or service is a ‘covered cyber incident’ for either the manufacturer of the product or its customer. Not every vulnerability results in an exploit. … It is not plausible, efficient, or fiscally responsible to require entities to report on every vulnerability in their product line or in their enterprise.”
The tech sector also questions CISA’s definition of a “cyber incident,” which for the IT sector includes “an occurrence that actually jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system; or actually jeopardizes, without lawful authority, an information system.”
The filing asks, “What does ‘actually jeopardize’ mean, and how is that determined? Merriam Webster defines ‘jeopardize’ as: ‘to expose to danger or risk.’ A discovery of a vulnerability on a system can increase risk to a system or ‘jeopardize’ data hosted on it. However, having a vulnerability on a system does not mean that the system or data was actually accessed.”
The filing says it is confusing that CISA’s definition of a “cyber incident” does not include the actual impact of a cyber incident.
On definitions, the filing concludes, “Finally, we are seeking clarity as to whether a covered cyber incident relates to only systems or impacts in the U.S., or if covered entities will be required to report on substantial cyber incidents regardless of whether they take place on, or impact, U.S.-based networks. We suggest that the requirement be focused on U.S. networks or, in terms of supply chain compromises, if the incident impacts covered entities in the U.S.”
The tech sector wants CISA to change the reporting timeline so that the 72-hour clock starts “from when a Covered Entity ‘confirms’ or ‘determines’ that it has experienced a substantial cyber incident.” CISA’s proposed timeline instead starts when a covered entity “reasonably believes” that it has “experienced a substantial cyber incident,” according to the filing.
The filing says the proposed change “provides the Covered Entity clarity on what the reporting requirements are, thereby reducing potential liabilities and misunderstandings. Further, it helps companies balance the need to investigate an incident with the requirement to report an incident.”
Submitting reports
The filing draws on the work of the IT-ISAC to provide input on how the reporting process should work and on allowing third-party submissions.
“The proposed regulations indicate that submissions will need to be made through a CISA portal. CISA provides examples of other technologies that it has chosen to not implement at present; however, we urge CISA to allow other methods of submission as quickly as possible,” the filing says.
Under the proposed rule, the filing says CISA will “preclude email submissions” because the Department of Homeland Security claims there is difficulty in digesting them.
“However,” the filing says, “there are ample technologies in the market that enable organizations to accept secure email into ticketing systems. Email submissions provide substantial benefits to covered entities who are submitting incident reports; key among these is that they provide the opportunity for legal review of the submission. Standard incident response procedures include close engagement and coordination with internal legal counsel.”
The filing continues, “This is especially the case when a company is ensuring compliance with a vast number of regulations and incident reporting mandates across various state, federal, and international governments. Requiring a web-based submission process with unpredictable and unknown questions, as described in the proposed regulations, will prevent adequate legal review of a company’s submission. This exposes companies and, potentially the submitter, to greater liability.”
On third party submissions, the filing notes that the proposed rule allows them and says “this function could be filled by a sector-specific ISAC. We ask, however, that the regulations take a more expansive view of this provision and enable a covered entity to conduct joint submissions.”
“One goal of an expanded approach would be to enable a covered entity to submit incident reports to its ISAC and have that information be forwarded to CISA. This way the ISAC and its members will have quick access to information on an incident that occurred within that sector,” the filing says.
The joint filing also responds to the NPRM’s provisions on the protection and distribution of information; the proposed request for information process for covered entities that do not report a covered cyber incident and fall under the new regulation; and harmonizing incident reporting requirements. -- Sara Friedman (sfriedman@iwpnews.com)