The Cybersecurity and Infrastructure Security Agency (CISA) is looking to set an “aggressive” pace to conduct the rulemaking proceeding necessary to implement recently approved cyber incident reporting legislation, but also indicated today that completion of a rulemaking could be a couple of years away.
Speaking on June 1 at a cybersecurity conference organized by Boston College, CISA Executive Director Brandon Wales ran down the lengthy timeline for an incident reporting rulemaking as spelled out in the Cyber Incident Reporting for Critical Infrastructure Act approved by Congress earlier this year as part of full-year FY2022 spending legislation.
The legislation – once implemented by a rulemaking from CISA – will obligate critical infrastructure owners and operators to report certain cyber incidents to CISA within 72 hours, and to report ransomware payments they made to attackers within 24 hours.
The long lead time allowed by that legislation for the CISA rulemaking means it could be roughly three and a half years before the law’s provisions take effect, and Wales said today that his agency is trying to hustle the process along faster than that.
“We have two years to publish a draft rulemaking, and then 18 months after that” to put forth a final rule, Wales said today.
“Obviously, we are going to try to move sooner than that,” he said. “We will be working aggressively on that for the next couple of years.”
The CISA Executive Director promised that the private sector will have plenty of input into the process.
“There will be a number of opportunities for the private sector to provide feedback,” Wales said. “People will start hearing from us extremely quickly on ways that we will be soliciting industry input,” he pledged.
“There are some big questions we have to answer” in the rulemaking, he continued. These include what entities are covered by the law, what are the precise trigger thresholds for reporting, and what kind of information will be required to be reported.
“We will solicit information on that in a couple of different ways,” and then publish a proposed rule, he said.
Wales gave a warm endorsement of the law’s aims during his remarks today.
He explained that only between 20 percent and 30 percent of cyberattacks are reported to the Federal government currently. That means CISA and its Federal partners “can’t spot [cyber attack] campaigns early, and there is less information to share” about them with government and industry entities who may also be targeted.
“We don’t see enough of what is happening in the cyber ecosystem in the U.S.,” he said. “The earlier that kind of [attack] information is shared, the more tools the government” can bring to bear to stop attacks, perhaps claw back ransom payments already made and warn other potential attack victims. But, he said, “those tools are perishable, and time is of the essence.”
“Over the long term, [the reporting requirement] will really be a seismic change” in CISA’s ability to take action to protect U.S. critical infrastructure sectors, he said.
Asked about CISA’s eventual ability to require private sector entities to comply with the law, Wales said that his agency will be able to issue subpoenas, and if that fails to produce results, can pass matters along to the Justice Department.
But he also emphasized that CISA doesn’t envision much in the way of compliance problems.
Instead, he said CISA wants to be positioned as a partner to the critical infrastructure community. “We are not big or bad,” he said, adding, “we are a kinder, gentler Federal agency. We are here to help you … our only job is to help the critical infrastructure community.”