Inside Congress’s ‘Game-changing’ Incident Response Legislation

Last month, the U.S. Congress passed the CIRCIA (Cyber Incident Reporting for Critical Infrastructure Act of 2022), which requires organizations in critical infrastructure sectors to report significant cybersecurity incidents to CISA within 72 hours.

Jen Easterly, the head of the CISA (Cybersecurity and Infrastructure Security Agency), said the legislation is a “game-changer” that “marks a critical step forward in the collective cybersecurity of our nation.”

Although the second of those statements is undoubtedly true, it would be generous to call this a ‘game changer.’ At best, it represents long-overdue small steps toward a national cybersecurity policy.

What are its requirements?

The most significant requirement of the CIRCIA is its 72-hour deadline for reporting “covered cyber incidents,” with the clock starting when the organization reasonably believes such an incident has occurred.

Although this seems straightforward – mirroring the 72-hour breach notification requirement of the EU GDPR (General Data Protection Regulation) – the scope of the requirement reveals complications.

The law states that only “covered entities” must report incidents. Covered entities are drawn from the 16 critical infrastructure sectors defined in Presidential Policy Directive 21, many of which are understandably included because of the inherent cybersecurity risks of their business.

For example, it covers organizations in the defense industrial base, emergency services, the energy sector, financial services, government facilities, and health care firms.

However, the act also covers five sectors that are loosely defined and leave uncertainty as to who must comply. These are:

  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Food and agriculture
  • Information technology

Many organizations will be unsure what exactly a “commercial facility” is or what “critical manufacturing” includes. Similarly, it’s unclear how “food and agriculture” is defined. Does it include individual farms? Street vendors?

It’s hard to determine how effective this legislation will be when it’s not yet clear how ambitious its scope is. And those who want to probe further will have to wait: CISA has 24 months from enactment to publish the proposed rule, and a further 18 months after that to issue the final rule that will actually define “covered entity” and “covered cyber incident.”

Ransomware requirements

One of the more positive, and unique, requirements of the CIRCIA is that a covered entity must report when it has paid a ransom following a ransomware attack, and it must do so within 24 hours of making the payment.

Cybersecurity experts often warn against paying ransoms, because there is no guarantee that criminal hackers will keep their word and provide a decryption key to restore the victim’s systems once they have been paid.

Experts also believe that paying attackers funds and encourages further attacks and could mark the victim as a soft target for repeat extortion.

However, while federal law criminalizes ransomware attacks, it does not, in general, criminalize making ransomware payments.

There are federal laws that heavily restrict transactions with certain parties, which can make ransomware payments to those parties unlawful. Payments to sanctioned persons or jurisdictions can draw civil penalties from OFAC (the Office of Foreign Assets Control) on a strict-liability basis, meaning the payer can be penalized even without knowing that the recipient was sanctioned, and knowingly funding a designated terrorist organization is a criminal offense.

To protect organizations reporting cybersecurity incidents or ransomware payments, the law provides a number of immunity provisions.

The information in a report cannot be used by federal, state, tribal or local government to regulate, including through an enforcement action, the lawful activities of the reporting entity. Likewise, no cause of action may be brought solely on the basis that a report was submitted, and the information is exempt from Freedom of Information Act requests.

The law essentially treats the contents of the report as the commercial, financial and proprietary information of the sender. Organizations do not have to submit the report directly; they can submit it through a third party, such as a law firm, incident response company or insurance provider, although the report must still identify the covered entity.

Is it really a ‘game changer’?

For the praise that the CIRCIA has received in revolutionizing incident response legislation, the ransomware requirement is the only significant addition.

The majority of its rules already exist in the current regulatory environment, and this law is limited to companies that are part of the critical infrastructure.

By contrast, every state has a data breach notification law that generally applies to all organizations. While most do not have such strict time limits, they also do not have any of the CIRCIA’s protections.

Those breach laws are often limited to “sensitive” personal information. What constitutes sensitive information varies by state, but it usually includes health or financial information. Notice has to go to the affected individuals and usually to the state’s attorney general as well. Many of these laws require notice without unreasonable delay rather than within a fixed number of hours.

In addition to the states, there are also securities laws. Given the size of many companies involved in critical infrastructure, a large number are listed on a national stock exchange and subject to the rules of the SEC (Securities and Exchange Commission).

Securities laws require these companies to disclose material information to the SEC and the public. Material information is information for which there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision.

Share prices are very sensitive to reports of a breach, so any significant cybersecurity incident would likely be material and require the listed firm to disclose it. The SEC has proposed new rules that would require disclosure on Form 8-K within four business days of the company determining that an incident is material.

The only thing historic about the CIRCIA is that it got passed at all.

Last year, a similar version of this law failed to get through the Senate, and we have seen many other proposed cybersecurity laws fall at the final hurdle, with lawmakers reluctant to pass bills that would substantially change the legislative outlook.

If the CIRCIA does anything, it demonstrates that cybersecurity compliance laws in the U.S. can be strengthened, even if it also proves that significant change will remain a challenge.
