Page 28 - Cyber Defense eMagazine August 2024
What CIRCIA Demands
The rules require covered organizations to report ransomware payments to CISA within 24 hours and all
covered cyber incidents within 72 hours. The rules apply to a broad array of entities across 16 critical
infrastructure sectors as defined by CISA, including energy, water, transportation, healthcare, and
financial services, among others.
CISA anticipates CIRCIA will affect more than 316,000 entities, result in around 210,525 reports and cost
critical infrastructure providers an estimated $2.6 billion in rule familiarization, data and record
preservation, and reporting expenses.
Why Critical Infrastructure
We have substantial evidence from governments and private sector threat researchers that nation-state
threat actors are attempting to compromise and pre-position cyber-attack infrastructure within U.S. and
allied critical infrastructure systems.
The Volt Typhoon revelations of the last several months have helped expose the extent of these efforts.
They have also drawn attention to the fact that roughly 85% of U.S. critical infrastructure is owned and
operated by private sector organizations, which is why incident visibility cannot come from government
systems alone.
Any nation-wide effort to detect, contain, and recover from cyber attacks on U.S. critical infrastructure
would require speed in situational awareness and greater visibility into the nature and scope of an
adversary's offensive cyber operations.
Without visibility into cyber incidents across critical infrastructure sectors, it will be very difficult for the
government, private sector operators, and the threat research community to understand and pre-empt
future attacks, let alone coordinate effective responses to minimize impact during major incidents.
What CIRCIA Means for CISOs
Every new rule, requirement and guideline initially tends to raise more questions than it answers. Fortunately,
the CIRCIA draft rules will likely answer many CISOs' questions around definitions, compliance
requirements, and the costs associated with them. The comprehensive nature of the rules
demonstrates how serious the U.S. government is about the information sharing required to protect these
systems. The rules also acknowledge previous private-sector concerns around reporting definitions,
confidentiality, and accountability.
CISA acknowledged the incident reporting concerns raised by the SEC reporting mandates of 2023. In areas
such as the confidentiality of shared cyber attack information, CISA commits to releasing such
information only as anonymized, aggregated data within quarterly reports. The agency states it will not
treat information shared in good faith early in a cyber incident as false or misleading if subsequent
information shows the initial disclosures were inaccurate. CISA even commits to working with other agencies
to harmonize all U.S. federal incident reporting requirements, hopefully making the CISO's already difficult
task of complying with them somewhat easier.
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.