Earlier this month Congress passed a huge bill, which included a 9,099 word section on the Cyber Incident Reporting for Critical Infrastructure Act of 2022. But don’t worry, because you don’t have to read it.
In this post, we’ll let you know the highlights of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 and other things that might be of interest and while we are not legal experts, this recap is solely in hopes of saving you some time going through the bill yourself.
If all else is lost in this recap of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, just remember when it feels like we’re beating our head against a wall with the same message over and over, the government had to enact a law to direct their employees to “…strengthen cybersecurity measures to mitigate vulnerabilities, including those resulting from the use of personal email accounts or servers outside the .gov domain, improve the process to identify and remove inactive user accounts, update and enforce guidance related to the control of national security information, and implement the recommendations of the applicable reports…”
Sounds familiar, doesn’t it!?
In a statement released by Congress on March 10th, “The Cyber Incident Reporting for Critical Infrastructure Act, included within the Consolidated Appropriations Act, 2022, is one of the most significant pieces of cybersecurity legislation in the past decade. Requiring owners and operators to report significant cyber incidents and ransomware attacks to CISA will mean greater visibility for the Federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector so they can defend against future attacks.
To add to that, Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA) added, “CISA will have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyber-attacks. CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure.”
So What Do I Need to Know About the Cyber Incident Reporting for Critical Infrastructure Act of 2022?
H.R.2471, otherwise known as the “Consolidated Appropriations Act, 2022” became public law on March 15, 2022. “Cyber” was mentioned 301 times within the Act, everywhere from Agriculture and Energy to Ukraine. In fact, nearly $5 Billion (with a capital B) has been allocated for potential cybersecurity, intelligence, and infrastructure between 2022 and 2024.
Needless to say, echoing the words of Director Easterly, “this is a game-changer.” From including cryptocurrency and other forms of ransom payment to defining important terms and criteria for reporting, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 was about as dense as you could expect from a group of lawyers and politicians.
Relevant Additions to the Cyber Incident Reporting for Critical Infrastructure Act of 2022
The CISA and other agencies will be drastically looking “to enhance the situational awareness of cybersecurity threats across critical infrastructure sectors.
There are 16 critical infrastructure sectors that fall under the purview of this act:
- Commercial Facilities (think large crowds of people for shopping, business, entertainment, or lodging)
- Critical Manufacturing
- Defense Industrial Base
- Emergency Services
- Financial Services
- Food and Agriculture
- Government Facilities
- Healthcare and Public Health
- Information Technology
- Nuclear Reactors, Materials, and Waste
- Transportation Systems
- Water and Wastewater Systems
Cryptocurrency and Other Forms of Ransom Payment
The bill confirms the inclusion of cryptocurrency and other payment forms within the definition of Ransom Payment.
The term ‘ransom payment’ means the transmission of any money or other property or asset, including virtual currency, or any portion thereof, which has at any time been delivered as ransom in connection with a ransomware attack.
The term ‘virtual currency’ means the digital representation of value that functions as a medium of exchange, a unit of account, or a store of value.
The term ‘virtual currency address’ means a unique public cryptographic key identifying the location to which a virtual currency payment can be made.
Important Definitions Added
We also get further clarification on and additions of a few important definitions.
The term ‘ransomware attack‘–
- means an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment; and
- does not include any such event where the demand for payment is—
- not genuine; or
- made in good faith by an entity in response to a specific request by the owner or operator of the information system.
- Receiving, aggregating, analyzing, and securing reports to assess the effectiveness of security controls, identify tactics, techniques, and procedures adversaries use to overcome those controls and other cybersecurity purposes
- Identifying and tracking ransom payments, including those utilizing virtual currencies
- Providing appropriate entities with timely, actionable, and anonymized reports of cyber incident campaigns and trends, including, to the maximum extent practicable, related contextual information, cyber threat indicators, and defensive measures
- Establishing mechanisms to receive feedback from stakeholders on how the Agency can most effectively receive covered cyber incident reports, ransom payment reports, and other voluntarily provided information, and how the Agency can most effectively support private sector cybersecurity
- Facilitating the timely sharing between relevant critical infrastructure owners and operators of information relating to covered cyber incidents and ransom payments, particularly with respect to ongoing cyber threats or security vulnerabilities and identify and disseminate ways to prevent or mitigate similar cyber incidents in the future
- Conducting reviews of the details surrounding the cyber incident or group of those incidents and identify and disseminate ways to prevent or mitigate similar incidents in the future
- Pertaining to an ongoing cyber threat or security vulnerability, immediately reviewing those reports for cyber threat indicators that can be anonymized and disseminated, along with defensive measures, to appropriate stakeholders
- Publishing quarterly unclassified, public reports that describe aggregated, anonymized observations, findings, and recommendations based on covered cyber incident reports
- Proactively identifying opportunities to leverage and utilize data on cyber incidents in a manner that enables and strengthens cybersecurity research carried out by academic institutions and other private sector organizations, to the greatest extent practicable; and
- As soon as possible but not later than 24 hours after receiving a covered cyber incident report, ransom payment report, voluntarily submitted information, or information received, make available the information to appropriate agencies.
- A description of the covered cyber incident including:
- Identification and description of the function of the affected systems, networks, or devices
- A description of the unauthorized access with substantial loss of CIA of the affected information system or network or disruption of business or industrial operations
- The estimated date range of the incident
- The impact to the operations of the organization
- Where applicable, a description of the vulnerabilities exploited and the security defenses that were in place, as well as TTP used to perpetrate the incident
- Where applicable, any identifying or contact info related to each actor reasonably believed to be responsible for the incident
- Where applicable, identification of category or categories of info that were accessed or acquired by an unauthorized person.
- The name and other information of the impacted organization
- Contact information for the impacted organization
- If a ransom payment was made:
- The date of the ransom payment
- The ransom payment demand including the type of currency, virtual currency, or other comedy requested
- The ransom payment instructions
- The amount of the ransom payment
- Prioritize intelligence-driven operations to disrupt specific ransomware actors
- Consult with relevant stakeholders to identify needs and establish mechanisms for providing input
- Identify a list of highest threat ransomware entities
- Disrupt ransomware criminal actors, associated infrastructure, and their finances
- Collect and share ransomware trends
- Create after-action reports to identify successes and failures that can help guide recommendations