Written by Adam Huenke
Cybersecurity has been a focal point of discussion since the early 2010s, with growing concerns about data breaches, cyberattacks, and the general security of online infrastructure. As someone with experience in the cybersecurity field, I've always thought there were aspects of incident reporting that could be improved. Specifically, the process of reporting a cybersecurity incident, whether it is a Distributed Denial of Service (DDoS) attack, ransomware, or a data breach, has always felt too slow and disjointed.
One notable example that comes to mind is the Equifax data breach, which I personally experienced while working in the financial industry. The response timeline surrounding this breach felt inadequate, and the reporting of it could have been faster. The breach wasn't fully disclosed to the public until September 8th, 2017, despite Equifax having knowledge of the issue as early as July 29th of that year. This kind of delay in public notification is exactly what the new Cybersecurity Incident Reporting for Critical Infrastructure Act (CIRCIA), which is set to be fully implemented by 2026, is intended to address.
Before we dive deeper into how CIRCIA will change incident reporting, let's first take a look at the specific provisions of the act. The legislation mandates that the Cybersecurity and Infrastructure Security Agency (CISA) develop regulations requiring covered entities to report cyber incidents within 72 hours of detecting a potential breach. Moreover, if the incident involves ransomware payments, the covered entity must notify CISA within 24 hours of the payment.
Federal agencies are automatically required to adhere to the reporting requirements set by CIRCIA. However, commercial entities are not automatically included. The term "covered entities" refers specifically to those organizations within one of the 16 critical infrastructure sectors, such as energy, financial services, healthcare, and information technology.
Small businesses not falling within these sectors will not be bound by the reporting requirements of CIRCIA, at least until the act is fully implemented. While this provides some breathing room for smaller entities, it raises concerns over the potential risks associated with businesses that handle sensitive data, such as personally identifiable information (PII), but are not required to report cybersecurity incidents.
For now, voluntary reporting remains the standard, but as the regulations are finalized, CIRCIA will significantly reshape the reporting landscape.
The Equifax data breach serves as an important case study for understanding the potential impact of CIRCIA on incident reporting. As one of the most significant breaches in history, it illustrates why timely reporting is crucial. Equifax detected the breach in late July 2017 but did not publicly disclose it until more than a month later, on September 8th, 2017. This delay had wide-ranging consequences: millions of people were affected by the breach, which compromised personal information such as Social Security numbers, addresses, and other sensitive data.
Under CIRCIA’s guidelines, Equifax would have been required to notify CISA within 72 hours of detecting the breach. This rapid reporting timeline is crucial, as it allows impacted parties to take immediate steps to mitigate the risks posed by the breach. However, there are concerns that such quick notifications could result in panic or misinformation before the full scope of the incident is understood.
The implementation of CIRCIA introduces both benefits and challenges. On one hand, faster reporting allows for quicker responses, both from federal agencies and from organizations that may be affected by a cyberattack. This could ultimately help mitigate the damage caused by the breach and reduce the risk of further exploitation of vulnerabilities.
On the other hand, there is a potential downside to hastily reporting incidents. Cybersecurity incidents are often complex, and understanding the root cause of a breach takes time. Prematurely reporting an incident could lead to knee-jerk reactions or incomplete information, which may cause more harm than good. For example, organizations may be forced to make public disclosures before they fully understand the nature of the attack or its long-term implications, leading to confusion and unnecessary panic among affected parties.
As a cybersecurity professional, I’m torn between the need for quick notifications and the necessity of ensuring that the information shared is accurate and comprehensive. Timely reporting is undoubtedly critical, but a balance must be struck to ensure that the data provided is reliable and actionable.
While CIRCIA will have significant impacts on how organizations report cybersecurity incidents, there is still some uncertainty surrounding its implementation. The landscape of cybersecurity regulation could shift, especially with potential changes in the political climate. The future of CISA and its role in overseeing cybersecurity incident reporting remains unclear, and it is possible that the act could be amended or repealed in the coming years.
Regardless of what happens, the key takeaway is that organizations, both public and private, must improve their ability to report incidents in a way that is timely, accurate, and thorough. In the cybersecurity community, we must continue to strive for better incident reporting practices that can protect not only organizations but the individuals whose data is at risk.
As we await the final regulations, the importance of proactive cybersecurity measures and transparent incident reporting cannot be overstated. CIRCIA may be a step in the right direction, but it is only one part of the larger puzzle that will determine the future of cybersecurity.