New Proposed CISA Mandate Would Require Critical Infrastructure to Report Ransom Payments Within 24 Hours

The Cybersecurity and Infrastructure Security Agency (CISA) has released its yet unpublished proposal to instate new rules that would require covered entities to report cyber incidents and ransom payments.

The agency is focused on protecting critical infrastructure from cyberattacks, and is expected to roll out the following new requirements that were included in updates to the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022:

CIRCIA requires covered entities to report to CISA covered cyber incidents within 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred and ransom payments made in response to a ransomware attack within 24 hours after the ransom payment has been made.

These proposed requirements aim to give CISA a clearer picture of these attacks, allowing them to better understand trends and threats, share information, and help companies defend themselves.

Who is Affected?#

This mandate would apply to companies and entities that are vital to US infrastructure. The document defines critical infrastructure as industries and services such as:

• Power grids
• Financial services (banks)
• Transportation systems (airlines, railways)
• Water treatment facilities
• Healthcare providers (hospitals)
• Support hardware, software, or services provided to the Federal government
• Commercial nuclear power reactors
• Telecommunications facilities

The proposed reporting requirements apply primarily to larger organizations. Entities within a critical infrastructure sector that exceed the U.S. Small Business Administration’s (SBA) small business size standard based on either number of employees or annual revenue, are considered “covered entities.”

What Needs to be Reported?#

CISA is proposing to include within the rule a definition for the term “substantial cyber incident,” which triggers the reporting requirement. The types of covered cyber incidents include the following:

• a substantial loss of confidentiality, integrity, or availability of a covered entity’s information system or network
• a serious impact on the safety and resiliency of a covered entity’s operational systems and processes
• a disruption of a covered entity’s ability to engage in business or industrial operations, or deliver goods or services
• unauthorized access to a covered entity’s information system or network, or any nonpublic information contained therein, that is facilitated through or caused by either a compromise of a cloud service provider, managed service provider, other third-party data hosting provider, or a supply chain compromise

Under the new proposal, entities that provide critical infrastructure would also be required to report certain details about cyberattacks, including:

• The type of attack (data breach, malware infection, etc.)
• When the attack happened
• The impact of the attack (data stolen, systems disabled, etc.)
• What steps the company took to respond

CISA Seeks More Information About Ransomware Attacks#

Ransomware groups are running critical infrastructure ragged, as evidenced by how the health industry has struggled to recover from recent cyberattacks. UnitedHealth allegedly paid $22 million in an attempt to recover access to data and systems encrypted by the Blackcat ransomware gang. The damaging affects trickled down, as thousands of doctors, hospitals, and other providers that rely on UnitedHealth’s subsidiary, Change Healthcare, for billing reimbursements have not been paid.

The U.S. State Department is offering a $10 million bounty for information on the Blackcat hackers. Following the group’s attack on Change Healthcare, Blackcat executed an elaborate exit scam, falsely claiming law enforcement seizure, while swindling affiliates and severely impacting U.S. healthcare infrastructure. Change Healthcare began clearing their medical claims backlog of more than $14 billion last week.

CISA’s proposed changes to ransom payment reporting is an effort to get more information on how to combat these attacks. The document highlights the increasing threat:

In light of the rise of ransomware attacks as a proportion of cyber incidents, the rise of ransomware attacks targeting entities in critical infrastructure sectors specifically, and CISA’s statutory charge under CIRCIA to coordinate and share information with appropriate Federal departments and agencies to identify and track ransom payments,’ it is critical that CISA receive a sufficient number of Ransom Payment Reports from a breadth of entities in critical infrastructure sectors.

These changes would also authorize CISA to request information and engage in administrative enforcement actions to compel a covered entity to disclose information if it does not comply with the new reporting obligations. The goal is to give CISA better visibility into attacks on critical infrastructure to help them warn other companies, develop better defenses, and ultimately keep US infrastructure safe.

The proposed rule is scheduled to be officially published in the Federal Register on April 4, 2024, and the public will be invited to comment on the new cyber incident and ransom payment reporting requirements for a period of 60 days. This feedback will help them understand the potential impact of the rule and make adjustments if needed.