November 14, 2022
Jennifer M. Easterly
Cybersecurity and Infrastructure Security Agency
Department of Homeland Security
SUBMITTED VIA Federal eRulemaking Portal: http://www.regulations.gov
RE: [Docket ID: CISA–2022–0010] Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022
To Whom it May Concern:
IBM welcomes the opportunity to contribute to CISA’s stakeholder consultation on key questions and concepts associated with the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) to help shape the forthcoming Notice of Proposed Rulemaking (NPRM). We commend CISA for its continued partnership with industry and look forward to working with CISA to develop an informed rule that will build a stronger, more collaborative cybersecurity environment and enhance U.S. cyber resilience. A whole-of-government approach along with true collaboration with industry is the best way to secure modern digital environments and tackle global cybersecurity threats.
IBM is uniquely positioned to help with these efforts as a leading global enterprise technology and consulting company helping clients in many critical infrastructure sectors around the world to secure their environments and protect their data while securing our own global infrastructure.
Mandatory incident reporting can assist with the information prong, but it must be crafted precisely to avoid unintended consequences of wasted resources and providing irrelevant information to stakeholders. To that end, IBM believes that any mandatory incident reporting regime should:
• Focus on the real risk: confirmed significant incidents on truly critical infrastructure. To be reportable by a covered entity, an incident must lead to a substantial loss of confidentiality, integrity, or availability of an information system or network or a serious impact on the safety and resiliency of operational systems or processes the security for which the covered entity is responsible. And the definition of covered entity must be based on existing globally-recognized risk-based criteria.
• Establish clear reporting roles. Only the victim of the cyber incident should have the obligation to report. The covered entity that is primarily affected and whose business is directly impacted by the incident should be in control of the information reported about them and obliged to provide relevant reports.
• Keep it simple, consistent, and collaborative. A complex cyber threat landscape does not warrant an equally complex compliance regime. Cybersecurity professionals tasked with investigating and resolving incidents should not be unduly distracted – particularly during those critical initial hours – with determining whether, when, and to whom the incident must be reported. A simple incident reporting regime with confidentiality and liability protections built in will also help create the collaborative and transparent environment envisioned by CIRCIA that provides actionable concrete information for both government and industry.
We respectfully submit the following more detailed suggestions, correlated with the objectives above to guide CISA in providing clarity in scope and definitions in the forthcoming rule.
Focus on the real risk
Item (1).a-b, meaning of “covered entity”
To effectively focus on cyber threats that pose the greatest risk and to avoid duplication and confusion, CISA should leverage, and hone, existing globally agreed upon definitions of critical infrastructure. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, Section 9 (“Section 9 entities”), is the best place to start as it requires DHS to identify and maintain a list using a risk-based approach. Section 9 can provide a more limited representative sample of covered entities – narrowing the PPD-21 set of critical infrastructure entities to a subset defined by “critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security.”1
Because CISA’s National Critical Functions List is associated with interdependencies of critical infrastructure, it can serve as another qualifier should CISA need to adjust the list after evaluating the implementation of the regulation.2 The rule needs to be clear in communicating to companies whether or not they qualify as a covered entity and provide entities with the opportunity to consult CISA in assessing this.
Item (2).b, what constitutes “reasonable belief”
The regulation should clarify that “reasonable belief” means that the entity (a) determined that an actual cyber incident has occurred and (b) reasonably concludes that it is highly likely that the incident meets the criteria of a covered cyber incident based on the information known to the covered entity at the time.
Requiring certainty that an actual incident has occurred is both reasonable and beneficial. Reporting false positives when it is ultimately determined that there is no incident at all is wasteful and confusing and does not further the cybersecurity goals of CISA or industry. The rule also should maintain the statutory reporting timeline of not less than 72 hours, providing a reasonable standard for notifying CISA about confirmed covered cyber incidents. The 72-hour timeframe would also recognize the challenges that follow in the immediate aftermath of a potential cyber incident, and particularly the need to focus resources on determining whether an incident occurred, the extent of the incident, and how to contain it, as relevant.
Clear reporting roles
Item (1).c-d, meaning of “covered cyber incident”
Reporting Entity. Only the victim of the covered cyber incident should be obligated to report. Where there may be multiple victims involved – an entity and its cloud supplier, for example – the reporting obligation should be distinguished between the parties, with each determining whether an incident meets the criteria for a covered cyber incident based on the impact on its business and operations. In this way, each victim organization is in a better position to accurately describe the likely impact of the incident and provide the important context necessary for CISA to properly evaluate it.
In addition, cloud suppliers and other service providers should not be placed in the position of reporting on the activities of their clients or suppliers. To do so could risk forcing the cloud supplier to reveal confidential business information in violation of their contractual obligations, and could result in inaccurate or incomplete reporting. Additionally, reporting of the same incident by multiple, tangentially related entities would create confusion and give CISA the burden of deciphering distinct incidents from multiple, potentially inconsistent, reports.
Criteria for Covered Cyber Incident. The criteria should be actual, confirmed cyber incidents that have or are likely to have any of the following effects:
a. Disruption of a Covered Entity: The incident impairs the ability of the covered entity to conduct the business operations that qualify it as a covered entity.
(i) The impairment must be sufficiently severe that the covered entity is unable to continue, or there is a material risk that it will become unable to continue, for longer than just a transient period to conduct a majority of those business operations; or
(ii) The impairment creates a material risk of serious personal injury or death to the covered entity’s clients or the general public in the United States.
b. Substantial Economic Impact: The incident creates a material risk of reduced economic activity, directly by the covered entity, more broadly within the relevant critical infrastructure industry, or elsewhere within the United States, and the reduction would exceed five hundred billion dollars or such other objective metric as is identified by the Director.
c. Novel TTP Developments: A substantial cyber incident reveals tactics, techniques, or procedures of the threat actors that (i) are novel for that threat actor and which are targeting or are likely to target the critical information systems of a covered entity or (ii) identify non-public vulnerabilities in commonly used software or hardware within the relevant critical infrastructure industry, where the continued use of those tactics, techniques, or procedures or further exploitation of those non-public vulnerabilities would raise a serious risk of causing cyber incidents that meet the requirements of a. or b. above for one or more covered entities.
d. Compromise of Highly Sensitive Cybersecurity Vulnerability Information: The incident involves the exfiltration of highly sensitive cybersecurity vulnerability information or penetration testing tools or techniques that would raise a serious risk of causing cyber incidents that meet the requirements of a. or b. above for one or more covered entities.
Be simple, consistent, and collaborative
Maintain the Statutory Liability and Confidentiality Protections Provided in CIRCIA
The rule should continue to provide adequate confidentiality and liability protections for victims of covered cyber incidents. These protections will encourage reporting covered entities to share appropriate levels of information without concern that what they are reporting will be used against them in a future enforcement action or that it will be made public. This furthers the goal of the underlying legislation to provide meaningful and actionable information to the government quickly. Diluting these protections runs the risk of revictimizing the victim and places reporting covered entities in a difficult position of balancing information sharing with protecting themselves against legal and reputational risk.
A good model is that adopted by the Aviation Safety Reporting System.3
Item (3) Other Incident Reporting Requirements and Security Vulnerability Information Sharing
This incident reporting rule should not take the place of or undermine the success of CISA’s existing and successful voluntary vulnerability program. Rather it should augment or complement it and focus on those cyber incidents that pose the greatest and most immediate risk to US critical infrastructure and national security.
IBM believes that all software producers must fully establish and participate in a strong Vulnerability Disclosure Program (“VDM”). The vulnerability transparency to software consumers provided through VDM programs, based on NIST and other industry best practices, is an essential aspect of supply chain security. Similar to CISA’s Known Exploited Vulnerability (KEV) Catalog, the focus of these programs should be on exploitable vulnerabilities (those vulnerabilities which can actually be exploited in malicious ways) and prioritize exploited vulnerabilities (those vulnerabilities which have been observed to be exploited by malicious actors). CISA should not require organizations to disclose details about vulnerabilities before they are appropriately patched and fixed. This incident reporting rule should avoid vulnerability disclosure requirements that could create an easy road map of potential interim security weaknesses that could be exploited by malicious actors.
Item 3.a, other federal, state, regs or directives with similar policies that would create duplication/overlap/conflict with CIRCIA’s reporting requirements
We fully support harmonization and streamlining of state and federal laws and standards to avoid duplication of effort or undermining existing programs, and to focus this rule on the highest risk areas. Consistency between national and relevant international standards would be ideal. Additionally, while technology vendors already collaborate with state and local jurisdictions during incidents, CISA’s incident reporting rule should encourage and enable this collaboration when covered incidents occur. Adding new rules and requirements to an already crowded regulatory landscape without harmonizing them presents a complex challenge for any business with a multinational presence. The current regulatory complexity is exacerbated by the increased proliferation of new and often conflicting legislation, which is increasingly focused on data location, localized incident response, and cybersecurity frameworks that incorporate geo-specific requirements.
Item 3.h, principles governing timing and manner in which information relating to security vulnerabilities may be shared, including any common industry best practices and US or international standards
Employ Responsible and Equitable Security Vulnerability Disclosure and Remediation Practices. Sensible vulnerability disclosure and remediation practices by all parties are essential to the security of the digital ecosystem. The technology sector takes timely action to analyze and mitigate the risk of discovered vulnerabilities and follows responsible coordinated disclosure practices to notify suppliers, resellers, customers, and others of such vulnerabilities as appropriate. We advise CISA to avoid including vulnerability disclosure requirements in this incident reporting rule and instead to continue to leverage CISA’s existing Coordinated Vulnerability Disclosure (CVD) process. The existing CVD process provides a transparent disclosure policy that enables technology vendors to respond to vulnerabilities in a timely fashion before public disclosure to better protect against cybersecurity attacks. This existing process also encourages the responsible disclosure of vulnerabilities by security researchers to technology vendors.
Thank you for the opportunity to comment. For further information or questions, please contact Katie Ignaszewski, Government and Regulatory Affairs, email@example.com.