Last Call at the “Star Wars Bar”: Harmonizing Incident and Breach Reporting Requirements
In an interview last month, Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), acknowledged the challenges that the U.S. government’s complex patchwork of cyber incident reporting requirements imposes on industry.
“It’s sort of the Star Wars bar,” she told a reporter, referring to the motley dive in the Star Wars franchise to highlight how confusing and diverse the requirements are. “If we are making demands on different industries with different timelines and different definitions of a covered incident,” she continued, “we are just going to create chaos.”
It’s an apt analogy. In the United States, there are currently at least two dozen individual federal cyber reporting and breach requirements. They are generally sector- or industry-specific, and are promulgated separately by more than a dozen agencies and departments under various legal authorities. Some sectors critical to national security are not covered by reporting mandates at all, while others are overseen by multiple agencies. Perhaps most frustrating for industry, the threshold for what constitutes a “reportable” event is often poorly defined or vague—triggered by phrases such as the need to report “suspicious activity” or “a cyber incident”—that are difficult if not impossible for industry to define and comply with. The wide variety of timelines for reporting also causes headaches: deadlines can range from hours to days, weeks, and even months.
The system is, to put it mildly, a bit of a maze—though not by design. Over the past several decades, as cyber power and cyber threats have grown exponentially, the relationship between the U.S. government and industry has transformed in turn. Today, there is an increasing consensus that stronger, more cohesive oversight of critical infrastructure is needed for national security reasons. As such, what were once “voluntary” sector-by-sector reporting measures are now becoming enshrined in regulation—in a way that improves insight into the overall threat landscape but also preserves and magnifies the idiosyncrasies and inconsistencies of the sector-specific model.
The current setup is frustrating for both industry and government. For their own part, private industry largely supports the concept of incident reporting mandates in the name of national security. They understand that they are at the front lines of the continuous, low-grade cyber conflict that has become endemic between powerful nation-state adversaries today. But when requirements are unclear or duplicative, or when they divert resources in the midst of incident response efforts—or when information goes only one way—the relationship between government and industry is strained and security itself is undercut. Similarly, the U.S. government’s experience is suboptimal. The highly sector-specific and limited nature of existing reporting requirements means that they have only partial insight into the threat landscape—something that limits their ability to accurately gauge and respond to the full scope of cyber threats to the country.
It doesn’t have to be this way. Easterly’s comments came in the context of a discussion about a new law passed by Congress earlier this year, known as the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). CIRCIA directs CISA to create a set of incident reporting rules for U.S. critical infrastructure—which it defines as those “assets, systems, and networks [that are] … so vital to the United States that their incapacitation or destruction would have a debilitating effect on security.” CIRCIA’s directive to establish federal incident reporting rules for critical infrastructure is an important step toward ensuring that all key sectors alert the U.S. government in the event of a substantial cyber incident.
Yet in order for CIRCIA to truly transform the incident reporting landscape, policymakers need to fully take advantage of a second, less flashy mandate written into the legislation: a call to harmonize any new requirements with "existing regulatory reporting requirements, similar in scope, purpose, and timing ... to the maximum extent practicable." It also requires the Department of Homeland Security to establish a “Cyber Incident Reporting Council” to help coordinate across the federal government and to review and avoid duplicative reporting requirements.
In other words, Congress has recognized that simply layering a new, powerful reporting requirement on top of the existing sector-specific system is a recipe for disaster. They are attempting to solve this in two ways: by requiring CISA to make sure that its new regulations do not create any new problems, and by requiring the Department of Homeland Security to review existing federal rules to try to improve the system more broadly. As important as the first part of this equation is, it is this second goal—to facilitate harmonization efforts across the federal government—that will ultimately determine the success of the incident reporting system in the United States.
This will not be an easy task. It will require both the Department of Homeland Security—via the Cyber Incident Reporting Council, when it is eventually stood up—and CISA— through its role as the country’s lead cyber agency—to facilitate harmonization efforts despite having no formal or additional regulatory authority over other agencies and departments in this space. (Existing reporting requirements are, of course, issued under various legal authorities and by different independent agencies or departments). But what the Department of Homeland Security—and, in particular, CISA—can do is use their collaborative operational and information-sharing processes to advise, coordinate, facilitate, and educate across and between government and industry.
Establishing federal incident reporting rules for critical infrastructure will require an approach that is tailored to the needs of different sectors with different levels of reporting maturity. Each type will come with its own challenges.
Certain sectors that have never been subject to reporting. Several critical sectors have no existing reporting requirements—whether because of robust voluntary measures, a lack of available authorities or resources, perceived lack of cyber risk, or some other factor. For example, the water and wastewater sector is not subject to any federal incident reporting mandate. It is likely that CIRCIA will establish new requirements for this sector, as well as some dam facilities, and other sectors or subsectors, such as certain commercial facilities.
Sectors that already have established reporting requirements. CIRCIA’s impact in these spaces could be influential if it works closely with other entities to plug gaps in coverage while helping to coordinate or standardize reporting timelines or thresholds for materiality when appropriate.
For example, while there should be differences in reporting timelines depending on the severity of the incident, deadlines can often seem arbitrary. They range from 15 minutes—for a root-level intrusion with high impact on the Department of Defense’s networks, escalated within six hours to the Joint Incident Management System, if needed—to 24 hours—for freight railroad carriers, which are required to report to CISA—to 30 to 60 calendar days for some data-breach reporting. And several timelines are unclear, undetermined, or at least not publicly known because the rulemaking or guidance has yet to be formalized, is confidential or classified, or is simply not written clearly.
Sectors that have duplicative or contradictory reporting requirements. Duplication may occur if CISA issues a new reporting mandate that applies to a sector covered by an existing mandate, instead of information-sharing with that sector’s lead authority. Of course, it would be particularly disruptive if the timelines or threshold for reporting between the new and existing mandates were substantially different.
Flat-out contradictions in requirements are rarer but may still arise. One such example may arise within the rules proposed recently by the U.S. Securities and Exchange Commission (SEC), which require public companies to disclose incidents to shareholders within four days. As the draft rule stands, there is no ability to delay public reporting for law enforcement or national security reasons. This could potentially create a situation in which a public company that also qualifies as a critical infrastructure entity could report a supply chain compromise privately to CISA within the timeline established by CIRCIA. Then CISA, together with the FBI, may investigate the incident and determine that they need more time to remediate the extent of the compromise before it becomes public. Yet, pursuant to the SEC’s mandate, public disclosure would still be required within four days. At the very least, this would result in the need for some quick behind-the-scenes interventions. At worst, it could cause more harm by tipping off threat actors that may still be active in the system.
In short, the success of CIRCIA will depend on not just how it goes about extending reporting mandates to new sectors but also how it understands its role to “harmonize” across existing ones. And in fact, given the multiplicity of different actors in this space, the latter is likely to be the more difficult of the two.
As the importance of federal cybersecurity incident and data-breach reporting requirements is only increasing—given the pace of recent cyberattacks and in the face of a seemingly increasingly volatile geopolitical environment—now is the time to get this right. It’s closing time at the Star Wars bar.