EPISODE 161
Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)


About this episode

July 2, 2024

CIRCIA stands for the “Cyber Incident Reporting for Critical Infrastructure Act”. But what does it really mean? Let’s find out with your hosts Kip Boyle, CISO with Cyber Risk Opportunities, and Jake Bernstein, Partner with K&L Gates.


Episode Transcript

Speaker 1: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives thrive as cyber risk managers. Your hosts are Kip Boyle, Virtual Chief Information Security Officer at Cyber Risk Opportunities, and Jake Bernstein, partner at the law firm of K&L Gates. Visit them at cr-map.com and klgates.com.

Jake Bernstein: So Kip, what are we going to talk about today in Episode 161 of the Cyber Risk Management Podcast?

Kip Boyle: This is going to be a good one. They're always good. The reason why I think this is going to be good is because it's really going to be about a subject I don't know too much about. So I'm going to follow your lead. And I always enjoy these. These are always good for me.

What we're going to tackle today is something related to critical infrastructure. And it's new, and people are calling it CIRCIA. And that's really an acronym, right? C-I-R-C-I-A, we're going to unpack all that. And most importantly, as we try to do, we're going to explain why this matters to you, our audience of cyber risk management professionals. So, that's what we're going to do.

Jake Bernstein: Indeed, we are, Kip. So, I kind of like your pronunciation. I've also heard CIRCIA, I've also heard CIRCIA. But what it stands for-

Kip Boyle: That doesn't sound too different to me.

Jake Bernstein: It doesn't. It's CIRCIA or CIRCIA. It's where we want to put the emphasis on the syllable-

Kip Boyle: Yeah.

Jake Bernstein: ... on the syllable, precisely. But here's what it stands for. The Cyber Incident Reporting for Critical Infrastructure Act. And I'm pretty sure we brought this up before, because it passed in 2022, and-

Kip Boyle: When we didn't have any rules.

Jake Bernstein: We didn't have any rules. So what we probably said was, "Hey, CISA," which is the Cybersecurity and Infrastructure Security Agency, "... has 18 months to write the rules, and then there's a comment period, another year before the final rule comes out."

Well, that 18 months is over, more or less, and the rule is out. And let me tell you, Kip, it is a monster of a Notice of Proposed Rulemaking, that's NPRM in federal regulatory speak, clocking in at 133 pages of tiny little font, arranged in that classic three-column federal reporter format.

Kip Boyle: I'm looking at it right now.

Jake Bernstein: Yeah, it is-

Kip Boyle: It's assaulting my eyes.

Jake Bernstein: Yeah, it is. I think that a very valid off-label use of this document is as a sleep aid to help insomnia. Nonetheless, it is honestly very important for cyber risk managers to at least become aware of this rule, which will soon, "soon" being relative, be a final regulation.

But really, Kip, I think it's pretty important that they understand that. So, what are you thinking right now since I kind of sprung this on you?

Kip Boyle: Well, we have to back up for a second because CISA, that is a relatively new agency. It's actually within the Department of Homeland Security. Some people actually think it's in DOD or NSA or whatever, but no, it's not. And its full name is the Cybersecurity and Infrastructure Security Agency.

Jake Bernstein: Yeah, I always thought... I've been leaving out the 'and', but now it does make more sense. I still don't like the way... it doesn't really roll off the tongue-

Kip Boyle: No.

Jake Bernstein: ... when you say it out. But everyone does call it CISA.

Kip Boyle: Yeah.

Jake Bernstein: That is its definite name, and-

Kip Boyle: And we should probably do a whole episode on CISA at some point because I actually think they're doing some pretty darn good work over there. They actually have some stuff that would probably help a lot of people, but they don't even know about it.

Jake Bernstein: Well, that is the God's honest truth, Kip. CISA is doing an incredible amount of work, really, really impressive stuff that it gives away for free.

Kip Boyle: Yep.

Jake Bernstein: And I think we probably should do an episode on CISA because honestly, if you're a cyber risk manager and you're not aware of CISA and the resources that it makes available to you, you're seriously missing out.

Kip Boyle: Yeah.

Jake Bernstein: So we'll do that. But for now, I think you're supposed to ask me-

Kip Boyle: Let's take it back, let's take it back.

Jake Bernstein: Yeah, let's take it back.

Kip Boyle: Let's take it a little bit back to CIRCIA, is that how you-

Jake Bernstein: CIRCIA.

Kip Boyle: CIRCIA, okay, good. All right-

Jake Bernstein: Yeah, we're going to go with CIRCIA.

Kip Boyle: I'll get it, I'll get it. We'll see, all right. Now, I want to understand, what is the role of a cyber risk management professional with respect to this new proposed rule?

Jake Bernstein: Sure, sure. So let's go through what it is and what it isn't. So, CIRCIA, as I said, was passed in 2022, and it's a dedicated law about cyber incident and ransom payment reporting requirements for all covered entities. Now, what's a covered entity, you might ask. Well, it's any entity that is considered to be critical infrastructure.

Kip Boyle: Aha. Okay. Well, so I immediately think about the NIST Cybersecurity Framework, its Version 1 and Version 1.1 incarnations, because those versions were created specifically for critical infrastructure.

And I know that we have an actual set of critical infrastructure sectors. So there's a whole body of knowledge out there on it, but I'm going to guess that it's not that simple.

Jake Bernstein: Yes and no. In some ways it is that simple, but in other ways it really isn't. But before I answer that, I do want to, I'm going to go lawyer here for a moment, and I just want to consider what it is that we're dealing with in this 133-page Notice of Proposed Rulemaking.

Kip Boyle: Thank you.

Jake Bernstein: Now, as with all NPRMs, this is not necessarily a fair statement, but I think most of it is what I might call fluff. Now, I don't mean to say that the fluff isn't useful or important, but most of it is, frankly, explanatory, and it's a discussion of background facts and ideas.

If one wanted to skip to the actual text of the proposed rule, it turns out, Kip, you can flip all the way to Page 122, which means that out of the 133-page PDF, only 11 pages contain the actual rule text.

Kip Boyle: Okay, so when I write for my audiences, I like to do what I call a BLUF, a bottom-line-up-front approach. This would be the exact 180-degree opposite of this.

Jake Bernstein: In fact, Kip, I'm going to admit something that is a little embarrassing. When I first started looking at NPRMs, I couldn't find the proposed text of the rule. I didn't realize that it was literally at the very end.

Kip Boyle: Is there any actual cogent explanation for why it's organized like this?

Jake Bernstein: So, the answer comes down to federal regulatory law and the requirement for federal agencies to be transparent about rulemaking. If you care, it's really good that it's written this way.

Kip Boyle: Okay.

Jake Bernstein: For most of us, it's a lot of stuff we can skip. However, it turns out there's actually a lot of really interesting stuff written in these Notices of Proposed Rulemaking. I have read some of them. By no means have I read all of them. That would just take too much time.

But it is good to know what the Government is thinking. And I find that, when you read it, you actually feel a little bit more at ease and maybe have a bit more of a feeling of security that the people who have their hand on the tiller-

Kip Boyle: Yeah.

Jake Bernstein: ... maybe actually do have a clue-

Kip Boyle: Okay.

Jake Bernstein: ... which is good. That's good. And part of it, Kip, the most direct answer to your question is that yes, there's a law that says they have to write it this way, to some degree.

Kip Boyle: Okay. Now, okay, so here is the thing. I think that's cool that we can get some insight into the mind of the regulator here, but 122, 121 pages of insight, isn't there some way to just not read all that?

Jake Bernstein: Yeah. So I'm going to admit right now, Kip, that I used ChatGPT-4o, the newest model-

Kip Boyle: Aha.

Jake Bernstein: ... to help create a summary of all 133 pages, although you don't need the AI on the 11 pages of actual rule text, but it is super helpful on the, what I called fluff earlier.

Kip Boyle: Yeah.

Jake Bernstein: And I want to remind people who haven't necessarily already been doing... these large language model AI tools. And look, this is like the Great-Wall-of-China-sized text wall. People say, wall of text. Well, this wall of text is the Great Wall of Text.

Kip Boyle: Oh, I see what you mean.

Jake Bernstein: And it's just massive. And I don't even know, this honestly looks like size eight font to me. Maybe it's a little bit more than that, but it is tiny.

Kip Boyle: Yeah, it is super small. It reminds me of one of those old-timey newspapers that never included photographs or illustrations and it was just like this huge wall of text. I appreciate that they wrote it in a serif font that makes it a little easier to consume.

Jake Bernstein: Agreed, yes.

Kip Boyle: But I love the fact that you used AI to do a summary of it. Now, I want to go off-script. I don't ever do that, but I'm going to do that this time because I'm super interested. How did you do that? Did you feed the PDF into an AI that specializes in PDFs?

Because I've seen some apps now where you can give it a PDF, and then it analyzes it, and then it's like, "What would you like to know," and you can chat with the PDF. Is that what you did?

Jake Bernstein: It's funny you mention that. I actually opened up the PDF in my favorite Mac app for PDFs these days, which is PDF Expert, and there is a chat button. And yes, that does connect to OpenAI APIs, and you could do that, but I didn't do that this time, Kip, because as a paying customer of ChatGPT Teams, I have access and have had access to the GPT-4o model.

So I simply opened a chat, drag-and-dropped the PDF into the chat window and asked ChatGPT-4o if it would be so kind as to read and summarize it for me, which it, of course, did-

Kip Boyle: Okay.

Jake Bernstein: ... in 10 seconds.

Kip Boyle: Nice, nice.

Jake Bernstein: So...

Kip Boyle: Okay, so there you go everybody, there's a little productivity tip for you. Now, I actually have recently picked up a dedicated app that does this. It's called PDF Pals, P-A-L-S. And you can feed it your API key to OpenAI, and then you have this Mac app that you can feed it any PDF you want. And it's all local, so I don't have to expose my line of questioning to the great unwashed-

Jake Bernstein: Although, Kip, since this is the Cyber Risk Management podcast, if you have an API key, isn't that just... I assume it's using your API key, which means it is sending it out.

Kip Boyle: Oh, that's true, that's true. I'm sorry, I was thinking about... I'm using LM Studio as well where I'm downloading a large language model, like Llama 3, and that is where it also stays local.

Jake Bernstein: Yep, that is staying local.

Kip Boyle: Sorry, I got that a little mixed up. But this is what happens when you start playing around with stuff you've never played around with before, "Okay, how does this thing work again?" Anyway, so that's what I'm doing with PDFs is, I'm consuming them locally in this app. I think I paid 15 bucks for it, or something, which I thought was completely reasonable.

Anyway, all right. So, listen folks, augment yourself with these artificial intelligence generative tools so that you don't have to use this proposed rule in an off-label manner not prescribed by your doctor for insomnia curing.

Okay, now, let's get back to it. So, can we just skip over the public participation section and just go right to the rulemaking? And just so everybody knows, you still have until July 3rd to submit a comment if you want to, right? This isn't final yet.

But the goal of this regulation is to help the US Government coordinate responses to cyber incidents that are affecting critical infrastructure. And Jake, you told me this is not the same as the goal of the SEC's recent 8-K reporting requirements. That's all about empowering investors so that they can make good investment decisions. Did I get that right?

Jake Bernstein: You did, Kip. And I think listening to you say that, it makes me realize just how involved lawmakers and agencies are getting in our space, our cyber risk management space. It really is coming to the point where cyber risk managers, you do need to start looking more and more at the legal requirements and these laws.

Because the problem is that just plain lawyers don't have the cybersecurity background to necessarily understand the implications of these laws. So they need your help. And you won't even know to offer it to them unless you're aware of these rules.

So, here's one where, "CIRCIA is about protecting the nation's critical infrastructure." I really don't think it should be seen as another anti-business regulation. It simply isn't that at all. And I'm curious, Kip, from your perspective as a former CISO, as a Virtual CISO, why do you think it's important?

Is it important for the government to have information about cyber incidents and ransom payments? Keep in mind, this one's a little different. It turns out that under this law and these regulations, if you pay a ransom, you have to tell the Government you've paid, and the amount. That's new. There's no current law that requires that.

Kip Boyle: Yeah.

Jake Bernstein: So with that, do you think this is important to help protect critical infrastructure?

Kip Boyle: What a softball, thank you very much. So, I want to reflect on something that I just wrote and distributed just five days ago. I wrote an inflection point. So for those of you who don't know, if you go to my website, cr-map.com, you can sign up for my inflection points.

It's about a 500-word email that I send every other week, and I talk about, ta-da, inflection points, big things that happen in the world of cybersecurity and cyber risk management that I think should change, potentially, the way we manage cyber risks.

And so, I want to talk about why it's important for the government to have this information, and I'm going to do it with respect to a report that recently came out from the US Cyber Safety Review Board, the CSRB. That's not a TLA, it's actually a 4-letter acronym instead.

But the Cyber Safety Review Board is actually part of CISA, and a lot of people don't know this. It goes back to what we were saying when we started the episode, that CISA-

Jake Bernstein: This is why we need to do an episode on CISA.

Kip Boyle: That's right, that's right. So, CISA released this report, and it was about Microsoft's high-profile attack by a China-based cyber attacker.

Jake Bernstein: Now wait a second, Kip, wait a second. I want to go back to the history of our podcast. Didn't you say, years ago, that there should be something like the National Transportation Safety Review Board for cyber?

Kip Boyle: Yep.

Jake Bernstein: I feel like this is it.

Kip Boyle: This is it, this is it.

Jake Bernstein: This is it.

Kip Boyle: This is as close as you've come.

Jake Bernstein: Maybe you manifested this Cyber Safety Review Board.

Kip Boyle: Maybe I just repeat a lot of what other people say and I just have a microphone. But you're right, this is like the NTSB's crash investigation capability.

Jake Bernstein: It's 100%.

Kip Boyle: It's a no-fault, no-blame examination of something that happened that was really bad, and the point of it is to address root cause issues so that this doesn't happen again. And they looked at what happened when a China-based cyber attacker stole a Microsoft account that had a consumer key, a cryptographic key that allowed them to forge access tokens and would allow them to get into Outlook Web Access and Outlook.com so that they could perpetrate information-

Jake Bernstein: Fraud?

Kip Boyle: Yeah. Well, I'm specifically focused on not just fraud in a business way, but that they actually stole information more in an espionage way, I think.

Jake Bernstein: Okay. Yeah, yeah.

Kip Boyle: And so, the CSRB criticized Microsoft's slow response, inadequate communication, lack of transparency, and an insufficient investment in proactive security measures. And guess what? Microsoft responded and at least made commitments to double its security budget in the next three years, hire 1,000 new cybersecurity experts, establish a dedicated cyber defense operations center, on and on and on and on and on.

Now, will they pay off after all this? I don't know. We'll see. But the point is that when the Government has access to this kind of information, it can then conduct these kinds of root cause analyses and release that information so that, as cyber risk managers, we can be way better informed about what's actually going on in the world so that we can make better decisions.

Jake Bernstein: It's like Tell the Truth Monday when Pete Carroll was the coach of the Seahawks, like, you looked at the tape and you didn't blame anyone, you didn't have any fault, but you just told the truth as it was.

Kip Boyle: Yep. And that's how we get better.

Jake Bernstein: That is how we get better. Okay, that's really interesting. And Kip, why do you think that this law had to be passed?

Kip Boyle: Because there's just no other central place to provide leadership on this. And so, this is just-

Jake Bernstein: And that's a problem, right?

Kip Boyle: Yeah.

Jake Bernstein: If your goal is to gain useful insights about information, it really does have to be centralized.

Kip Boyle: I think so. And at a federal level and in a safe harbor so that people can talk honestly about what's going on, so that we can actually continue to evolve our practice of reasonable cybersecurity, reasonable cyber risk management. It just really goes back to the fact that we have to have continuous improvement because cyber is a dynamic risk.

Jake Bernstein: Cyber is a dynamic risk. And you know what, Kip, I think it's also about building a more resilient cybersecurity culture. We need the culture change to do this-

Kip Boyle: Yeah.

Jake Bernstein: ... and we can't do that unless we have a true idea of what's going on.

Kip Boyle: Right.

Jake Bernstein: And look, for those worried that CISA will use this information to prosecute companies for being breached, I don't think you need to worry. That's not part of CISA's or DHS's, Department of Homeland Security's jurisdiction.

CISA, like DHS, I mean, this is why CISA is in DHS, it's interested in what, Kip? National security. That is its mission. And look, maybe 10 years ago people would look around and say, "Oh, national security, whatever. There are no threats." It's clearly not the case-

Kip Boyle: Not anymore.

Jake Bernstein: .... in 2024, that there aren't threats. There absolutely are. And I think the threats to our critical infrastructure are really scary, and I think that is one of the reasons that we're really pushing this forward.

Kip Boyle: Yeah. We've got to get better.

Jake Bernstein: Okay, so-

Kip Boyle: And the gulf between-

Jake Bernstein: We do, we've got to get better.

Kip Boyle: ... the gulf between American government and American business has traditionally been very, very wide, right?

Jake Bernstein: Yeah.

Kip Boyle: And I'm sorry to say that I don't believe we can continue in that way into the future because the world has just changed, and we're going to have to figure out how to get along with each other.

Jake Bernstein: And let's unpack that a second, Kip, because I think that there are a lot of people in the modern age who might take that the opposite of the way you intended, which is to say, "Oh, government is not effective, it's..."

And I think a lot of it, Kip, particularly in the military, and you have military experience, is that you can actually just give orders.

Kip Boyle: Right.

Jake Bernstein: And if people don't follow orders, then things happen. Then you go to jail.

Kip Boyle: Yeah.

Jake Bernstein: And outside, I think, the private sector is just too laissez-faire about a lot of these security issues on enforcement.

Kip Boyle: Well, there's a lot-

Jake Bernstein: That is probably going to have to change.

Kip Boyle: Yeah. And there are externalities and the fact that the private sector runs on the invisible hand, the free market telling organizations how they ought to behave to maximize profit. And I'm really careful about recommending whether there should be additional regulations.

And so I don't say this lightly, we have an environmental protection agency because there were too many externalities where rivers were becoming polluted, acid rain. We had all these really awful environmental problems because companies could not be held to account for the waste that they were discharging into the environment.

And so we had to create a regulatory regime and an agency to provide feedback to organizations that the free market wasn't providing. And I think this is similar. There are so many externalities around cybersecurity failures that I don't think the free market really has a mechanism for dealing with it.

Jake Bernstein: No, I think that's right. And delving into all of that is a different podcast, not even a different episode, but a different podcast on capitalism and regulation.

Kip Boyle: Right.

Jake Bernstein: That would be a fascinating topic. But we're going to go back into this document, and look, the rest of it is going to go into a great deal of detail about definitions and scope, the actual reporting requirements, exceptions to those requirements, data and records preservation rules, obviously enforcement, but also, and helpfully, protections and privacy related to the reports provided to CISA.

And I want to warn everybody now, look, we may not get through all of these topics. We're going to keep these episodes, as we normally try to do, to 35, 40 minutes. And there's a lot to unpack here. So, if you're curious, we'll put a link in the show notes, I'll make sure Kip does that-

Kip Boyle: Yes.

Jake Bernstein: ... that will give you a link to the primary document. Again, you can skip to Page 122 to find the actual rule, and you can read it for yourself. What we will definitely get through, because Kip's about to help us, is the scoping.

And so you will know right in about three or four minutes whether or not you really need to worry about this. And I think that a lot of people will be surprised as to how broad this concept is. So Kip, why don't you go ahead and start with scoping.

Kip Boyle: Absolutely. And that means, I think the first question that everybody wants to know the answer to is, what is critical infrastructure? Well, we've got some really strong information there for me to share with you.

Okay, so this rule says that it applies to an entity in a critical infrastructure sector. And there are two different ways that you can be classified as critical infrastructure. One is that you exceed the small business size standard that's specified in the applicable NAICS code. Wow.

Jake Bernstein: Man, those codes, they just pop up, don't they, Kip?

Kip Boyle: And for anybody who doesn't know, NAICS is, and I'm not going to unpack that acronym, but it's just a way of classifying and organizing the different types of organizations that operate in an economy. So my company, Cyber Risk Opportunities, we have an NAICS code.

I just had to use it the other day because I was filling out some form for something and I needed to put it in there. So that's one way that you can be classified as critical infrastructure. Now the second way is that you can meet a sector-based criterion, and that's listed in the rule.

And it doesn't matter if you think you are in a critical infrastructure or not. This is how you... Oh, if you're in it or not. And there's 16 critical infrastructure sectors. And I'm looking at Table 22 in the Federal Register, Volume 89, Number 66, and is this right, Page 23761? In the upper right-hand corner, is that the page number? I've never read these before.

Jake Bernstein: Yeah. Federal Register, so the Federal Register, this is a slight aside for you, the Federal Register, Kip, is literally the official record of the Federal Government... Because there's one for every year-

Kip Boyle: Wow.

Jake Bernstein: ... and they just go on and on and on.

Kip Boyle: Oh, so they just keep publishing. So they just keep adding pages and incrementing the page numbers, isn't that right?

Jake Bernstein: Correct.

Kip Boyle: Ah, okay. Okay, so then it is Page 23761. Don't worry-

Jake Bernstein: That is true.

Kip Boyle: ... I'm just putting that there because if you want to know where Table 22 is, it's actually kind of hard to find unless I give you some sort of a landmark, and there's your landmark. So what are these-

Jake Bernstein: If you click the link and get the downloaded PDF, there should be a specific page number in the PDF-

Kip Boyle: Right. The way that my PDF reader interprets this, it's Page 118. It's just, you won't see that actually on the page.

Jake Bernstein: That's true.

Kip Boyle: Yeah. So that's why I wanted to be careful. Okay, there are 16 critical infrastructure sectors. They're all listed here. And I'm not going to read the list, but it runs the gamut, like-

Jake Bernstein: Well, actually, Kip, there's only 16. I think it's worthwhile, why don't we read the list?

Kip Boyle: Okay. Chemical, commercial facilities, communications, chemical manufacturing, dams. Not damn, but dams. Defense industrial base, emergency services, energy, financial services, food and agriculture, Government facilities, healthcare and public health, information technology, nuclear reactors, transportation, finally, water and wastewater.

And when I see this list, I'm like, "Well, if I make insulated beverage cups for consumers, am I critical infrastructure?" Probably not, but everybody else probably is.

Jake Bernstein: Yeah. No, I mean, look, there's... And just to be clear, these 16 sectors, these aren't defined by this new rule.

Kip Boyle: No.

Jake Bernstein: These have been around a long time.

Kip Boyle: Yep.

Jake Bernstein: And there's all sorts of places you can go to learn more about them. I think what's interesting here is that... Think about this, what this means is that if you are an entity and you are not a small business but you operate in one of these sectors, CIRCIA applies to you.

Kip Boyle: Yep. And if you still don't know, go find your internal counsel and get them to tell you.

Jake Bernstein: That's true, yes.

Kip Boyle: Right? That's how I always did it. Whenever I wondered, I just went to the in-house counsel and I just said, "Is this a thing for us?" And I-

Jake Bernstein: And you can find broad definitions of these sectors in many different places. We'll leave that to the listener.

Kip Boyle: Yeah.

Jake Bernstein: But I want to point out that CIRCIA also applies to you under a host of pretty specific criteria. And I'm not going to read these because this goes on and on for several pages, but here's some of these that are interesting.

Keep in mind that it doesn't matter what sector you are in or even if you're a small business necessarily, if you do any of these types of things... So here's one, "If you own or operate a covered chemical facility subject to," get this, "... the Chemical Facility Anti-Terrorism Standards pursuant to 6 CFR Part 27."

CFR is the Code of Federal Regulations. So what that's saying is that there is a federal regulation that's about the Chemical Facility Anti-Terrorism Standards, and if you own or operate a chemical facility subject to it, boom, you're critical infrastructure for purposes of CIRCIA.

Kip Boyle: Do you see why you need a lawyer to help you figure this out?

Jake Bernstein: Do you see? Exactly. "If you provide wire or radio communication services and you have to report outages to the FCC," boom, that one makes sense. "If you own or operate critical manufacturing sector infrastructure," which itself is defined as whatever primary metal manufacturing is; machinery manufacturing; electrical equipment, appliance and component manufacturing; or transportation equipment manufacturing. And look, listeners, this goes on and on and on for several pages of very small text.

Kip Boyle: Make the lawyers do this, make them figure it out. You have enough to do.

Jake Bernstein: But once you figure it out, then it's time to dig into the next section.

Kip Boyle: Right. Yes, absolutely. And I think it should be completely clear to everybody at this point that it takes a lot of critical infrastructure to run our modern world, right?

Jake Bernstein: Oh, it does.

Kip Boyle: And so, even if you don't think you're critical infrastructure, just don't be surprised if you find out that you are.

Jake Bernstein: Yeah. And what's interesting is that this recently came up during the COVID lockdowns, because it turned out that the way to not be locked down, the way to keep a business open was to be declared critical infrastructure. So a lot of companies very recently have made a very...

They told the Government, "We are a critical infrastructure." Government might've said, "Okay, sure," which was great during COVID because you could keep operating, but if it's true that you're critical infrastructure, then now this law applies to you.

Kip Boyle: Right.

Jake Bernstein: Okay. So we've covered scope, applicability of the entity. Now, Kip, I think the next step is pretty clear. What's a covered cyber incident? Well, it's a substantial cyber incident experienced by a covered entity.

Like I said, we just figured out the covered entity part. So let's look into what a substantial cyber incident means. And Kip, it would not be surprising to me if we spend the rest of the episode discussing a substantial cyber incident.

And before I let you go into the details on this, I think both of us should reflect on, one, why it's important to... I'll ask you, Kip, why didn't we just say, "You have to report all cyber incidents to us"?

Kip Boyle: That's just too much.

Jake Bernstein: Well, and is it helpful? Well, what's a cyber incident, right?

Kip Boyle: Yeah. And this is something that we've talked about, as practitioners, forever. Is a single TCP ping at my firewall an incident? Well, it is. But is it worthy of reporting as a single incident? No.

Jake Bernstein: No. So, okay, I think we both agree, and I think everybody who knows cybersecurity agrees, and I don't know why I'm getting so excited about this, Kip, but I am really jazzed up, it's really important.

But also, it's really hard to define a substantial cyber incident. And look, the context that you and I have dealt with this over and over and over again is really contracts, right?

Kip Boyle: Yeah.

Jake Bernstein: Because in a business relationship people always want to know what is... they want to know what cyber incidents happened, but they don't really want to know every cyber incident. And it's the same song and dance and debate every time.

Kip Boyle: Yeah.

Jake Bernstein: "Okay. Well, what should we tell you about?"

Kip Boyle: Right.

Jake Bernstein: And let's look at this. Go ahead.

Kip Boyle: Oh, my Lord. This is a very predictably long definition.

Jake Bernstein: I don't think there's a way around it.

Kip Boyle: Really?

Jake Bernstein: I don't think there's a way around it.

Kip Boyle: It's torture for me to even think about reading this. I can imagine what our listeners will think.

Jake Bernstein: I'll do it. I love this stuff.

Kip Boyle: I know you-

Jake Bernstein: But no, you go ahead first. I'm going to force you to do it.

Kip Boyle: Okay, let it be known Jake is pointing a virtual gun at me. Here we go. "A substantial cyber incident means a cyber incident that leads to any of the following." And I will tell you now, there are six items in this "any of the following," and some of them actually have sub points in them. Okay, here we go.

Jake Bernstein: And to be fair, we might comment on each one so that we don't blow everybody away trying to read... I mean, that's a bunch of text.

Kip Boyle: Okay, let's take them in turn.

Jake Bernstein: Let's take them in turn.

Kip Boyle: Okay. Number one, "A substantial loss of confidentiality, integrity, or availability of a covered entity's information system or network."

Jake Bernstein: Well, I like the use of the CIA triad, but it's a little circular, maybe.

Kip Boyle: Yeah...

Jake Bernstein: It hasn't really helped, so...

Kip Boyle: I'm defining a substantial cyber incident using the word substantial.

Jake Bernstein: Yeah, that's normally circular, but let's keep going.

Kip Boyle: Okay.

Jake Bernstein: Okay. So, I mean-

Kip Boyle: That's one-

Jake Bernstein: ... I will say this-

Kip Boyle: It's one of six.

Jake Bernstein: ... in defense. Yeah, I will say this in defense. Maybe we didn't add a whole lot to substantial, but breaking down cyber incident, which, remember, and we'll go over this again in an upcoming episode when we review this year's Verizon Data Breach Investigations Report, but remember how the Verizon DBIR really does a good job of breaking down cyber incidents?

And they talk a lot about the different mechanisms and ways that a cyber incident can impact confidentiality, integrity or availability of different network or different assets and different entities. So, it's helpful. Okay, what's number two?

Kip Boyle: "A serious impact on the safety and resiliency of a covered entity's operational systems and processes."

Jake Bernstein: Well, now we've replaced "substantial" with "serious"? This is why this is hard. I feel bad for people who have to write this, and I feel bad for myself when I have to figure it out because-

Kip Boyle: Can you feel bad for me, because as a practitioner it's even worse.

Jake Bernstein: Okay, I suppose I should feel the worst for you. But honestly, can you at least appreciate the difficulty of this, trying to reduce-

Kip Boyle: I can.

Jake Bernstein: ... to language what we're trying to explain?

Kip Boyle: Absolutely. And the other thing that I'll mention too is, loss and impact and disruption and all of these words that we're going to hear, they don't mean the same thing to the same people even in the same organization. So-

Jake Bernstein: Possibly not even to the same person at different times.

Kip Boyle: That's right. There's so much variability. An impact, if I'm a customer of an organization, is going to be different. The same incident is going to impact my customers differently than it impacts me as an employee, do you know what I mean? And investors, it's going to impact investors differently.

So customers might say, "This is a serious impact on these operational systems." And investors might go, "Nah, it doesn't bother me because it's not gonna mess up my stock price," right?

Jake Bernstein: Well, that's a different episode, Kip. The SEC just came out with a commentary a few days ago, on the date of recording about that, but let's continue.

Kip Boyle: But you do grant that impact means-

Jake Bernstein: I do grant...

Kip Boyle: ... different things to different people, even-

Jake Bernstein: Oh, I totally agree grant...

Kip Boyle: ... even on the same incident.

Jake Bernstein: Yes.

Kip Boyle: So I understand why this is hard. Number 3, "A disruption of a covered entity's ability to engage in business, or industrial operations, or deliver goods, or services."

Jake Bernstein: Now this one, this one starts to get, I think, down to it. If you disagree that if you can't engage in business or your industrial operations or deliver goods and services, that it's substantial incident. That one is actually quite helpful.

Kip Boyle: I would even comment that that is a great example of a material business risk.

Jake Bernstein: I agree. Agreed.

Kip Boyle: And I don't see yet the use of that material or materiality.

Jake Bernstein: You won't. I believe you won't because materiality is such a loaded word in the legal context that I think they tried to avoid it, to be honest.

Kip Boyle: Ah. Fascinating. Number 4, "Unauthorized access to a covered entity's information system or network, or any non-public information contained therein that is facilitated through or caused by," and here's where we get to a couple of sub bullets, "... 1, compromise of a cloud service provider, managed service provider, or other third party data hosting provider, or, 2, supply chain compromise." So that's four.

Jake Bernstein: Interesting. So Number 4 is, this is directly targeting the SolarWinds event, right?

Kip Boyle: I think so.

Jake Bernstein: That's exactly what it's doing.

Kip Boyle: Yep, yep. So, I like this because I think it demonstrates that the regulators are keeping up with the changing nature of cyber risk, that it's dynamic, and so this, I think, reflects that. But it also continues to pull more and more and more entities into the scope of this rule.

Jake Bernstein: Yep. No, for sure.

Kip Boyle: Okay, Number 5, this one's a little long. "A substantial cyber incident resulting in the impacts listed in paragraphs 1 through 3 in this definition includes any cyber incident regardless of cause, including but not limited to any of the above incidents caused by a compromise of a cloud service provider, managed service provider, or other third-party data-hosting provider; a supply chain compromise; a denial of service attack; a ransomware attack; or exploitation of a zero-day vulnerability."

Jake Bernstein: Interesting. So here, what they're trying to do is, we talked about how, one, which was a substantial loss of confidentiality, integrity or availability of a covered entity's information system or network, and then, two, a serious impact, they're trying to help a bit more by giving some specific examples. Now, of course, these are not limitations-

Kip Boyle: Right.

Jake Bernstein: ... they're examples, but it is interesting. Okay, we're at the endgame here of both this episode and this definition. So why don't you take us home.

Kip Boyle: I have to ask you a question first.

Jake Bernstein: Okay.

Kip Boyle: So, what is the federal law that was promulgated, your favorite word, in, what was it, the 1980s in response to... It wasn't a response to it, but it was the first time they ever used it was with the Morris worm? Do you know what I'm talking about?

Jake Bernstein: Was it the Computer Fraud and Abuse Act?

Kip Boyle: That's it, that's it. For some reason I couldn't bring it up. When I read this definition of substantial cyber incident, I'm thinking about that Fraud and Abuse Act. It seems like anything that would be prosecuted under that Act fits here.

Jake Bernstein: And that... Maybe, maybe.

Kip Boyle: Okay, I know you didn't prepare that, but-

Jake Bernstein: I did not prepare that.

Kip Boyle: ... that's something you can discuss.

Jake Bernstein: And I think it's... The CFAA is the "we can prosecute hackers" law. So it's hard to say that, I mean-

Kip Boyle: But I'm saying the kind of damage that a hacker can cause under that law, which would subject them to prosecution, I mean, I'm just reading all this, "A covered entity's information system or network..."

Jake Bernstein: Yeah. No, it's true.

Kip Boyle: Any bad thing that happens there can be prosecuted under the CFAA.

Jake Bernstein: That is true.

Kip Boyle: Anyway, I just think it's an interesting nexus.

Jake Bernstein: The last piece here, which is not uncommon in federal law is a negation. So go ahead and read this one.

Kip Boyle: Okay, here's the 6th and final one. "The term 'substantial cyber incident' does not include, 1, any lawfully authorized activity of the United States Government entity or SLTT," that means State, Local, Territorial or Tribal government entity, "... including activities undertaken pursuant to a warrant or other judicial process." I can't wait to unpack that one. That's-

Jake Bernstein: Well, that one's actually pretty easy, Kip, but sorry, go ahead.

Kip Boyle: So that's 6.1. 6.2, "Any event where the cyber incident is perpetrated in good faith by an entity in response to a specific request by the owner or operator of the information system, or, 6.3, the threat of disruption as extortion as described in 6USC 650 (22)." Is that how you would read that?

Jake Bernstein: Yeah. USC is the United States Code. So that's the federal laws. So I think this one's actually pretty easy to unpack. I'll start with, 3 is just, they're just trying to say the threat of a substantial cyber incident isn't itself a substantial cyber incident. And I think that's logical and correct.

Kip Boyle: Okay.

Jake Bernstein: 2 is how you do pen testing without being in trouble with the Government.

Kip Boyle: So I may have permission.

Jake Bernstein: You have permission. And 1 is just the Government executing on its enforcement powers also isn't going to cause a substantial cyber incident.

Kip Boyle: I think it's more than that. I think 6.1 is more than that. I think 6.1 is active defense, hack back, data recovery.

Jake Bernstein: It could be.

Kip Boyle: The disabling of adversary-

Jake Bernstein: Oh, yeah. No, I think that's right. I think you're right, Kip. I didn't initially read it that way, but I think you're right. I think what you're saying is that, sure, if you have a warrant and you come into my computer system, it's not a substantial cyber incident.

Kip Boyle: Right.

Jake Bernstein: I agree with that. But you're saying it's bigger than that, which is that if there is a lawful... If the CIA, maybe bad example because they don't operate, in theory, inside the-

Kip Boyle: FBI.

Jake Bernstein: The FBI. The FBI might come in and do it. So, wow, Kip. Okay, look, this has been a great episode, but we are at 46 minutes.

Kip Boyle: I know. But hey, what do they say, "Go out on a high note." Here you go.

Jake Bernstein: Go down on a high note. And look, we didn't even get to the reporting requirements-

Kip Boyle: Or the exceptions.

Jake Bernstein: ... and the exceptions to the reporting, the data and records preservation, the enforcement there are, the protections and privacy.

Kip Boyle: Is this your backdoor opportunity to create a Part 2?

Jake Bernstein: Yeah, actually I'm, I'm sorry, everyone, this is going to be a two-parter. The good news for us though is that the next episode's script is already mostly written. We'll talk about that next time.

Kip Boyle: Okay. All right, well, you did it again, you caught me flat-footed. I don't know when I'm ever going to get wise to your ways. But that wraps up this Part 1 episode of the Cyber Risk Management Podcast, and today we discussed the massive Notice of Proposed Rulemaking from the CISA that sets forth the rules under the Cyber Incident Reporting for Critical Infrastructure Act.

These rules will be finalized in about a year. So, we want you to get ready, and we'll talk about it again after it's final. But of course, it's going to be another episode where we go through some of the additional areas that you need to know about. Until then, we'll see you next time.

Jake Bernstein: See you next time.

Speaker 1: Thanks for joining us today on the Cyber Risk Management Podcast. If you need to overcome a cybersecurity hurdle that's keeping you from growing your business profitably, then please visit us at cr-map.com. Thanks for tuning in. See you next time.

YOUR HOST:

Kip Boyle
Cyber Risk Opportunities

Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).

YOUR CO-HOST:

Jake Bernstein
K&L Gates LLC

Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.