In a recent podcast interview with Cybercrime Magazine's Host, Heather Engel, Scott Schober, Cyber Expert, Author, and CEO of Berkeley Varitronics Systems, discusses the introduction of federal rules for reporting not only cybersecurity incidents but also ransomware payments for critical infrastructure operators. The podcast can be listened to in its entirety below.
Heather: Scott, welcome to the podcast.
Scott: Hey, great to be here with you, Heather.
Heather: Yep, always good to talk with you.
Scott: Definitely.
Heather: Today, we're talking about a recent article in the Wall Street Journal regarding Federal rules for reporting not only cyber incidents but also ransomware payments for critical infrastructure sectors. President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act, known as CIRCIA, into law in 2022, and the U.S. Cybersecurity and Infrastructure Security Agency has now published draft rules for what this will look like. Scott, can you start by taking us through this article?
Scott: Yeah, absolutely. It is certainly an important step that they're taking. So from the standpoint of what CISA's doing, and the director, Jenny Easterly. I certainly applaud it because taking steps for reporting this, it's really, gonna ultimately enhance America's cyber security, ultimately the nation's national security. And I guess they've been working on this for a while because initially, it was back in what? September 2022 that CISA kind of solicited input from the public as well as the private sector, all the different stakeholders, and in particular, as you mentioned, their critical infrastructure community as far as cyber incident, reporting and really tightening that gap requiring companies to report much quicker within 72 hours for substantial attacks is what they kind of classify it as, and then any type of ransom payments within 24 hours.
So that's pretty aggressive and pretty tight. And in part, I think, in the research I've done. It's kind of somewhat in line with the GDPR rules that are in place within Europe, and maybe some of that regulatory framework is what they're trying to parallel. So there's some consistencies with reporting and things. What has worked versus what hasn't worked, because I think the bottom line is what they're finding is most within the critical infrastructure are not reporting it in a timely fashion.
If we go back to the Colonial Pipeline and many other critical infrastructure-specific attacks. It took a very long time before really the government was fully aware of what happened, to what extent so they can actually provide assistance which they actually did, and helped get back a lot of the money that was paid out in that particular case. So I think, really, these are just the rules and regulations, but a tightening of it to get some organization, and it sets a pattern, I think, for businesses as well. There are some businesses that need to comply here, especially if the business is maybe tied in, it's got a critical need, and it supports national security or things of that nature. And that's important to remember, too. So it's not just if you're in the critical infrastructure, and you're managing sewage and electric and things like that. It goes outside that scope as well. So these are important rules that people need to understand.
Heather: The DoD has had something like this in place for several years for companies that do business in the Defense Industrial Base. They've had to report cybersecurity incidents within 72 hours, and that's been in place for several years now. So, what prompted the development of CIRCIA at the Federal level?
Scott: Well, I think especially because they're getting inundated with a lot of attacks and potential attacks within the critical infrastructure segment, and they're trying to support them, and it's really hard to support when you don't get timely information and don't get timely reporting. So it's smart that they're kind of aligning it with what already is in place and mandated through the US DoD community. And it's going to be a challenge, it's gonna take some time to get everybody up to speed, but I think if you don't put some of these goalposts out there, it'll just never happen, and it'll drag on. Critical infrastructure will receive an attack or a threat, and it really is serious. They don't even realize how serious it is, and months may go by, and sometimes the damage is done, and that becomes a serious issue. So I think just really trying to align things and bring it all in. So everybody's kind of on the same page, and it also educates everybody what is considered a substantial cyber-attack. A lot of people don't understand that. So the more they get the sense of that, I think they'll be able to respond in a timely fashion, and they'll know what's expected of them as this draft becomes more finalized and becomes something that people have to actually act upon.
Heather: So this rule so far only applies to critical infrastructure companies. Can you take us through some of the sectors that this includes? And why doesn't it just apply to every company?
Scott: It does really focus in on what we call critical infrastructure, but that's a pretty wide scope, too, because a lot of times we think of that as some of us just mentioned before, like, "Oh, that's our electric or our gas, or sewage, or water," and that is all true. However, it does hit other verticals as well that are really important. If you think about logistics, think about rail. The rail industry and alone is moving so many goods. Our business is tied into that. So we, in fact, have to actually fall under this as well and report because we're considered a critical business supporting the rail industry, which is critical. So it's kind of interesting how other companies branch out. So it affects a lot of actual companies, with exception of really small businesses that don't qualify. If they have really small employee counts, small revenue, there are certain exemptions, and if a company is not sure, they could certainly reach out and talk to CISA and get a better understanding of what's required of them or not. But there's a lot of verticals, and it does consume many different areas there. So I think that's an important factor.
We'll be right back after a quick word from our sponsor.
Cimcor develops innovative next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes.
Securing your infrastructure with CimTrak helps you get compliant and stay that way.
You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
And now, back to the podcast.
Heather: So, one of the things that I think is unique to this rule that the DoD rules don't have is a requirement to report ransomware payments. How will CIRCIA impact critical infrastructure companies and their reporting practices? And do you think the requirement to report a ransomware payment will have an effect on companies' decision as to whether or not to pay?
Scott: That one is a little fuzzy. My personal opinion on it - It's a little bit aggressive. And why do I say that? Because within the nuances of a ransomware attack, specifically, there are other things that need to be considered. One of them is the negotiation stage. So if you find out you're a victim of ransomware, it takes time to kind of do the digital forensics, as it were, going through your network, finding out how did this happen? What specifically happened? What can we do? To sure it up before things get worse? That can't always happen within a short period of time. So if now, you're reporting what happened, and you're kind of spotty on the information, and you're getting that stuff together, you're focusing on reporting it. You're not doing your due diligence to prevent things from getting worse. And it puts you in a bad position, too, from a negotiation standpoint because oftentimes, groups, and this could be critical infrastructure or even a small business or business that falls under that that's considered critical, will typically bring in experts, third parties from a cyber security perspective. But they're also going to bring in legal and likely insurance companies who will negotiate in part for them to reduce the ransom payout. You give too much tell to where you are and what happened. Guess what? The bad guys read the headlines in the media just as we all do. So it's gonna help them. Say, we've got some leverage here, let's hold out. Let's do this. Let's do that, because they're trying to get the big guys to help back, so it could be a little bit dangerous. So the 24 hours may be a little bit aggressive. I would like to see that a little bit longer, so they could really properly assess and perhaps negotiate the situation so it doesn't get worse. But again, that's just my opinion.
Heather: So one of the reasons cited for this rule is to help identify targeted adversarial activity, which basically means we're looking for attack patterns, indicators of attack. What role does CISA play in analyzing incident data and then ultimately sharing information with other entities?
Scott: You make a great point. That's one of the most important things about this whole thing is they're gathering this information from the field in a sense from different critical infrastructures and companies that are getting these serious, substantial cyber attacks and ransomware attacks in particular. That data comes back to them, and that allows them to say, "Oh, okay, wait a minute. This looks like a state-sponsored attack. Here's the particular of malware for this ransomware attack, and we happen to have the decryption keys, maybe," and that allows them to in turn, respond. Imagine they hit 3 or 4 different critical infrastructures simultaneously, and it's a nation-sponsored attack. Well, guess what? CISA can now go in there and say, "Hey, we got the decryption keys, keep the water flow, and keep the electric on. Do not pay the ransom. Let's do these things to short it up. So it doesn't happen again." And all of that information that they gather is evidence so they could go after the bad guys.
So it's really important, the sharing of information, and in turn to the second part of what you were saying. When they learn all these things quickly, that they, in turn, share this information back to other critical infrastructure that maybe hasn't been targeted so they can have their defenses up. So they can really be alerted. This might happen. Be prepared. Here's what you should do beforehand. Hey - Back up your data. Hey - do this, do that. It's really important. So, I think it works on both sides of the pre and post of these cyber incidents.
Heather: Right, and sharing information across these sectors, like you said, can really provide some advance warning to maybe some of the sectors or companies that haven't been hit yet.
Scott: One additional thought I had just in closing here: I think what's important, too, that companies have to realize they must really comply with this. If they don't comply, then actually, CISA can pursue administrative penalties. It sounds kind of silly, but they really want everybody on board, and that's an important factor, I think. If a ransom's paid and they're not reporting it, or, again, a substantial cyber attack happens, and not sharing that information, they may take it to the next level. They may actually go out and get a subpoena and go after somebody. Hopefully, that doesn't happen, and companies and those in the critical infrastructure space are willing to comply and be an open book and share this information because, ultimately, it's really going to be about the safety of all of us.
Heather: Well, I think this has been a really interesting conversation. Definitely news that everybody needs to hear, Scott thanks for being on the podcast
Scott: Thanks again for having me on.
