Not all cyber incident data is created equal
November 15, 2022
Earlier this year, we welcomed in the United States’ first-of-its-kind critical infrastructure cyber incident reporting mandate. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) became law after a decade of hard work to negotiate the right balance between the desires of government and the private sector—government wanting corporate incident information for a more complete cyber threat picture, and the private sector expressing concerns about the risks of sharing that information.
But in some ways, the real work has just begun—especially for the Cybersecurity and Infrastructure Security Agency (CISA). Congress set out some use limitations and liability protections within CIRCIA and left much of the detail to be handled by CISA’s rulemaking process, including defining exactly which organizations have to report and what the report should include.
Recently, CISA asked the public for feedback before it publishes those new rulemaking proposals. The approach got us thinking: as two practitioners who spend our days (and often nights) gathering threat intelligence and responding to cyber incidents around the world, if we were in CISA’s shoes, what would we want organizations to share—and what would we do with that information?
Oversharing can hamper governments. For near-term reporting (the law requires a report within 72 hours), just as in an incident response scenario, the priority should be to get the facts as they are known at the time, so that they can help piece together the bigger picture.
In the first 72 hours, an organization experiencing a cyberattack may have some initial answers to the who, what, where, when and how behind the incident. Who experienced it? What happened, and what type of cyberattack was it? Where on the systems did it occur? There may also be some initial evidence of the tactics that the threat actor used successfully. The organization may be clear about the initial impact on its operations but not yet have enough information to understand the full scope.
The most important aspect here is not to speculate. What’s needed is a narrative statement of what happened and the impact as it is known in that moment. This avoids drawing conclusions or wondering about the other “who” involved—that is, the identity of the threat actor. In our experience, organizations fixate on answering this question, when in reality, it’s a distraction from the priorities at hand.
After providing all the important information about what they’ve observed, we’d want the organization to tell us what they’ve already done and what they’re going to do next. If we were CISA, we’d want to know which agencies the organization has already notified so we could help make sure that all relevant parties who can assist are informed. Ideally, agencies can use that information to coordinate among themselves and help reduce some of the reporting burden for the organization while it’s dealing with the aftereffects of the attack.
Having a central repository for all incident data clearly offers government a more complete picture of the cyber threat landscape. It also means that CISA can not only more quickly warn other organizations that could be affected about a possible attack in the immediate term, but also analyze the data to find trends in threat actors’ actions—and potentially identify future threats.
But it’s a two-way street. In exchange for their efforts to report on cyber incidents, industry players could expect, not unreasonably, that government provides more timely, actionable data to them in return. In particular, organizations should look for more indicators of compromise (IOCs) from near real-time events. What’s more, if CISA is seeing meta trends with similar IOCs, then it can collaborate with the industry players too—sharing specific, actionable information and countermeasures and providing resources to help them work through the alerts and improve cyber resilience quickly.
As much as CISA may want to encourage this kind of collaboration, it is far from simple in practice. CISA will need to weigh other important considerations with its partner agencies that may have different priorities or other concerns with publicly releasing information, such as potential impacts on law enforcement or intelligence investigations. Inevitably, there will be times when decisions have to be made for the greater good. It may need to hold back from sharing information to prevent sophisticated attackers from realizing they’re being watched, closing up shop and erasing their footprints. The situation demands patience. The private sector should give government some breathing space to improve protocols around these matters.
However the new rule evolves, the aims of the law will be best achieved with transparency. CISA’s rule should be as clear as possible about which organizations are covered, what their responsibilities are and what needs to be shared. Organizations that struggle to understand the law’s requirements, or worse, don’t know whether they’re working within it, could contribute to CISA failing to get the information it needs to operate successfully. Once this information cycle works efficiently—with information coming in to CISA and quickly flowing back out to inform a broader, potentially at-risk community—there’s no doubt that we could all be safer for it.
Copyright © 2022 Accenture. All rights reserved. Accenture and its logo are trademarks of Accenture. This content is provided for general information purposes and is not intended to be used in place of consultation with our professional advisors.