Why Critical Infrastructure Sectors Should Provide Data to the Government during the CIRCIA Rulemaking Process

By CHHS Extern Jacquelyn Creitz

More than one year ago, Colonial Pipeline, America’s largest fuel pipeline, which carries 100 million gallons of fuel a day, paid a ransom of nearly $5 million in cryptocurrency. The May 2021 cyberattack that led to the ransom caused Colonial Pipeline to stop operations for 5 days, creating mass fuel shortages along the East Coast. The ransomware attack encrypted Colonial Pipeline’s data, disabling its computer network. Ultimately, Colonial Pipeline paid the ransom to the DarkSide ransomware actors in exchange for a decryption tool that should have allowed the Pipeline to regain access to its data and restart operations. However, the decryption tool was not fast enough, so Colonial Pipeline used its own data backups to restore its networks, which caused the shutdown to last longer than anticipated. Due to the multi-day shutdown, Washington D.C. and 17 states issued emergency declarations, and the federal government, along with state governments and the public, acknowledged the immediate need for a law addressing how critical infrastructure sectors should handle cyberattacks, specifically ransomware.

Ransomware is a type of malware that encrypts device files, forcing file owners to pay a ransom in exchange for the decryption of their data. According to Homeland Security and Government Affairs Committee Chairman Gary Peters (D-MI), “ransomware attacks have caused significant disruptions to daily life and impose serious economic costs.” According to the FBI’s Internet Crime Report, in 2020 there were 2,474 ransomware complaints from the American public resulting in over $29.1 million in losses. As a result of the increase in ransomware attacks, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was drafted and signed by President Biden in March 2022.

Originally authored in October 2021 by Senator Peters and Senator Rob Portman (R-OH), CIRCIA is a direct response to the uptick in ransomware attacks, including the 2021 Colonial Pipeline attack. CIRCIA requires covered entities to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after the entity “reasonably believes the incident occurred” and within 24 hours after the entity makes a ransomware payment. CIRCIA also directs CISA to define “covered entities” such that the definition includes the 16 critical infrastructure sectors listed in Presidential Policy Directive/PPD-21. Since CIRCIA rulemaking by CISA is ongoing, it is likely that CIRCIA will not go into effect for at least a year. However, entities should provide information as requested by the government to ensure that CISA appropriately defines covered entities and creates rules that prevent ransomware attacks and lessen the threats they pose.

To highlight CISA’s need for entities to provide it with information, and to fully comprehend the threat of ransomware attacks, Chairman Peters held a committee hearing on June 7th, 2022. The hearing’s purpose was to discuss the need for better data from industry and stakeholders, and to obtain valuable information from industry experts to assist in the quick and efficient execution of CIRCIA.

Expert witnesses at the hearing included Megan Stifel, Chief Strategy Officer for the Institute for Security and Technology; Bill Siegel, Chief Executive Officer for Coveware; and Jacqueline Burns Kovenn, Head of Cyber Threat Intelligence for Chainalysis. All three witnesses applauded the new CIRCIA reporting requirements while also emphasizing the need for consistent data collection from reported ransomware attacks. They also acknowledged the unique nature of ransomware attacks: they are usually financially motivated, but may also stem from geopolitical objectives and can pose national security risks. To combat the risks of ransomware attacks, as Ms. Stifel states, the “scope and quality of information about ransomware incidents must improve” because this “will better equip governments and stakeholders in developing [an] international strategy to reduce ransomware on a global scale.” Specifically, information obtained from entities reporting ransomware attacks is essential while CIRCIA is undergoing the rulemaking process. CISA will use this information to create the rules and definitions needed to implement CIRCIA.