CISA’s CIRCIA Asks A Lot of Critical Infrastructure

4–29–2024 (Monday)

Hello and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for growth stage companies, investors, and management teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, April 29, 2024, and I had someone say that beyond the mustache, all I needed was a camouflage hat, so I dug one out of the sample run and here you go.

The big news of the week is continued discussion about CISA’s proposed CIRCIA requirements - CIRCIA, of course, being the Cyber Incident Reporting for Critical Infrastructure Act of 2022.

While the proposal itself wasn’t released last week - it dropped on April 4, 2024 - maybe the reason folks are only just now starting to talk about it is because it took them most of a month to read it!

The proposed rule - available in the Federal Register and open for comment until June 3 - is hundreds of pages with dozens of requirements, but boils down to this:

For entities in a critical infrastructure sector (of which there are 16, including financial services, healthcare, technology, communication, energy, food & agriculture, water, etc.), the rule would require reporting a “covered cyber incident” that is “substantial” within 72 hours, and reporting a ransomware payment within 24 hours of making it.

The report needs to include some interesting details - including a section called “vulnerabilities, security defenses, and TTPs” as well as “information on the identity of the perpetrator” and any “mitigation / response” activities.

Because they’ve been a hot topic since 2022, there are additional details required around ransomware payments, including: whether exfiltrated data was returned or decryption provided after payment; and details of the demand and payment, including type of currency, payment instructions, and the amount demanded.

All of this, of course, is well-meaning and will take a tremendous amount of effort for these 16 Sectors to implement (though there are some exceptions for smaller firms; the rule targets those larger than the SBA’s “small” size standard). The report itself notes a cost of $2.6 Billion over 11 years, impacting an estimated 316,000 entities who would need to comply - a number which I find woefully low.

In fact, the Congressional Research Service and CISA themselves “recognize a great deal of uncertainty in both their calculation for affected entities and their costs.”

CRS notes that cybercrime in the US is trending dramatically upwards - $220B in 2022, $320B in 2023, and an estimated $452B in 2024 - reaching $1T/year in 2027.

So if we’re looking at $2.6B over 11 years to implement CIRCIA, we’re looking at roughly $9T in cybercrime over the same time at the current rate.

Percentage-wise, that’s just over a quarter of a percent.

Which is pathetic when you compare it to the impact.

That “cost” number could rise 1000-fold and still not even reach 1/3rd of the impact of the cybercrime. We watched Wonka recently, so this idea of the Oompa Loompas’ thousand-fold payback is top of mind.

But all of this, I think, raises the question of what we in industry should be expecting of government in these situations - and whether it’s enough.

While CISA can’t run the networks for every entity in the 16 Critical Infrastructure Sectors, there are plenty of functions that industry can’t perform but government can - including law enforcement, diplomacy, and military / intelligence functions.

When we look at the proposed rule, the cost, and the impact that cybercrime is having - including the note from our friends at Change Healthcare that they’ve now lost healthcare data on “a substantial portion of people in America,” including 15 million Veterans - I don’t think we’re amiss in asking our government(s) to do more.

While the recent LockBit “takedowns” have resulted in a decryptor release and some seized crypto, it only netted two arrests. Sanctions and charges and indictments and rewards of $15M don’t seem to be cutting it.

If the government is going to ask more of our critical infrastructure, we should also feel equipped to ask more of it. This public/private partnership is needed to serve as the foundation of tackling what may very well be the problem of our generation - and while it’s not going to change overnight, or with any one effort, we’ve got to get started and deserve to see some progress.

Fundraising

From a fundraising perspective, it was a very light week: we clocked just under $11B in newly committed capital, with a couple of larger, multi-billion-dollar announcements, but also some other interesting notes, including a tidbit that Shasta Ventures failed to get LP approval for a continuation fund, and that not one but two “single-asset extension funds” were announced.

Hold periods continue to extend, which adds risk - whether from the market or from cybersecurity - as that next transaction continues to be somewhat of a brass ring we just can’t quite grasp.

You can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.cisa.gov/topics/critical-infrastructure-security-and-resilience/critical-infrastructure-sectors

https://crsreports.congress.gov/product/pdf/R/R48025/1

https://cyberscoop.com/stolen-change-healthcare-data-could-contain-information-on-a-substantial-portion-of-americans/

https://www.chiefhealthcareexecutive.com/view/change-healthcare-cyberattack-va-notifies-15-million-veterans-about-breach

https://www.bleepingcomputer.com/news/security/us-offers-15-million-bounty-for-info-on-lockbit-ransomware-gang/
