CISA: “We don’t stab the wounded.”

Jen Easterly, Director of the U.S. Cybersecurity and Infrastructure Security Agency (“CISA”), repeatedly emphasizes CISA’s cooperative approach with the U.S. private sector. During her interview with Sidley’s Alan Raul on April 13, 2022, Easterly emphasized that CISA’s role was not to “name, blame, shame, or stab the wounded” victims of cybersecurity incidents. Instead, she described the Agency as a coequal partner with the private sector in securing U.S. infrastructure. She stated that CISA also desires to partner with other agencies, operating as the “front door” to federal agency support and cybersecurity resources. During the Raul interview, she also provided insight into the Agency’s perspective on the newly enacted Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).

Much of the nation’s infrastructure is privately owned, Easterly noted, rich in research and other coveted information, yet often poor in resources. CISA offers readily available expertise and resources. Indeed, CISA is uniquely positioned to offer this assistance to the private sector because it does not act as the primary regulator of the victims of cyber incidents. However, attributing much of the current “badness” in “cyber land” to poor cybersecurity, she emphasized that CISA’s aim is to rally the community to remediate cyber vulnerabilities. For example, she noted that the Agency’s vulnerability scoring system and exploited vulnerability advisories can be a useful guide to the private sector as it prioritizes its cybersecurity IT hygiene and its remediation obligations.

Easterly also provided insight concerning the newly enacted CIRCIA (while also expressing her preference that the acronym be pronounced “SEAR sha”). Easterly pointed out that CISA remained the appropriate agency to receive reporting mandated by CIRCIA, having been the lead federal agency for reporting since 2015. CISA, she added, will coordinate with other federal agencies to create a coherent ecosystem, capitalizing on the differing authorities and skills of various federal authorities to address cyber threats. “One of our best superpowers is our ability to share information very expansively while protecting privacy, civil liberties and liability,” she added. Noting that CISA has no subpoena power to collect documents from victims, Easterly emphasized that the agency intended to act as “a safe learning environment” for victims of cyber incidents. She added that mandatory reports required by CIRCIA will not be subject to Freedom of Information Act (FOIA) disclosure obligations.

Critically, with respect to the reporting mandates in the Act, Easterly said that the private sector should begin now to set up an internal communication structure for reporting discovered vulnerabilities, also noting that no one will be given “absolution” from the reporting obligations mandated by the Act. The private sector should also look for opportunities to contribute to the Agency’s planned listening sessions as it builds out the forthcoming regulations. She added that the applicable rulemaking agencies intend to move quickly through the rulemaking process.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.