On April 7, 2022, the U.S. Cybersecurity & Infrastructure Security Agency (“CISA”) announced the publication of its Sharing Cyber Event Information Fact Sheet (“Fact Sheet”) intended to provide clear guidance to critical infrastructure owners and operators and government partners on voluntary information sharing about “unusual cyber incidents or activity.”  In its announcement, CISA explained that it will use the information provided to fill “critical information gaps,” deploy resources, analyze trends, issue warnings, and “build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure sectors.”

CISA’s announcement of the Fact Sheet encourages entities to visit its Shields Up website for more information; the Shields Up website was recently updated with guidance in response to the heightened risk of Russian cyber attacks.  The Shields Up website recommends that “all organizations—regardless of size—adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets” and provides detailed guidance that entities can use to protect themselves.

Overview.  The Fact Sheet urges critical infrastructure owners and operators and their government partners to undertake three overarching steps:  (1) observe the activity; (2) act to mitigate the threat; and (3) report the event.  The Fact Sheet also provides guidance on the types of activities that should be shared with CISA and the “ten key elements” that should be included in any incident report.

Types of Activities to Report.  The Fact Sheet explains that entities should report the following types of activities:

  1. Unauthorized access to a system;
  2. Denial of Service (“DOS”) attacks that last more than 12 hours;
  3. Malicious code on systems, including variants of the code, if known;
  4. Targeted and repeated scans against system services;
  5. Repeated attempts to gain unauthorized access to a system;
  6. Email or mobile messages associated with phishing attempts or successes; and
  7. Ransomware attacks against critical infrastructure, including the ransomware variant and ransom details, if known.

Elements of an Incident Report.  The Fact Sheet describes the “10 key elements” of an incident report, the first nine of which are considered a priority:

  1. Incident date and time;
  2. Incident location;
  3. Type of observed activity;
  4. Detailed narrative of the event;
  5. Number of people or systems affected;
  6. Company/organization name;
  7. Point of contact details;
  8. Severity of event;
  9. Critical infrastructure sector, if known; and
  10. Anyone else that was informed of the incident.

Reporting Mechanism and Post-Reporting Response.  The Fact Sheet provides multiple reporting mechanisms.  CISA encourages information sharing through its Incident Reporting Form or, alternatively, by emailing Report@cisa.gov and providing as much detail as possible.  The Fact Sheet further explains that CISA will triage the reports it receives and may share anonymized information about the activity with others.  It may also contact the reporting entity, using an official CISA account, for further details.

Additional Resources.  The Fact Sheet notes that CISA “partners with the Anti-Phishing Working Group . . . to collect phishing email messages, mobile messages and website locations to help people avoid becoming victims of phishing scams,” and phishing information can be shared with CISA through phishing-report@us-cert.gov.

Next Steps.  The publication of the Fact Sheet comes shortly after the passage of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”) which, once implemented, will establish mandatory cyber incident and ransomware payment reporting requirements for critical infrastructure entities.  CISA states in the Fact Sheet that it will undertake a rulemaking process to implement CIRCIA, but will continue to encourage voluntary information sharing about cyber-related events in the interim.  Critical infrastructure owners and operators may find it useful to review and familiarize themselves with these reporting mechanisms in advance of the implementation of CIRCIA, as these requirements may ultimately provide insight into the procedures that will be required under CIRCIA once it is implemented.

Ashden Fein

Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks.

Ashden currently serves as a Judge Advocate in the U.S. Army Reserve.

Moriah Daugherty

Moriah Daugherty advises clients on a broad range of cybersecurity, data privacy, and national security matters, including government and internal investigations, regulatory inquiries, litigation, and compliance with state and federal privacy laws.

As part of her cybersecurity practice, Moriah specializes in assisting clients in responding to cybersecurity incidents, including matters involving Advanced Persistent Threats targeting sensitive intellectual property and personally identifiable information. Moriah also assists clients in evaluating existing security controls and practices, assessing information security policies, and preparing for cyber and data security incidents.

As part of her litigation and investigations practice, Moriah leverages her government experience to advise clients on national security and law enforcement related compliance issues, internal investigations, and response to government inquiries.

Prior to becoming a lawyer, Moriah spent eight years working for the Federal Bureau of Investigation and U.S. Department of Justice.

John Webster Leslie

Web Leslie represents and advises emerging and leading companies on a broad array of technology issues, including on cybersecurity, critical infrastructure, national security, investigations, and data privacy matters.

Web provides strategic advice and counsel on cybersecurity preparedness, cyber and data security incidents, healthcare privacy and security, cross-border privacy law, and government investigations, and helps clients navigate complex policy matters related to cybersecurity, national security, and critical infrastructure protection.

In addition to his regular practice, Web also counsels pro bono clients on technology, immigration, and criminal law matters.

Web previously served in government in various roles at the Department of Homeland Security, including at the Cybersecurity and Infrastructure Security Agency (CISA), where he specialized in cybersecurity and critical infrastructure, public-private partnerships, and interagency cyber operations. He also served as Special Assistant to the Secretary of Homeland Security.