Senate Bill Requires Critical Infrastructure Organisations To Report Cyberattacks – Security Expert Comments

BACKGROUND:

The U.S. Senate has just introduced a bipartisan bill that requires critical infrastructure operators, such as banks and energy companies, to report cyberattacks within 72 hours. 

Other organisations such as state and local governments and businesses with more than 50 employees would also be required to report any ransoms paid following an attack to the federal government within 24 hours of payment.

Top security officials CISA Director Jen Easterly and National Cyber Director Chris Inglis attended a committee hearing last week to support a draft version of the measure.

The Senate bill comes after the House of Representatives passed a similar measure in the fiscal 2022 National Defense Authorization Act (H.R. 4350) on September 23. The House bill, however, does not require ransomware payments to be reported.

Expert Comments

September 30, 2021
George Daglas
COO
Obrela Security Industries

The mandatory reporting of cyber-attacks is a sensitive area, because many organisations do not want to expose the attacks they are facing to government.

While the move is positive, because it provides intelligence to other industrial organisations so they can prepare for attacks, it does have a downside. The objectives of an organisation that has suffered a cyberattack are often very different from the objectives of the government. The government wants as much information as possible to catch the culprits, while the victim often just wants to get back online and operating again, even if it means paying a ransom demand.

Reporting all breaches is a good idea in theory but getting it into action will take a lot of effort. Industrial organisations face a near constant barrage of attacks, some small, others much more significant. The types of attacks that need to be reported will need to be clearly defined before this legislation comes into force.

September 30, 2021
Ron Bradley
VP
Shared Assessments

My sincere hope is this piece of legislation doesn't come as a surprise to organizations, particularly those in critical infrastructure. Having a well documented incident response plan, which is tested on a regular basis, is a crucial component to good cybersecurity hygiene. It would be unwise for any company to contemplate paying a ransom without first contacting the FBI. In fact, knowing who to contact at the FBI and establishing that relationship ahead of time is extremely important.

The same thing holds true with the Cybersecurity and Infrastructure Security Agency (CISA). Any incident response program associated with critical infrastructure must have clear and complete processes for contacting government agencies in the event of a major ransomware attack, including the potential of paying the ransom.

September 30, 2021
Nasser Fattah
Executive Advisor
Shared Assessments

There has been eager anticipation for the government to intervene and play a bigger role in cybersecurity attacks, particularly with critical infrastructures. Ideally, as the government gets timely information related to a ransomware attack, including any payments, then it can formulate an overall response that can best serve businesses of all shapes and sizes.  It is also important to include in the Act very clear and understood definitions for key terms, including incident.

September 30, 2021
Bill Lawrence
CISO
SecurityGate

Whatever the final reporting timelines will be, the proposed legislation is a great deal of “stick” and hardly any “carrot” for owners and operators of critical infrastructure. Wouldn’t it be great for the US Government to be able to say, “report a ransomware attack to us BEFORE you pay any ransom, and we’ll bring the full power of the Federal government to bear to help resolve the incident, decrypt your files, and siphon whatever is already in the criminals’ bank accounts?” (Sure, I dream….) Instead, US victims are threatened with subpoenas and civil action and the government will write more quarterly reports, among other things.

September 30, 2021
Tyler Farrar
CISO
Exabeam

Critical national infrastructure (CNI) is at the top of the target list for adversaries, given the impact if successful -- even in part.  

The need to understand and baseline normal critical asset/system posture is absolutely key in protecting critical infrastructure to prevent a breach from even occurring in the first place. Regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk. We’ve got to ensure we’re monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality -- regardless of how small -- should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale.

Working smarter with automation technologies in managing large volumes of data streams, analyzing them for anomalies and reporting risk and attacks in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical.

September 30, 2021
Danny Lopez
CEO
Glasswall

The senate bill to mandate reporting cybersecurity incidents and ransomware payments is a crucial step in combating the wave of major cyberattacks we have seen in the last two years. While the U.S. government appears to have decided against making ransomware payments illegal, this disclosure structure should still play an important role in encouraging organisations to be proactive rather than reactive in regards to cybersecurity. 

This latest policy move, plus the administration's earlier executive orders (EOs) on the subject, show that federal cyber leaders are pushing for a more secure future for the U.S. Previous EOs have emphasised the importance of stronger multi-factor authentication and encryption, which we applaud. These are critical elements in an effective cybersecurity stack, but an overarching zero trust approach will take businesses’, government agencies’ and critical infrastructure organisations’ proactive protection to the next level. 

Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. Without a zero trust approach, organisations run the risk of attackers having free rein across a network once they are inside. If more security teams turn to this approach, fewer attacks and payments will need to be reported.

September 30, 2021
Neil Jones
Cybersecurity Evangelist
Egnyte

With the escalating volume of ransomware attacks and ballooning ransom payments, it's clear that current approaches to addressing ransomware just aren't working. So, I'm excited to see bipartisan support for this proposed measure that will require financial institutions and critical infrastructure operators to promptly report cybersecurity incidents and ransomware payments to the federal government. 

It is especially reassuring to see a CCPA or GDPR-style incident reporting timeframe of 72 hours, so that organisations in those industries will no longer be able to delay reporting of potential data breaches for months and months, without informing the government. Finally, I'm reassured to see that organisations in industries that haven't traditionally invested significantly in IT security such as non-profit organisations, small- and medium-sized businesses (SMBs) and local governments will be required to report potential ransomware payments.

September 30, 2021
Garret F. Grajek
CEO
YouAttest

The CISA is in information gathering mode. By requiring almost all organizations to report incidents of ransomware and collating this information, the CISA can start determining the real extent of the threat. Once this information is collated, many believe more stringent cybersecurity requirements are expected to follow, like the CMMC (Cybersecurity Maturity Model Certification) mandates for U.S. DoD contractors.

September 30, 2021
Tom Garrubba
Senior Director and CISO
Shared Assessments

I applaud and welcome the US Congress for taking such action, as cyber security threats against our infrastructure morph, grow, and intensify. Organizations historically (and rightly) don’t want to air their dirty laundry in public (i.e., a cyber incident), however, not sharing such details with federal authorities in a timely manner diminishes the country’s ability to leverage federal and even international resources and greatly reduces any response time required for countermeasures.

September 30, 2021
Saryu Nayyar
CEO
Gurucul

The United States Senate is considering a bill to open the window on ransomware and other hacking attacks on many organizations. The penalties for non-compliance are weak, so even if the bill is signed into law, don’t count on immediate and total compliance.

Transparency is almost always better than secrecy. In the case of ransomware attacks, the inclination of organizations is to keep attacks and ransomware payments private, to not publicize weakness.  Nevertheless, disclosure helps everyone understand the nature of the threat, and gives organizations the opportunity to share detailed information and work together to combat existing and future threats.  In this regard, this bill is a step, albeit small, in the right direction.

September 30, 2021
Dr. Chenxi Wang
General Partner
Rain Capital

Most businesses and organizations lack the skills, tools, and experienced personnel to accurately determine or validate that a covered incident has occurred without assistance or outside investigation.  It is not clear that 72 hours is a sufficient period of time for an organization to report an incident to CISA versus a focus on comprehensive assessment, validation, isolation, and remediation of the potential incident to reduce the risk of further damage.  In addition, the disclosure of an incident that is ongoing or still being actively investigated may lead to unintended consequences such as the perpetrators covering their trails or inadvertently making the breach more difficult to remediate.

September 30, 2021
Doug Britton
CEO
Haystack Solutions

At Haystack Solutions, we fully agree that our national cyber defense is of the highest importance. Our country has been slow to respond in a comprehensive manner to a growing threat. Now, after high-profile attacks that have impacted Main Street, we find newly proposed legislation.

Unfortunately, this appears to be a clumsy approach to penalizing victims of cyber-attacks. It appears the motivation of this legislation is to hold attackers accountable, yet the "how" is not apparent. There are many details left to be sorted out by CISA. Reporting a breach in 72 hours can be challenging, as there needs to be sufficient time to validate flags and ensure the breach is real (e.g. T-Mobile). Also, what constitutes a reportable breach? With penalties so high, an appeal process will surely be on the horizon. At this time, it appears to be heavy on the "stick" and light on the "carrot".

Congressional efforts could be spent in more productive ways. The real focus needs to be on building our collective defense with a preventative posture.  Can we establish industry standards to ensure that basic and highly effective protections are put in place? We have modern policies and procedures, many of which are highly effective in preventing data breaches. Can we consider legislation that would encourage companies to adopt policies akin to financial accounting that could be audited and enforced by regulators? 

What investment is going into developing the next generation of cyber security professionals? Our cyber defenses are woefully behind as indicated by a severe shortage in cyber talent. We have the tools to pull more folks into the industry. We need to push full steam ahead by developing a significant pipeline of cyber security talent. Despite this legislative attempt, these battles will be won with world-class teams rather than reporting penalties. 

Even with full deterrents in place, hackers, organized crime, nation state actors, and nebulous attack groups will remain ever present. Attempts to hold them accountable in the short-term will not become the "deterrent" we think it will be. Building talent from the four corners of our nation will be the strongest course forward. We need to remain focused on that tack.
