The U.S. Senate has just introduced a bipartisan bill that requires critical infrastructure operators, such as banks and energy companies, to report cyberattacks within 72 hours.
Other organisations such as state and local governments and businesses with more than 50 employees would also be required to report any ransoms paid following an attack to the federal government within 24 hours of payment.
Top security officials CISA Director Jen Easterly and National Cyber Director Chris Inglis attended a committee hearing last week to support a draft version of the measure.
The Senate bill comes after the House of Representatives passed a similar measure in the fiscal 2022 National Defense Authorization Act (H.R. 4350) on September 23. The House bill, however, does not require ransomware payments to be reported.
The mandatory reporting of cyber-attacks is a sensitive area, because many organisations do not want to expose the attacks they are facing to government.
While the move is positive, because it provides intelligence to other industrial organisations so they can prepare for attacks, it does have a downside. The objectives of an organisation that has suffered a cyberattack are often very different from the objectives of the government. The government wants as much information as possible to catch the culprits, while the victim often just wants to get back online and operating again, even if it means paying a ransom demand.
Reporting all breaches is a good idea in theory, but putting it into action will take a lot of effort. Industrial organisations face a near-constant barrage of attacks, some small, others much more significant. The types of attacks that need to be reported will need to be clearly defined before this legislation comes into force.
CISA is in information-gathering mode. By requiring almost all organizations to report incidents of ransomware and collating this information, CISA can start determining the real extent of the threat. Once this information is collated, many believe more stringent cybersecurity requirements will follow, like the Cybersecurity Maturity Model Certification (CMMC) mandates for U.S. DoD contractors.
I applaud and welcome the US Congress for taking such action, as cyber security threats against our infrastructure morph, grow, and intensify. Organizations historically (and rightly) don't want to air their dirty laundry (i.e., a cyber incident) in public; however, not sharing such details with federal authorities in a timely manner diminishes the country's ability to leverage federal and even international resources and greatly reduces any response time required for countermeasures.
My sincere hope is that this piece of legislation doesn't come as a surprise to organizations, particularly those in critical infrastructure. Having a well-documented incident response plan, which is tested on a regular basis, is a crucial component of good cybersecurity hygiene. It would be unwise for any company to contemplate paying a ransom without first contacting the FBI. In fact, knowing who to contact at the FBI and establishing that relationship ahead of time is extremely important.
The same thing holds true with the Cybersecurity and Infrastructure Security Agency (CISA). Any incident response program associated with critical infrastructure must have clear and complete processes for contacting government agencies in the event of a major ransomware attack, including the potential of paying the ransom.
There has been eager anticipation for the government to intervene and play a bigger role in cybersecurity attacks, particularly those on critical infrastructure. Ideally, as the government gets timely information related to a ransomware attack, including any payments, it can formulate an overall response that can best serve businesses of all shapes and sizes. It is also important to include in the Act very clear and well-understood definitions for key terms, including "incident".