[BreachExchange] Senate passes major cybersecurity legislation to force reporting of cyberattacks and ransomware

Terrell Byrd terrell.byrd at riskbasedsecurity.com
Thu Mar 3 10:15:15 EST 2022


https://www.msn.com/en-us/news/politics/senate-passes-major-cybersecurity-legislation-to-force-reporting-of-cyberattacks-and-ransomware/ar-AAUwFE0


The Senate on Tuesday passed major cybersecurity legislation, moving one step
closer toward forcing critical infrastructure companies to report
cyberattacks and ransomware payments.

The passage comes as federal officials have repeatedly warned of the
potential for Russian cyberattacks against the United States amid the
escalating conflict in Ukraine.

The legislation, which still has to pass in the House, would require
critical infrastructure owners and civilian federal agencies to report to
the Cybersecurity and Infrastructure Security Agency within 72 hours if
they experience a substantial cyberattack.

It would also require critical infrastructure companies to report
ransomware payments to the federal government within 24 hours.

"As our nation continues to support Ukraine, we must ready ourselves for
retaliatory cyber-attacks from the Russian government," Democratic Sen.
Gary Peters of Michigan, who was the co-author on the package of bills,
said in a statement, noting that online attacks have the potential to
disrupt the economy, drive up gasoline prices and threaten supply chains.

The reporting requirements were introduced in the Senate after several
high-profile cybersecurity and ransomware incidents put pressure on
lawmakers to better protect critical infrastructure and discourage attacks.
Last May, a ransomware attack on Colonial Pipeline prompted the company to
shut down thousands of miles of pipeline and led to increased prices and
gas shortages. That incident was followed several weeks later by a
cyberattack on a major US meat producer, highlighting the impact ransomware
can have on vital services in the US.

Peters said that the "landmark, bipartisan bill" would ensure that CISA is
the lead agency helping critical infrastructure operators and the
government respond to hacks.

The Strengthening American Cybersecurity Act, which combines language from
three bills, would also require the government to take a risk-based
approach to cybersecurity and would authorize the Federal Risk and
Authorization Management Program (FedRAMP) to ensure federal agencies can
adopt cloud-based technologies.

"This is a very substantial piece of cyber legislation," Padraic O'Reilly,
co-founder of the cyber risk firm CyberSaint, told CNN.

O'Reilly said the current geopolitical landscape has made the legislation
"significantly less controversial" as the US braces for a potential
cyberattack from Russian actors.

The "risk-based" cybersecurity requirements for the federal government
"jumped out," he said of the legislation.

A risk-based approach weighs the likelihood of an adverse event and the
impact it would have, and uses that assessment to decide where security
spending does the most good.

The legislation would require federal agencies to use this approach, which
would likely spill over into the private sector, said O'Reilly.

"To see that risk-based approach written into law ... is really quite
powerful," he said.

The 72-hour reporting deadline raised concern for some companies, according
to Danielle Jablanski, an operational technology cybersecurity strategist
at Nozomi Networks, who noted that information sharing may not be the top
priority in a crisis. The focus instead might be on safety and critical
operations, she said.

"The deadline is difficult, because there's so many priorities at stake,"
Jablanski said, adding that the legislation doesn't holistically help
critical infrastructure owners and operators prioritize everything that's
at stake during an attack.

However, she said the government is in the best position to encourage
information sharing that can benefit multiple companies and industries.

Several members of the US House of Representatives, including Democrat
Yvette Clarke and Republican John Katko, both of New York, are working with
Peters and GOP Sen. Rob Portman of Ohio to pass the bill in the House.

Portman also said he is concerned about retaliatory cyber and ransomware
attacks from Russia as the US "rightly" supports Ukraine.

"The federal government must quickly coordinate its response to potential
attacks and hold these bad actors accountable," he said in a statement.

During her first congressional hearing after taking office, CISA Director
Jen Easterly called for cyber incident reporting to help victims of hacks,
as well as to analyze the information and share it more broadly to see if
similar intrusions are found elsewhere.

"We absolutely agree it's long past time to get cyber incident reporting
legislation out there, and we're excited to work with you on this,"
Easterly told Peters in September.