The Senate passed a piece of legislation on Tuesday, detailing new cybersecurity measures that would force businesses to report cyberattacks and ransomware payments. The Strengthening American Cybersecurity Act aims to continue the Biden administration’s effort to make both the public and private sectors better defended online. With the act passing through the Senate, it will now head to the House for voting.
The act, composed of three separate bills, would require critical infrastructure organizations to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a substantial cyberattack. In addition, those who make ransomware payments would be required to report the payment to CISA within 24 hours. The 200-page act’s main goal is to update the federal government’s cybersecurity posture in response to the United States’ support of Ukraine in its war with Russia.
“Since the Colonial Pipeline ransomware attack, the government has been in a reactionary course to pass legislation relating to cybersecurity to protect various private supply chains that impact the critical infrastructure of the United States,” said James McQuiggan, security awareness advocate at KnowBe4. “However, what is yet to be determined is the specific incidents that organizations will need to report, the timeframe required, in other words, the time from when the organizations classify an event as an incident, and which types of incidents. Regarding ransomware attacks, will it be based on a dollar amount or system impacted amount? CISA has to develop these requirements, but it will require organizations to shift their incident handling procedures to address the new laws set forth.”
The move towards cloud-based technologies was another focus of the act following several ransomware attacks; the legislation also attempts to streamline how critical infrastructure operators and the government respond to cyberattacks going forward.
The industries most affected by the potential passing of this bill are as follows:
- Commercial facilities (hotels, arenas, convention centers, commercial real estate)
- Critical manufacturing (machinery, electrical equipment, transportation equipment)
- Defense industrial bases
- Emergency services
- Financial services
- Food & agriculture
- Information technology
- Nuclear reactors
- Water and wastewater systems
How does this affect businesses?
Just one example of an industry that could be affected by the passing of this bill is businesses within the energy market. These enterprises have already seen the potential effects of a cyberattack in the Colonial Pipeline attack last May. In that attack, a hacker group’s ransomware locked up the company’s systems, and the attackers demanded cryptocurrency in exchange for returning control of the pipeline to the Colonial Pipeline Company; the company paid a ransom of $4.4 million.
Another factor is the impact on businesses further down the supply chain, not just the enterprise suffering the attack. In the Colonial Pipeline hack, it was not only the pipeline and its operator that felt the effects: downstream businesses such as gas stations and airports were affected by the lack of oil supplied by the pipeline.
As highlighted by McQuiggan, another aspect businesses must consider is what constitutes a “substantial” cyberattack as outlined in the act. With a more robust reporting process, there will be an increase in the number of cyberattacks reported by the media, says Paul Furtado, senior research director at Gartner.
“The bill applies to federal civilian agencies and industries deemed to be critical infrastructure. Critical infrastructure industries make up a large percentage of the US economy,” said Furtado. “The bill impacts these organizations regardless of size or revenue. Once the bill is passed into law we may see a surge of ransomware incidents reported in the media. People need to understand that the wave of new reports doesn’t mean we are under a greater volume of attacks, but rather will highlight the fact of how many of these attacks historically have gone unreported.”
To address this, Furtado says the key will be expanding the scale and detail of incident response to meet the new governmental requirements, along with intensive monitoring of systems to prevent future attacks.
“CIOs and security leaders will need to update existing incident response plans to reflect the new reporting requirements,” Furtado said. “Additionally, executive management needs to be educated on the new legislation and the impact to the business should they be the victim of a ransomware attack. Outside of the additional regulatory notification requirements, companies should continue to implement [constant] security monitoring and preventative tools to mitigate the risk of ransomware taking hold in their organization.”
With many different industries under the potential umbrella of this new bill, many organizations will want to strengthen not only their security controls to prevent attacks, but also their reporting processes to comply with the bill.