The U.S. Senate has just introduced a bipartisan bill that requires critical infrastructure operators, such as banks and energy companies, to report cyberattacks within 72 hours.
Other organizations, such as state and local governments and businesses with more than 50 employees, would also be required to report any ransom paid following an attack to the federal government within 24 hours of payment.
Top security officials CISA Director Jen Easterly and National Cyber Director Chris Inglis attended a committee hearing last week to support a draft version of the measure.
The Senate bill comes after the House of Representatives passed a similar measure as part of the fiscal 2022 National Defense Authorization Act (H.R. 4350) on September 23. The House bill, however, does not require ransomware payments to be reported. Cybersecurity C-level executives reacted positively to the news:
Alex Pezold, CEO, TokenEx
“The proposed Senate bill to mandate cyberattack and ransomware reporting is what we expect to see from the federal government. It is a positive step to ensure that cybercrimes are reduced and that critical infrastructure is protected, as well as the private sector. We've already seen related activity when President Biden met with technology industry leadership. Now, the government is taking action, which will move everyone further toward the prevention of cybercrime and data breaches in the future.”
Tyler Farrar, CISO, Exabeam
“Critical national infrastructure (CNI) is at the top of the target list for adversaries, given the impact if successful -- even in part.
The need to understand and baseline normal critical asset/system posture is absolutely key in protecting critical infrastructure to prevent a breach from even occurring in the first place. Regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk. We’ve got to ensure we’re monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality -- regardless of how small -- should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale.
Working smarter with automation technologies in managing large volumes of data streams, analyzing them for anomalies and reporting risk and attacks in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical.”
Danny Lopez, CEO, Glasswall
“The Senate bill to mandate reporting cybersecurity incidents and ransomware payments is a crucial step in combating the wave of major cyberattacks we have seen in the last two years. While the U.S. government appears to have decided against making ransomware payments illegal, this disclosure structure should still play an important role in encouraging organisations to be proactive rather than reactive in regards to cybersecurity.
This latest policy move, plus the administration's earlier executive orders (EOs) on the subject, shows that federal cyber leaders are pushing for a more secure future for the U.S. Previous EOs have emphasised the importance of stronger multi-factor authentication and encryption, which we applaud. These are critical elements in an effective cybersecurity stack, but an overarching zero trust approach will take businesses’, government agencies’ and critical infrastructure organisations’ proactive protection to the next level.
Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. Without a zero trust approach, organisations run the risk of attackers having free rein across a network once they are inside. If more security teams turn to this approach, fewer attacks and payments will need to be reported.”