New rules passed by Congress will require companies that are critical to the national interest of the United States to report hacking incidents and ransomware payments.
These rules are part of an overall effort by Congress and the Biden administration to strengthen the nation’s cybersecurity defenses following a string of high-profile cyber espionage campaigns and disruptive ransomware attacks. The reporting will give the federal government greater visibility into hacking attempts that target private businesses, which have sometimes not sought help from the FBI or other agencies.
“It is clear that we must take bold actions to improve our online defenses,” said Sen. Gary Peters (a Michigan Democrat) in a Friday statement. He heads the Senate Homeland Security and Government Affairs Committee and authored the legislation.
On Thursday, the Senate and the House approved the reporting requirement legislation. President Joe Biden is expected to sign it into law soon. Any entity considered to be part of the nation’s critical infrastructure (finance, transportation, and energy) must report any “substantial hacker incident” within three days to the government. Ransomware payments must also be reported within 24 hours.
Ransomware attacks are those in which criminals hack into targets and hold their data hostage until a ransom is paid. Last year’s attacks on the largest U.S. meatpacking company and on the largest U.S. fuel pipeline, which caused days of gas station shortfalls on the East Coast, highlighted how hacker gangs can disrupt an economy and place lives and livelihoods at stake.
Russia and China continue to hack into and spy on U.S. targets, including critical infrastructure. Most notable was Russia’s SolarWinds cyberespionage operation, which was discovered at the beginning of 2020.
Experts and government officials are concerned that Russia’s war in Ukraine has raised the risk of cyberattacks on U.S. targets by state actors or proxy actors. Many ransomware hackers live and work in Russia.
Sen. Rob Portman is a Republican from Ohio.
The legislation names the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) as the lead agency for receiving hack and ransomware payment notices. The FBI objected to this and had publicly lobbied for changes to the bill, a rare public disagreement over legislation backed by the White House.
Speaking last week at a cyber conference at the University of Kansas, FBI Director Christopher Wray stated that “one call should be a call to all of us.” “We don’t need a lot of different reporting, but real-time access for all those who require it to the same report. That’s the key point: not multiple reporting chains, but multiple access, multiple contemporaneous actions, to the information.”
The FBI expressed concern that the liability protections for companies reporting breaches to CISA would not extend to reporting breaches to the FBI. This, the FBI believes, could unnecessarily complicate law enforcement efforts to respond to hacks and aid victims.
The lawmakers who drafted the bill disagreed with the FBI, saying that its concerns about liability protections for hack reporting were adequately addressed in the final version.
CISA can now subpoena companies that fail to report hacks and ransomware payments to it. Those that do not comply with a subpoena may be referred to the Justice Department for investigation.