The US Senate has passed legislation that promises to both help drive greater transparency around data breaches and ransomware payments and improve support for impacted organizations.
The Russian invasion of Ukraine has upended the geopolitical climate. Cyberattacks hitting both countries show that threat actors are playing a major role in the early days of the war. Cyberthreats have long been a top concern, but the current turmoil is lending new urgency to threats against critical infrastructure well beyond the conflict itself.
Russia-based threat actors demonstrated their effectiveness in the SolarWinds supply-chain compromise, in which multiple US government agencies, including the Department of Defense, the State Department, and the Department of Homeland Security, were breached.
One of the major challenges both public and private sector organizations face is a lack of information. This is partly because genuine security incidents get buried in an impossibly high volume of false positives. But it is also the result of too little information sharing among peers.
US legislation has its critics
The Strengthening American Cybersecurity Act promises to bolster critical infrastructure security in several ways, including improving the security posture of US government agencies and pressing public and private sector organizations to report breaches and ransomware payments. The bipartisan legislation would require organizations in 16 critical infrastructure sectors, including transportation, energy, and financial services, to report a breach within 72 hours and a ransomware payment within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA).
If the legislation passes the House of Representatives, CISA will provide guidance on which types of companies will be categorized as critical infrastructure within the 16 sectors the legislation identifies. The bill also promises more support from CISA for breached organizations.
The bipartisan legislation, which passed the Senate unanimously, is not without its critics. Senior leaders at the Department of Justice called out the legislation for not requiring breached organizations to report incidents to the Federal Bureau of Investigation (FBI). In a statement, Deputy Attorney General Lisa Monaco noted that the legislation “as drafted, leaves one of our best tools, the FBI, on the sidelines.” The FBI is the agency that takes the lead on breach investigations.