According to The Washington Post, financial institutions have reported more than $590 million in payments tied to ransomware attacks in the first half of 2021. Among the networks affected by ransomware are those supporting critical infrastructure. Attacks such as the ones carried out on JBS USA, which affected the country’s meat supply, and Colonial Pipeline, which caused gas shortages, have exposed the vulnerabilities these networks face. Now, proposed legislation seeks to implement reporting guidelines in order to prevent future disruptions.
Since President Biden stated that such cybersecurity attacks are a “core national security challenge,” not only has cybersecurity been included as a main part of the infrastructure budget, but a few bills have been introduced in Congress that aim to build up the government’s response measures. All outline reporting requirements; however, according to the Post’s “Cybersecurity 202,” they differ in details such as timeframe allowances. For instance, a bipartisan proposal from Senate Intelligence Committee Chairman Mark R. Warner gives a 24-hour deadline for infrastructure operators to report cyberattacks, whereas Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters has suggested a 72-hour deadline.
CNN recently covered the legislation brought forward by the senators on the Homeland Security Committee. In addition to requiring critical infrastructure owners and operators to report cyber incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours, the proposal also provides a 24-hour window for nonprofits, businesses with more than 50 employees and state and local governments to disclose any ransomware payments made. Under the bill, the Cybersecurity and Infrastructure Security Agency would be granted the authority to subpoena entities that fail to meet these requirements.
Although she has voiced concern over the power of the subpoenas, Cybersecurity and Infrastructure Security Agency Director Jen Easterly has stated that such reporting will both help victims and bolster the ability to address future issues. “We absolutely agree it’s long past time to get cyber incident reporting legislation out there…,” she said.
“Cybersecurity legislation is waiting in the wings” – Aaron Schaffer, The Washington Post
“Senators introduce cyber bill to mandate reporting on ransomware and critical infrastructure attacks” – Geneva Sands, CNN