The US Senate has just introduced a bipartisan bill that requires critical infrastructure operators, such as banks and energy companies, to report cyberattacks within 72 hours. Other organisations such as state and local governments and businesses with more than 50 employees will also be required to report any ransoms paid following an attack to the federal government within 24 hours of payment.
The Senate bill comes after the House of Representatives passed a similar measure as part of the fiscal 2022 National Defense Authorization Act (H.R. 4350) on September 23. The House bill, however, does not require ransomware payments to be reported.
Cybersecurity companies Exabeam, Egnyte and Glasswall have spoken out on the bill.
Tyler Farrar, CISO, Exabeam says: "Critical national infrastructure (CNI) is at the top of the target list for adversaries, given the impact if successful, even in part.
"The need to understand and baseline normal critical asset/system posture is absolutely key in protecting critical infrastructure to prevent a breach from even occurring in the first place. Regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk. We’ve got to ensure we’re monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality, regardless of how small, should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale.
"Working smarter with automation technologies in managing large volumes of data streams, analysing them for anomalies and reporting risk and attacks in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical.”
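Farrar's point about baselining normal OT access activity and flagging every deviation can be made concrete with a small detection routine. The following is an added illustration written for this article, not code from Exabeam or any product the quote refers to; the log format (`timestamp|user|asset|action`), the user and asset names, and the two constructed log windows are all assumptions made up for the example. It learns which user/asset/action combinations and which hours of the day appeared in a known-clean baseline window, then reports any event in a later review window that falls outside that baseline.

```python
"""Baseline-and-deviation check over constructed OT access-control log lines.

Added example for this article; the log format and all values below are
constructed for illustration and do not come from any real system.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline window: activity that an operator has reviewed and
# considers normal. Fields are "timestamp|user|asset|action".
BASELINE_LOG = """\
2021-09-20T08:05:00|ops_alice|plc-07|login
2021-09-20T08:06:10|ops_alice|plc-07|read_setpoint
2021-09-21T09:12:00|eng_bob|hmi-02|login
2021-09-21T09:15:30|eng_bob|hmi-02|config_change
2021-09-22T14:40:00|ops_alice|plc-07|login
2021-09-23T10:02:00|eng_bob|hmi-02|login
""".splitlines()

# Constructed review window: the events to be checked against the baseline.
REVIEW_LOG = """\
2021-09-27T08:10:00|ops_alice|plc-07|login
2021-09-27T23:45:00|eng_bob|hmi-02|config_change
2021-09-28T03:12:00|svc_backup|plc-07|config_change
""".splitlines()


def parse(line):
    """Split one log line into (datetime, user, asset, action)."""
    ts, user, asset, action = line.strip().split("|")
    return datetime.fromisoformat(ts), user, asset, action


def build_baseline(lines):
    """Record every (user, asset, action) triple seen and the hours each user was active."""
    triples = set()
    hours = defaultdict(set)
    for line in lines:
        ts, user, asset, action = parse(line)
        triples.add((user, asset, action))
        hours[user].add(ts.hour)
    return triples, hours


def find_deviations(lines, triples, hours):
    """Return [(line, [reasons])] for every event that departs from the baseline.

    Two checks are applied, and an event is reported if either fails:
    - the exact user/asset/action combination was never seen in the baseline;
    - the hour of day is outside the hours this user was active in the baseline
      (a user absent from the baseline has no approved hours at all).
    """
    findings = []
    for line in lines:
        ts, user, asset, action = parse(line)
        reasons = []
        if (user, asset, action) not in triples:
            reasons.append("unseen user/asset/action combination")
        if ts.hour not in hours.get(user, set()):
            reasons.append(f"outside {user}'s baseline hours")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


def run():
    """Build the baseline from the clean window and check the review window."""
    triples, hours = build_baseline(BASELINE_LOG)
    return find_deviations(REVIEW_LOG, triples, hours)


if __name__ == "__main__":
    for event, reasons in run():
        print(f"INVESTIGATE: {event}  ({'; '.join(reasons)})")
```

Against the constructed data, the routine accepts the routine morning login and reports two events: a late-night `config_change` by a known engineer (known combination, unusual hour) and a `config_change` by an account that never appeared in the baseline at all. The baseline window must itself be known-clean before it is trusted, and in practice it would be rebuilt periodically and keyed on more fields (source address, protocol, function code) than this example uses.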
Neil Jones, cybersecurity evangelist, Egnyte adds: “With the escalating volume of ransomware attacks and ballooning ransom payments, it's clear that current approaches to addressing ransomware just aren't working. So, I'm excited to see bipartisan support for this proposed measure that will require financial institutions and critical infrastructure operators to promptly report cybersecurity incidents and ransomware payments to the federal government.
"It is especially reassuring to see a CCPA or GDPR-style incident reporting timeframe of 72 hours, so that organisations in those industries will no longer be able to delay reporting of potential data breaches for months and months, without informing the government. Finally, I'm reassured to see that organisations in industries that haven't traditionally invested significantly in IT security such as non-profit organisations, small- and medium-sized businesses (SMBs) and local governments will be required to report potential ransomware payments.”
Danny Lopez, CEO, Glasswall concludes: "The Senate bill to mandate reporting cybersecurity incidents and ransomware payments is a crucial step in combating the wave of major cyberattacks we have seen in the last two years. While the US government appears to have decided against making ransomware payments illegal, this disclosure structure should still play an important role in encouraging organisations to be proactive rather than reactive in regards to cybersecurity.
"This latest policy move, plus the administration's earlier executive orders (EOs) on the subject, shows that federal cyber leaders are pushing for a more secure future for the U.S. Previous EOs have emphasised the importance of stronger multi-factor authentication and encryption, which we applaud. These are critical elements in an effective cybersecurity stack, but an overarching zero trust approach will take businesses’, government agencies’ and critical infrastructure organisations’ proactive protection to the next level.
"Zero trust security sees the world differently. No one is trusted by default, regardless of whether they are inside or outside a network. Without a zero trust approach, organisations run the risk of attackers having free rein across a network once they are inside. If more security teams turn to this approach, fewer attacks and payments will need to be reported.”