The US Congress passed new legislation that mandates cyber breach reporting to the Cybersecurity and Infrastructure Security Agency (CISA). The entire bill is available for review and planning here. This comes a third of the way through 2021, a year of record cyberattacks in the US, including several successful attacks on large-scale US infrastructure. Titled the “Cyber Incident Reporting Act,” the new legislation requires companies operating critical infrastructure to report within 72 hours if they have experienced a cyber-attack and within 24 hours if they make a ransom payment. The bill affects contractors and operators of critical infrastructure, including non-profits, state and local governments, and all businesses with more than 50 employees. The requirements are intended to give the US government greater insight for tracking cyberattacks at the national level and responding to nation-state APT threat actors. In addition, the resulting broad visibility will contribute to accurate trend reporting, threat intelligence, and coordinated response engineering.
Some uncertainty remains regarding the threshold an event must meet to qualify as a "cyber-attack." Virtually all public-facing IP addresses endure constant attacks in one shape or another. The bill requires CISA to cooperate with other national security and intelligence agencies to establish clear guidelines and definitions for what constitutes a reportable "cybersecurity intrusion." CISA has 270 days from the bill’s enactment to deliver this reporting framework. Until the final reporting guidelines are established, however, the extent of the low-level technical reporting requirements is unclear, and those requirements will determine how well the framework can support applicable technical advisories.
The bill also includes liability protection provisions that shield entities submitting a report from liability arising from the cybersecurity notification itself, and that would prevent cyber incident notifications from being used as evidence in criminal or civil actions. In addition, the identity of reporting entities will be anonymized if the information is provided to critical infrastructure operators or the general public. The bill's wording also indicates that submissions are exempt from disclosure under the Freedom of Information Act, although this exemption does not itself shield submitting entities from further action under other Federal or State laws.
Paying the ransom may be more cost-effective than restoring large volumes of systems from backup, and accounts from cyber victims describe a well-oiled victim support system that makes ransom-based recovery an efficient option. However, is it technically legal to pay the ransom? There are no existing laws in the US that directly prohibit ransom payment unless the payment is directed to an organization on a "Sanctions List". The Sanctions List includes governments, organizations, and individuals who engage in terrorist activities or sponsor terror. Furthermore, the newly appointed (December 2020) Ransomware Task Force (RTF), a coalition subcommittee appointed by the US DOD, views an outright ban on ransom payments anytime soon as infeasible. The RTF committee is a who’s who of prominent US corporate stakeholders and IT security firms, including Deloitte, Amazon, Microsoft, Palo Alto Networks, CrowdStrike, and a host of other large enterprises. Although it does not ban ransom payments outright, the new bill calls for consideration of alternative remediation strategies, including:

- Attempting alternative decryption methods
- Seeking assistance from non-federal entities to assist with recovery through other means
- Consultation with federally provided services offered by DHS, the Federal Bureau of Investigation, or the Office of Foreign Assets Control
The Cyber Incident Reporting Act also includes vigorous enforcement for non-compliance. Non-reporting organizations can be hit with a fine of as much as 0.5% of gross revenue for every day of delayed notice, and CISA has been granted authority to establish a process for contesting civil penalties and to subpoena entities that fail to report. In addition, companies that violate U.S. Treasury restrictions by making payments to entities on the Sanctions List may be punished.

Cyber-Insurance: In 2021, insurance companies moved to explicitly remove coverage for ransom payments from their policies after Colonial Pipeline filed a claim for the $4.4 million ransom it paid. There has been growing concern that the increased move toward cyber-insurance policies will merely shift the focus from better security to simply transferring risk, making the problem worse by providing a monetary incentive for ransomware gangs. At the same time, insurance companies that do offer cyber disruption policies will place greater demands on policy holders' cyber-hygiene and adherence to IT security best practices, and will refuse to pay out when those standards are not met.
While the new bill does not explicitly make paying ransom illegal, existing US laws already make paying ransom precarious, since many companies may not know the complete identity of their attackers. The expectation is that reluctance to hold companies accountable for paying ransoms will continue, even though better-funded cybercriminal organizations will be able to launch more numerous and sophisticated attacks on US critical infrastructure. Some pressure is coming from the insurance industry, however, which is hinting at reduced coverage for a lax attitude toward corporate cyber-security.