What a new cyber bill could mean for critical infrastructure
A bill introduced by two members of the Senate, Gary Peters (Democrat, Michigan) and Rob Portman (Republican, Ohio), the Cyber Reporting Incident Act, seeks to create a stricter timetable for reporting cybersecurity events, specifically breaches involving critical infrastructure.
Owners and operators of enterprises with critical infrastructure would be required to notify CISA of a potential malicious breach or “cyber incident” if they reasonably believe such an event occurred.
The bill also contains a stipulation that businesses with 50 staff or more must notify CISA and the appropriate agencies if they made a ransomware payment. This notification would be required within 24 hours of the payment. Additionally, the bill would require businesses to produce a “due diligence report.” In other words, the affected business would need to list the alternatives it had, if any, to paying the demanded ransom. The bill seeks to create data protection obligations for infrastructure industries.
The FBI and CISA have long discouraged paying ransoms, because it only emboldens threat actors. The bill would be used to discover as much information as possible about the attack while also finding what methods, if any, companies employed to resist ransom payments. A large problem with the continuous onslaught of cyber attacks is a lack of information, typically because companies downplay the full impact of a breach.
Because critical infrastructure is a fresh target for ransomware attackers, cybersecurity defense action is necessary.
The bill in action
Were the bill to receive enough support and pass, other stipulations would follow. For companies falling under the categories set by the bill, the head of CISA, together with federal agencies, would be responsible for setting the reporting rules and requirements. The bill also aims to create a new office within CISA, the “Cyber Incident Review Office.” As the name suggests, the office would be responsible for in-depth reviews of cyber events while sharing voluntarily provided information about data, threat consolidation, and prevention.
Moreover, the bill requires CISA to develop a program that warns against ransomware attacks and provides information on how best to mitigate them. Lastly, and where the bill may find resistance, it would grant the CISA director the power to issue subpoenas to parties that willfully disregard the incident reporting obligations it puts in place. Cases of noncompliance would be referred to the Justice Department for appropriate civil enforcement.
Granting authority like this, of course, is certain to meet resistance. But by introducing fees and penalties for not upholding basic ransomware and defense hygiene, infrastructure companies are certainly incentivized to take an active role in their own cyber defense.
How it could affect your business and the future of cybersecurity
It has been a common issue that breaches are routinely downplayed after the fact. Some enterprises want to keep cyber damage out of the public eye, to limit damage to brand and trust and to avoid “spooking” their investors.
But providing intel about attacks is one of the key foundations for building better defense methods. Until now, businesses have been asked, as a guideline, to provide key details about cyber-attacks. But even then, the data provided is often insufficient to support meaningful action.
If the bill passes, organizations fitting the criteria would carry a greater responsibility for their data. If your organization qualifies as critical infrastructure and has at least 50 employees, you would need to follow the enforced elements of the bill.
Even if this bill does not pass, however, it is clear that a stronger emphasis on cybersecurity legislation will become the norm.