The United States Senate unanimously passed cybersecurity legislation that would require companies in critical sectors to alert the government of potential hacks or ransomware. The Strengthening American Cybersecurity Act – a package that consisted of three bills sponsored by Sen. Gary Peters (D-Mich.) – came as lawmakers warned the private sector to expect potential Russian cyberattacks in retaliation for U.S. sanctions imposed by the Biden administration.
“Cyber warfare is truly one of the dark arts specialized by Putin and his authoritarian regime. And this bill will help protect us from Putin’s attempted cyberattacks against our country,” said Senate Majority Leader Charles Schumer (D-N.Y.) following the passage of the legislation.
One of the bills requires companies to report any “substantial cyberattack” within 72 hours, and to report ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA). In addition, another bill called for an update to federal cyber laws to improve coordination between federal agencies. It would further require that agencies share information related to cyber incidents with the CISA.
Necessary Response
Cybersecurity researchers have praised the passage of the legislation.
“Since the Colonial Pipeline ransomware attack, the government has been in a reactionary course to pass legislation relating to cybersecurity to protect various private supply chains that impact the critical infrastructure of the United States,” explained James McQuiggan, security awareness advocate at research firm KnowBe4.
McQuiggan told ClearanceJobs via an email that the requirement to report a cyber incident to CISA within 72 hours could present some challenges to private organizations, but added, “it is worth noting that U.S. and Canadian electricity organizations already have to report within 24 hours of an incident as required by the NERC CIP (North American Electric Reliability Committee Critical Infrastructure Protection) standards.”
There could be other challenges ahead.
“What is yet to be determined is the specific incidents that organizations will need to report, the timeframe required, in other words, the time from when the organizations classify an event as an incident, and which types of incidents,” added McQuiggan. “Regarding ransomware attacks, will it be based on a dollar amount or system impacted amount? CISA has to develop these requirements, but it will require organizations to shift their incident handling procedures to address the new laws set forth.”
Attack Vector
While the timing of the passage of the law is notable, the situation is likely to only get worse. Even though the United States may not have boots on the ground, some cybersecurity experts are warning we’re already very much in a cyber conflict with Russia.
“Yes, 100%. We are under a cyber war,” said Hugo Sanchez of cloud-based cybersecurity provider rThreat.
“The current situation with the ‘Russia-Ukraine’ conflict has uncover many cyber organized groups – or Advanced Persistent Threat (APT) – that were under the radar for the past years, now they are taking sides and therefore we could see numerous attacks against allied countries, we just experienced in Japan Toyota attack (last) week, more to come,” Sanchez told ClearanceJobs.
“Attackers are more advanced than our cyber security protocols can currently keep up with, and the public and private sector aren’t doing enough to encourage innovation to protect against the attacks,” Sanchez warned.
Proactive Security
In addition to reporting that an attack has occurred, firms must increase their due diligence when it comes to fending off an attack. That could include the use of machine learning and artificial intelligence into many commercial solutions, including those used in cyber-defense, but the private sector may need to follow the government’s lead when it comes to trust.
“The first thing organizations need to do is adopt a ‘Zero Trust’ mindset, which means building and managing your cyber-defenses based on the assumption that attackers will be inside your systems environment – or already are,” said Sanchez. “The weakest aspect of current cyber protocols that fail to adhere to this mindset is that by the time they discover a threat, it’s too late. The threat actor or virus is already inside their system and defending against it becomes nearly impossible.”
A Zero Trust mindset could provide an organization the chance to be proactive about their defenses and more innovative with regards to their strategy. The government’s adoption of Zero Trust could also show that it is finally taking the crucial lead.
“Cybersecurity is finally becoming an important topic for the government, considering the number of attacks the various agencies have dealt with over the past number of years,” added McQuiggan. “However, with CISA, they are taking a more robust and proactive stance to ensure the nation’s infrastructure is secure and protected.”
