On Tuesday, as part of the omnibus bill, President Biden signed into law the Cybersecurity Reporting Act. This act requires companies operating in critical infrastructure to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours after they discover they are under cyberattack. It also requires these same companies to report to the CISA within 24 hours if they choose to make a payment due to ransomware. This is an effort by the federal government to remove the plausible deniability of these companies regarding cyberattacks. Like many companies, these corporations choose to under invest in cybersecurity or rely on cybersecurity insurance to avoid investing in better cybersecurity. This has been prompted by the difference between reported incidents in 2021, amounting to about $29 million, and the much larger amount discovered by Chainalysis Inc. (which tracks cryptocurrency transactions) of $406 million (see Ransomware 2021: Critical Mid-year Update.)
What It Means
Several line items on this new law have changed the game completely.
- The CISA has the authority to subpoena companies that fail to report cybersecurity incidents or ransomware payments. Failure to comply with the subpoena can result in the case being sent to the Department of Justice.
- Companies will need to show they are taking cybersecurity more seriously. Those without a CISO will probably need to hire one, and give the CISO veto over the CIO regarding cybersecurity– related decisions.
In return the CISA is required to warn organizations of vulnerabilities that ransomware actors exploit. The director of CISA (currently Jen Easterly) will need to establish a joint ransomware task force to coordinate federal efforts working with the industry to prevent and disrupt ransomware attacks.
The sixteen critical infrastructure sectors are chemical, communications, dams, emergency services, financial services, government facilities, information technology, transportation, commercial facilities, critical manufacturing, defense industrial, energy, food and agriculture, healthcare and public health, nuclear reactors (including materials and waste), and water and wastewater systems. For more information about what is included in each sector see (CISA – Critical Infrastructure Sectors).