U.S. legislators, fueled by ongoing cyberattacks against critical infrastructure—including ransomware and extortion-style data theft—continue to march toward definitive incident reporting legislation.
Last week, U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), chairman and ranking member of the Homeland Security and Governmental Affairs Committee, introduced the bipartisan Cyber Incident Reporting Act. The act is the latest iteration of mandatory notification legislation requiring covered entities to report incidents that could impact national security and the U.S. economy.
Within the last two weeks, The House of Representatives passed the Cyber Incident Reporting for Critical Infrastructure Act of 2021, an important salvo in this effort to improve critical infrastructure cybersecurity. The Act would establish a Cyber Incident Review Office within CISA and designate the agency as the incident reporting clearinghouse responsible for receiving, analyzing, and sharing information on incidents with private sector owners and operators and the intelligence community.
The newly introduced Cyber Incident Reporting Act builds on that bipartisan bill—written by Rep. Yvette Clarke (D-NY) and John Katko (R-NY)—to not only mandate incident reporting to CISA within 72 hours, but also for businesses with 50 or more employees as well as nonprofit organizations and state and local governments to report within 24 hours if a ransom demands are met in the event of a ransomware attack or the threat of an attack that could disrupt operations of information systems.
Ransomware attacks against critical infrastructure sectors such as oil & gas, pipelines, and food and agriculture have dominated 2021. Organizations such as Colonial Pipeline, JBS Foods, and two farming cooperatives in the Midwest shut down operations in an abundance of caution after ransomware attacks locked down business systems. Colonial Pipeline and JBS Foods reportedly paid millions in cryptocurrency to meet ransom demands and restore affected systems.
Paying ransoms has been a hot-button issue for years among law enforcement and cybersecurity experts, both of whom strongly oppose meeting an attacker's demands. Not only would such payments fund a criminal's or adversary-state's efforts, but experts caution there is no guarantee that payment results in full system recovery. In the case of Colonial Pipeline, for example, the recovery key provided by the attacker was so slow, Colonial reportedly continued using its own backups to speed system restoration.
From Claroty's perspective, both bills are critical steps toward not only securing critical infrastructure from malicious activity, but also facilitating the sharing of actionable information from the private sector in order to reach that end. Claroty counts among its partners and customers some of the world's largest critical infrastructure providers, and those relationships enable us to understand the role of diverse private-sector ownership, the need for government to have better visibility into threat intelligence, and the importance of sharing that data with others across all critical infrastructure sectors.
We'd like to share our perspective, above, on some of the facets included in the Cyber Incident Reporting Act, which we support and endorse. Claroty has also drafted a letter in favor of this legislation to the Senate's Homeland Security & Governmental Affairs Committee, which meets today at 10:15 a.m. EST to discuss the act.
Including Cyber-Extortion a Step in Right Direction
Ransomware has evolved beyond simply a malware attack that encrypts data and demands are made for money in exchange for a decryption key. Attackers are targeting large enterprises with the resources to pay an exorbitant ransom demand. They spend time conducting reconnaissance, quietly infiltrating networks, and at times, moving from system to system siphoning data they can threaten to leak if demands aren't met.
These advanced types of attacks can be devastating to critical infrastructure operators and Claroty believes it is imperative to address all facets of extortion-style attacks in the Cyber Incident Reporting Act. All-inclusive language such as: "the threat of use of unauthorized or malicious code on an information system, or the threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed," is fundamental to the success of this legislation because it also addresses the threat of extortion before a cyberattack.
The requirement to report ransom payments strikes at the heart of Congressional debate over whether to make the practice illegal. The Cyber Incident Reporting Act strikes the right balance of enabling payments while forcing accountability, which ultimately could improve covered entities' governance over cybersecurity programs, cultures, and practices.
Relief for Small Businesses a Must
Previously proposed legislation did not offer any relief for small businesses impacted by cyberattacks. These can be devastating for organizations with fewer human and financial resources to deal with incident response and potential reputational fallout. Earlier bills required notification regardless of size, and critics raised concerns over small businesses' ability to comply and the burden of investment required that would impact their ability to operate. By excluding businesses with fewer than 50 employees that are not classified as critical infrastructure, there is some relief. While Claroty does not offer a perspective on whether 50 is the correct delineation, the direction is the right one.
Strengthen Disincentives, Simplify Process for Compelling Notification
The Cyber Incident Reporting Act threatens to bar organizations that fail to report ransom payments from doing business with the federal government. This aspect of the proposed legislation should create sufficient disincentives to adjust the financial calculus for decision makers in favor of reporting. Additionally, given the increasing frequency and impact of cyberattacks, we believe that this legislation serves to simplify the process to compel action from non-compliant organizations.
Claroty would also ask legislators to strengthen disincentives for failing to notify for incident reporting. At present, organizations are open to substantial brand and reputational risk for reporting on a cyber incident. The executive decision is therefore tipped all too frequently in favor of not reporting cyber incidents and working to quietly fix them behind the scenes. Using GDPR as a benchmark, breach notification compliance was half-hearted until high fines were instituted for violating the notification provision.
Claroty believes that given the risk to U.S. national security and economic interest, we must adjust the financial calculus in favor of notification. This should be done through penalties and enforcement for organizations that are clearly in violation. We also believe that this new set of risks will drive Boards of Directors to govern and manage cyber risk, which will drive funding and action through the organization more effectively.
