“Fairly consequential and it is coming.”
That is how President Biden described the magnitude and likelihood of a Russian cyber attack when addressing a group of business leaders late last month. This advance warning would be in line with the Administration’s strategy of releasing intelligence findings and preemptively calling out Russia’s military plans before their invasion of Ukraine. The conflict has prompted a renewed focus on cybersecurity at both the state and federal levels. In February, New York Governor Kathy Hochul announced a joint cyber command center to bolster the state’s cyber defense capabilities. Now, President Biden and the federal government are taking steps to streamline the reporting and subsequent response to cyber attacks on critical systems.
In March, the Senate passed the Strengthening American Cybersecurity Act (SACA), which would require all civilian federal agencies and the “critical infrastructure sector” to report all cyber attacks and ransom payments to the Cybersecurity and Infrastructure Security Agency (CISA). Among the sixteen critical infrastructure sectors listed on the CISA website are energy, financial services, information technology, manufacturing, food production, and healthcare.
Here are the minimum reporting requirements contained in SACA:
- Notice to be provided to CISA within 72 hours
- A full description of the incident including the vulnerabilities exploited, along with what defenses were penetrated
- Contact information or additional details about the attacker
- The type and amount of information that may have been compromised
- Details and contact information from the impacted parties
Other components of the bill include enforcement mechanisms for non-compliance as well as expansions to FedRAMP, the Federal Risk and Authorization Management Program that governs the security authorization of cloud services used by federal agencies.
One major consideration is that the Department of Justice openly opposes the bill, with Deputy Attorney General Lisa Monaco saying, “The bill as drafted leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats.” The bill would mandate reporting to CISA, but would not require similar notification to the FBI, which estimates only 25% of annual cybercrime is reported.
Co-sponsor Senator Gary Peters (D-Mich.) said, “This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in America is reporting cyber attacks and ransomware payments to the federal government.”
Fellow co-sponsor Senator Rob Portman (R-Ohio) said the legislation will “give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyber attacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks.”