Combating Ransomware – Senate Homeland Security Committee Introduces Legislation

Recently, ransomware attacks have disrupted companies across all industries, including gas pipelines, meat processing plants, and schools throughout the U.S. In response to the surge in these attacks, the U.S. Senate's Homeland Security Committee has made combating future ransomware attacks a top priority on its agenda. Specifically, the Committee has proposed legislation intended to deter hackers who demand multimillion-dollar cryptocurrency ransoms.

This legislation would be a step up from cybersecurity measures taken in prior administrations. For example, a cybersecurity bill proposed during the Obama Administration died in the Senate after some argued that government intervention in the private sector would be too intrusive and would place a significant financial burden on companies. Additionally, in 2015, legislation that created a voluntary program for companies to disclose cyberattacks to the government barely passed.

Beyond deterrence, the proposed legislation also aims to create more robust communication between government and critical industries when ransomware attacks occur. The bill is likely to require companies in specific sectors to notify the Department of Homeland Security within 24 hours of an attack. These critical sectors would include energy, transportation, telecommunications, emergency services, and many others.

Currently, state laws determine whether and how companies must disclose cyberattacks to the government. This bill would impose a federal reporting mandate that overrides those laws. Additionally, the bill would attach fines to companies that fail to disclose their breaches to DHS's Cybersecurity and Infrastructure Security Agency (CISA) and would give the government the power to bar contractors that do not report accurately from future contracts.

This legislation stems from the SolarWinds supply-chain compromise, linked to Russia and disclosed in late 2020. The breach threatened hundreds of companies and various government agencies in North America, Europe, Asia, and the Middle East. FireEye, a cybersecurity company, discovered the intrusion and promptly notified the government. That notification enabled a broader federal investigation and helped protect the data of other affected U.S. organizations. Prompt reporting to the government leads to more thorough investigations, and in turn to better information about an attack and stronger defenses.

The draft bill would authorize CISA to conduct these investigations during and after cyberattacks, reconstruct how previous attacks unfolded, and help mitigate future ones. The reporting data would also show how common and frequent cyberattacks are in these sectors, providing a way to gauge their severity.

This legislation has not gone without criticism. Opponents of the bill say it is too broad and would be more likely to pass if it applied to a narrower set of companies and sectors. They also argue that it places an additional burden on companies within the critical sectors and that a 24-hour deadline for notifying CISA could lead to rushed, confusing reports.

Despite these criticisms, the cybersecurity legislation was introduced on July 21st. A draft of the bill can be viewed here.