When cybercriminals target sensitive data or charge companies or agencies a ransom to retrieve their encrypted information, the consequences can be dire. In response, Congress has passed a bill that will require entities that deal with critical US security-related information to report when digital criminals victimize them.
Should they fail to comply with any subpoena generated by this process, they will be referred to the Justice Department for investigation. Thanks to this increased governmental oversight, federal officials will be able to have a complete picture of the ongoing effects of hacking on our nation’s well-being.
The measure has been implemented in response to a surge in ransomware attacks and other digital crimes in the US and worldwide. In the past year alone, criminals targeted the largest US fuel pipeline and the world’s biggest meat-packing company, disrupting the economy and traumatizing affected citizens.
Additionally, state terrorists continue to attack critical infrastructure. The most notable instance is the Russia-backed SolarWinds espionage campaign. Experts are concerned that the Russian war in Ukraine will open the door to an uptick in cyberattacks by state actors and their proxies, many of whom reside in Russia.
“As our nation rightly supports Ukraine during Russia’s illegal, unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against US critical infrastructure will increase,” said Sen. Rob Portman, a Republican from Ohio. The solution is to be proactive.
The reporting legislation, written by Michigan Sen. Gary Peters and approved by the House and Senate, is expected to be signed into law by President Joe Biden soon. The rule stipulates that any entity deemed part of the country’s critical infrastructure must report any “substantial cyber incident” to the government within three days. If a ransomware payment is made, officials must be notified within 24 hours.
When hacking and ransomware incidents occur, reports should be sent to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. In an unusually public disagreement, the FBI expressed concerns and unsuccessfully pressed for tweaks to the bill. Specifically, the agency’s officials were concerned that the reporting methods to be instituted might be too complex, resulting in delays in accessing critical information.
Furthermore, they worry that victims who report security incidents to the FBI may not enjoy the same liability protections as those who report through the Cybersecurity and Infrastructure Security Agency. The legislators who wrote the law assure critics that these concerns were addressed in the final draft of the legislation.