Russia’s invasion of Ukraine, and the possibility that the Kremlin may escalate its cyberespionage against the West after being heavily sanctioned, has convinced the US Senate to unanimously pass a bipartisan cybersecurity bill.
This draft law would, among other steps, force critical infrastructure companies to report attacks and ransomware payments.
The Strengthening American Cybersecurity Act of 2022, which now goes to the House, would put into law some of the regulations the Biden Administration and some members of Congress have been advocating for since the onslaught of high-profile ransomware attacks last year, including those on such companies as Colonial Pipeline and meat processor JBS Foods.
Both attacks were carried out by cybercriminal groups – DarkSide and REvil – with links to Russia.
The bill passed by the Senate this week would require civilian federal agencies and the owners of US critical infrastructure organizations – such as power plants, hospitals and shipping ports – to report cyberattacks to Homeland Security within 72 hours. In addition, they would have to report a ransomware payment within 24 hours.
While the White House has given its support to the bill – though an official there has said administration staff will work with the House to ensure all the necessary provisions are in it – the Department of Justice (DOJ) reportedly pushed back on it, saying the FBI should also be on the list of agencies contacted by companies that have been attacked. The bill currently requires companies to notify the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security.
Deputy Attorney General Lisa Monaco told Politico the “bill as drafted leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats.” FBI Director Christopher Wray agreed, adding that it would hurt the agency’s response to attacks.
In addition, some in the cybersecurity field have questions about the proposed law, including the requirement to alert Homeland Security of a ransomware payment.
“Reporting ransomware payments can be immensely useful if there is immunity for making the payments,” John Bambenek, principal threat hunter at cybersecurity firm Netenrich, told The Register.
“There is no, nor ever has been, any evidence that banning ransomware payments will work or be successful. Creating a reporting mechanism to report one’s own ‘wrongdoing’ hasn’t worked in the past. If – and only if – the government stops its saber rattling towards victims who make payments, then this policy has a chance at success.”
Horse, meet stable door
The Biden Administration has made cybersecurity a priority. The President has signed executive orders and a memorandum pushing to improve the cybersecurity posture of the government and US businesses.
The National Security Council in June 2021 sent a memo urging US businesses to take the ransomware threat seriously, and in October rolled out several initiatives that included going after the criminals orchestrating these attacks and requiring the reporting of incidents and ransomware payments.
In January, the FBI, NSA, and CISA warned US businesses about the threat of Russian state-sponsored gangs as tensions rose between Russia, the United States, and European nations over President Putin’s intentions for Ukraine.
Government agencies and cybersecurity companies have urged ransomware victims not to pay the demanded ransom to get their scrambled or deleted data restored, arguing that doing so funds future attacks, makes companies more likely to be targeted again, and doesn’t guarantee they will regain control of all their data.
A study in October 2021 by cybersecurity firm ThycoticCentrify – now known as Delinea – claimed 83 per cent of ransomware victims in its survey paid their extortionists.
Spokespeople for Senators Gary Peters (D-MI) and Rob Portman (R-OH) said the cybersecurity bill included many changes both the DOJ and FBI pushed for, and disputed that it would make the country less safe.
The escalating war in Ukraine and the ongoing threat of Russian cyberattacks seem to have helped accelerate the Senate’s passage of the legislation, which was taken out of the defense budget appropriation in December.
“It’s no surprise with recent incidents and an increased threat of cyberattacks that this bill has gained bipartisan support,” Tim Erlin, vice president of strategy at cybersecurity company Tripwire, told The Register. “The requirements included, which go beyond just reporting incidents, are largely common-sense measures to protect organizations. Making progress on cybersecurity has been a clear objective for the administration and the passage of this legislation in the Senate is evidence of that progress.”
That said, some cybersecurity experts said more needs to be done. Erlin noted that the “scope of this legislation is limited to civilian federal agencies and critical infrastructure. The vast majority of commercial organizations won’t be directly impacted.”
Netenrich’s Bambenek said that those that will be most affected are federal government vendors that are required to use FedRAMP, a government program designed to address security assessment and monitoring of cloud products and services.
“The new legislation, and whatever implementing regulations are passed to support it, will start to tackle, among other things, software supply-chain issues,” he said.
“How organizations begin to tackle that will also impact the B2B ecosystem as well. It will, by no means, solve the problem of supply-chain compromises, but it is definitely a step down the road to visibility and risk management.”
Alex Ondrick, director of security operations at incident response specialist BreachQuest, told The Register that the legislation is well intentioned but doesn’t define specifics.
“This seems to be a good first step towards formalizing cybersecurity policy at the national level, but this is only the beginning of the journey,” Ondrick said. “In an ideal world, further policy developments would ‘nest’ considerations at the director [and] C-level, with further-developed and fully-defined technical next steps at the analyst level.” ®