The Cyber Incident Reporting Act, which was signed into law on March 15, is federal legislation aimed at bolstering the ability to prevent and more rapidly respond to cybersecurity attacks. While it won't take effect until final rules are determined, it's one of three parts of the Strengthening American Cybersecurity Act, which is aimed at bolstering the cybersecurity of critical infrastructure and the federal government. The need for such an act has been intensified by the situation in Eastern Europe, where cyber warfare has proven to be a key and effective tactic for Russian state-backed actors.
Under the Cyber Incident Reporting Act specifically, critical infrastructure operators and federal agencies are required to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and ransomware payments within 24 hours.
The overarching Strengthening American Cybersecurity Act will update current federal government cybersecurity laws to improve coordination between federal agencies, ensure the government takes a risk-based approach to cybersecurity, and require all civilian agencies to report all cyberattacks to CISA.
Overall, the act demonstrates increased recognition of the need for better policy in place to prevent attacks on a larger scale, and highlights the impact the US government can have on cybersecurity efforts within organizations.
But to truly understand the magnitude of the act's potential impact, we must first gain insight into the current threat environment, while acknowledging the legislation's benefits and limitations. Let's explore.
Cyber Threats Show No Signs of Slowing Down
The recent cyber threats against Ukraine have signaled the need for heightened protection measures, while also demonstrating the large-scale consequences of a cybersecurity attack on an entire country. For example, several Ukrainian government and bank websites were recently offline as a result of a massive distributed denial-of-service (DDoS) attack.
Shortly following these attacks, a new "wiper" malware targeting Ukrainian organizations was discovered on hundreds of machines. These security incidents are suspected to have been carried out by Russian cybercriminals, creating a new digital warfare environment that has taken organizations by storm.
One cause for concern for countries that have imposed sanctions against Russia is the potential for retaliatory cyberattacks. In addition to the escalating geopolitical tension in Eastern Europe, security teams continue to face an overwhelming volume of ransomware attempts from malicious actors not just in Russia, but across the world. In fact, approximately 37% of global organizations said they were the victim of a ransomware attack in 2021, and that figure is only expected to increase this year.
Through the Strengthening American Cybersecurity Act, a new foundation is created for both public and private sector organizations, enabling them to create larger-scale defenses against nation-state actors while better bolstering protection against the continuous cyber threats they grapple with each day.
Need for Information Sharing and Ransomware Reporting
Upon reviewing the comprehensive piece of legislation, one aspect that stood out to me was a call for "the rapid centralized aggregation and dissemination of real-time attack data." Through the passing of the act, the government and the security community at large publicly recognize that the speed, collection, and sharing of real-time attack data are critical to properly protecting private and public networks, especially as ransomware groups and attack methods mature and become more frequent. What is more important than ensuring the right people get the right information at the right time, especially when this type of information sharing may be the key to preventing the next cyberattack?
Another noteworthy aspect of the legislation is the process of ransomware attack reporting. Today, there are more than 250 ransomware families, and that figure only continues to grow. This, coupled with the rise in more sophisticated and targeted ransomware, exposes organizations to increased risk.
As such, it's essential to have the proper reporting tools and systems in place. The Cyber Incident Reporting Act, which is an act within the larger legislation, will ensure that all critical infrastructure attacks are reported in a timely manner. Traditionally, these types of events go unreported or underreported; through these new reporting protocols, security teams can better gauge the size and scope of the attacks potentially facing their own organization, and society at large.
Too Good to Be True? Recognizing Potential Pitfalls
While the act brings immense benefits, it's also important to acknowledge that several potential limitations exist within the legislation. For instance, while increased transparency is crucial to help prevent damaging attacks, many security teams may be hesitant to report attacks so openly. Increased attack reporting could expose companies to litigation, which could trigger significant reputational and financial losses as attacks are made public.
To ease some of this worry, organizations may consider an increased investment in cyber insurance. While once a fairly new concept, the cyber insurance market is growing exponentially and is forecast to become a $20 billion industry by 2025. In the boardroom, CFOs should prioritize conversations on cyber insurance during planning and budgetary meetings. After all, an organization that isn't proactive and instead takes a laggard approach to cybersecurity is leaving itself at risk of attack and lost corporate funds.
Additionally, the act will only be effective if all applicable parties work to ensure that the quality and timeliness of information collected, and the corresponding reporting processes, are taken seriously and done properly. This is not a one-time process; data sharing and incident reporting must be done continuously. The success of the new legislation is dependent on the cooperation of security teams within the public and private sectors it reaches. Simply put, a lax approach will equate to an ineffective bill.
The Strengthening American Cybersecurity Act's passing is a true acknowledgment from the public sector that the frequency and severity of cyberattacks cannot go unresolved. The onus is on both public and private organizations to uphold its principles as these incidents take place – regardless of the size or scale of the attack. Overall, the public sector should continue prioritizing security-related legislation, and the private sector must follow the guidelines provided to them. A concentrated effort from both parties is the best way to protect the nation's most sensitive assets.