By ALAN SUDERMAN and ERIC TUCKER – Associated Press
WASHINGTON (AP) — Companies vital to U.S. national interests are now required to report when they are hacked or pay for ransomware, under new rules approved by Congress.
The rules are part of broader efforts by the Biden administration and Congress to bolster the nation’s cyberdefenses following a series of high-profile digital spy campaigns and disruptive ransomware attacks. The coverage will give the federal government much greater insight into hacking efforts targeting private companies, which have often skipped turning to the FBI or other agencies for help.
“It is clear that we must take bold action to improve our online defenses,” said Senator Gary Peters, a Michigan Democrat who chairs the Senate Homeland Security and Governmental Affairs Committee and authored the law.
The reporting bill was approved by the House and Senate on Thursday and is expected to be signed into law by President Joe Biden soon. It requires any entity considered part of the country’s critical infrastructure, including the financial, transportation and energy sectors, to report any “significant cyber incident” to the government within three days and any ransomware payment within 24 hours Report.
People also read…
Ransomware attacks, in which criminals hack targets and hold their data hostage through encryption until a ransom is paid, have proliferated in recent years. Attacks on the world’s largest meatpacker and the largest US fuel pipeline over the past year – leading to days of gas station shortages on the east coast – have highlighted how gangs of extortionate hackers can disrupt economies and put lives and livelihoods at risk.
State hackers from Russia and China have continued success in hacking and spying on US targets, including critical infrastructure targets. Most notable was the Russian cyberespionage campaign SolarWinds, which was discovered in late 2020.
Pundits and government officials fear Russia’s war in Ukraine has increased the threat of cyberattacks on US targets by state or proxy actors. Many ransomware operators live and work in Russia.
“As our nation rightfully supports Ukraine during Russia’s illegal, unjustifiable attack, I am concerned that the threat of Russian cyber and ransomware attacks on critical U.S. infrastructure will increase,” said Senator Rob Portman, a Republican from Ohio.
The legislation designates the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency as the lead agency receiving notifications of hacks and ransomware payments. This raised concern from the FBI, which had openly lobbied for changes to the bill amid an unusually public disagreement over legislation approved overall by the White House.
“We want a call to be a call for all of us,” FBI Director Christopher Wray said at a cyber event at the University of Kansas last week. “What is needed is not a whole bunch of different reports, but real-time access to the same report for everyone who needs it. So that’s what we’re talking about – not multiple reporting chains, but multiple access, multiple simultaneous actions on the information.”
The FBI has also expressed concern that the liability protection that would cover companies that report a violation to CISA would not extend to reporting a violation to the FBI, an issue the FBI believes will hamper law enforcement efforts responding to hacks and assisting victims unnecessarily.
Lawmakers who helped draft the bill have fought back against the FBI, saying that the FBI’s concerns about being notified of hacks and concerns about liability have been adequately addressed in the final version.
The new rules also empower CISA to subpoena companies that fail to report hacks or ransomware payments, and those who fail to comply with a subpoena could be referred to the Justice Department for investigation.
Suderman reported from Richmond, Virginia.
Copyright 2022 The Associated Press. All rights reserved. This material may not be published, broadcast, transcribed or redistributed without permission.