A new cyber incident reporting bill that has been introduced to the Senate would create new ransomware payment reporting requirements if passed, including a strict 24-hour limit for any business with more than 50 employees.
Cyber incident reporting terms would put tight requirements on many businesses
Put forward by the leaders of the Senate Homeland Security and Governmental Affairs Committee, the bipartisan legislation focuses on some unsurprising categories: critical infrastructure, non-profit organizations and state & local government agencies. But it would also require any business with at least 50 employees to report any ransomware payment it makes within 24 hours. That number matches the threshold that various federal government programs (such as the Affordable Care Act) use for the “small business” designation, and would subject about half of American businesses to the rule.
Businesses that fall under the new cyber incident reporting requirement would be directed to report to the Cybersecurity and Infrastructure Security Agency (CISA). Organizations that fail to report would be subpoenaed and referred to the Justice Department. Chairman Gary Peters, one of the lead sponsors of the bill, said that prompt cyber incident reporting was necessary to issue warnings to other potential victims and prepare for “potential impacts.”
The cyber incident reporting bill is part of an ongoing response to major cyber attacks in recent months, a string that has threatened both critical infrastructure and the internal networks of government agencies. As the attacks on Colonial Pipeline and meat packer JBS demonstrated, organizations very often make the ransom payment in the belief that it is the simplest or most viable way of solving the issue.
The push for tight reporting windows has met resistance from several quarters. A number of industry groups, including those representing utilities and the financial industry, have said that a 24-hour window is not feasible and that 72 hours is more realistic. Some government agencies, including CISA (which would be the primary point of contact for reports), are also not in favor of subpoenas as an enforcement mechanism and would prefer fines for non-compliance. The House Homeland Security Committee’s version of the 2022 National Defense Authorization Act (NDAA) establishes a 72-hour window.
Other cyber incident reporting proposals are already on the table and may be merged, with the ultimate goal of a uniform measure for inclusion in the final version of the 2022 NDAA. The Cyber Incident Notification Act, introduced in the Senate in July, seeks to establish a similar 24-hour reporting window for any business that plays a support role in a national security function, and it offers liability protection and anonymization to companies that come forward. Sen. Mark Warner, lead sponsor of that bill, told the Amazon Web Services Public Sector Summit that he expects “compromise” and that the final measure will blend elements of both proposals.
Enforcement penalties for failure to comply
If the enforcement terms of the more recent proposal stand, federal government contractors could be barred from the Federal Contracting Schedule for failure to comply. Other businesses could face daily penalties of up to 0.5% of gross annual revenue as reported the prior year.
Ron Bradley, VP of Shared Assessments, says that the final penalty amount the government settles on should not be such a concern as organizations should be prepared for this eventuality: “My sincere hope is this piece of legislation doesn’t come as a surprise to organizations, particularly those in critical infrastructure. Having a well documented incident response plan, which is tested on a regular basis, is a crucial component to good cybersecurity hygiene. It would be unwise for any company to contemplate paying a ransom without first contacting the FBI. In fact, knowing who to contact at the FBI and establishing that relationship ahead of time is extremely important. The same thing holds true with the Cybersecurity and Infrastructure Security Agency (CISA). Any incident response program associated with critical infrastructure must have clear and complete processes for contacting government agencies in the event of a major ransomware attack, including the potential of paying the ransom.”
Any ransomware attack would meet the reporting threshold under the Cyber Incident Notification Act’s proposed rules. The rules would also cover more general “security incidents” that meet certain criteria: signs of involvement by a nation state or a known Advanced Persistent Threat (APT) group, potential harm to US national security interests or the economy, or the potential to impact CISA systems.
Addressing ransomware attacks by cutting off payments
The surge in ransomware in recent years has sparked debate about how legislators should address payments. There is widespread belief that the issue will not be brought under control without cutting off payments, but companies often face devastating consequences such that they see no real option but to pay. The issue has only become more thorny since 2020 as ransomware groups increasingly threaten to publicly reveal confidential company information if payments are not made, and have a growing appetite for hitting vital public resources such as utilities and medical facilities.
Bill Lawrence, CISO of SecurityGate, sees the government’s present approach as too heavy a regulatory hand (even though it appears to stop short of outlawing ransomware payments): “Whatever the final reporting timelines will be, the proposed legislation is a great deal of “stick” and hardly any “carrot” for owners and operators of critical infrastructure. Wouldn’t it be great for the US Government to be able to say, “report a ransomware attack to us BEFORE you pay any ransom, and we’ll bring the full power of the Federal government to bear to help resolve the incident, decrypt your files, and siphon whatever is already in the criminals’ bank accounts?” (Sure, I dream….) Instead, US victims are threatened with subpoenas and civil action and the government will write more quarterly reports, among other things.”
Doug Britton, CEO of Haystack Solutions, agrees that many companies (particularly small to medium businesses) will have trouble complying with these rigid terms even if they fully want to: “Unfortunately, this appears to be a clumsy approach to penalizing victims of cyber-attacks. It appears the motivation of this legislation is to hold attackers accountable yet the “how” is not apparent. There are many details left to be sorted out by CISA. Reporting a breach in 72 hours can be challenging as there needs to be sufficient time to validate flags and ensure the breach is real (e.g. T-Mobile). Also, what constitutes a reportable breach? With penalties so high, an appeal process will surely be on the horizon … Congressional efforts could be spent in more productive ways. The real focus needs to be on building our collective defense with a preventative posture. Can we establish industry standards to ensure that basic and highly effective protections are put in place? We have modern policies and procedures, many of which are highly effective in preventing data breaches. Can we consider legislation that would encourage companies to adopt policies akin to financial accounting that could be audited and enforced by regulators? What investment is going into developing the next generation of cyber security professionals?”
With prompt reporting and involvement, federal agencies have in some cases been able to claw back at least part of a ransomware payment, but companies are still often reluctant to bring them in because they see the public relations damage as a much greater cost. This was famously demonstrated by ride sharing giant Uber in 2016, when hackers stole data about drivers and customers and the company quietly paid them $100,000 in Bitcoin, disguised as a bug bounty, to delete it. The company ultimately paid well over $100 million in settlements and fines for the cover-up.
Tyler Farrar, CISO of Exabeam, shares some parting advice for companies that are most at risk and subject to the most stringent of the cyber incident reporting regulations: “The need to understand and baseline normal critical asset/system posture is absolutely key in protecting critical infrastructure to prevent a breach from even occurring in the first place. Regardless of whether systems in operational technology (OT) environments are air-gapped or not, if there’s a digital route to the system, then it’s at risk. We’ve got to ensure we’re monitoring OT systems far more diligently by capturing all viable log data in terms of access control, system settings and maintenance. Any abnormality — regardless of how small — should be investigated, triaged and managed accordingly. Relying on users alone for the protection of our CNI systems does not (and will not) scale. Working smarter with automation technologies in managing large volumes of data streams, analyzing them for anomalies and reporting risk and attacks in real time, is the only way forward for CNI protection. This, in partnership with continued user education in being diligent and applying critical thinking analysis to system activity reports, is critical.”
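The baselining approach Farrar describes, in code, as an added example that is not part of the article and not Exabeam's own tooling: build a per-asset record of which accounts, source hosts and actions were seen on a known-good sample of OT access and maintenance logs, then surface every new event that departs from that record, however small the deviation. The log format (timestamp, asset, action, account, source IP), the asset names, the accounts and the addresses are all constructed for illustration.

```python
"""Baseline normal access to OT assets from a known-good log sample, then
flag every deviation in new events for triage.

Added example, not code from the article or from Exabeam. The log layout,
asset names, accounts and IP addresses below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed known-good sample. Field order is an assumption for this
# example: ISO timestamp, asset, action, account, source IP.
KNOWN_GOOD_LOGS = [
    "2021-09-01T08:02:11 plc-07 login ot_tech1 10.20.1.15",
    "2021-09-01T08:05:40 plc-07 config_read ot_tech1 10.20.1.15",
    "2021-09-02T09:12:03 plc-07 login ot_tech2 10.20.1.16",
    "2021-09-02T09:20:45 plc-07 config_write ot_tech2 10.20.1.16",
    "2021-09-03T14:30:00 hmi-02 login ot_tech1 10.20.1.15",
    "2021-09-03T14:31:10 hmi-02 config_read ot_tech1 10.20.1.15",
]

# Constructed new events to check against the baseline.
NEW_LOGS = [
    "2021-09-10T08:10:00 plc-07 login ot_tech1 10.20.1.15",
    "2021-09-10T02:14:22 plc-07 login ot_tech1 10.20.1.15",
    "2021-09-10T03:05:09 plc-07 config_write ot_tech1 10.20.1.15",
    "2021-09-10T11:00:00 plc-07 login svc_backup 192.168.50.9",
    "2021-09-10T11:01:30 hmi-02 firmware_update ot_tech2 10.20.1.16",
]


def parse(line: str) -> dict:
    """Split one log line into its fields; raises ValueError if malformed."""
    ts, asset, action, user, src = line.split()
    return {"ts": datetime.fromisoformat(ts), "asset": asset,
            "action": action, "user": user, "src": src}


def build_baseline(lines: List[str]) -> dict:
    """Per asset: accounts, source hosts and actions seen in the sample.
    Globally: the earliest and latest hour of day with any activity."""
    per_asset: Dict[str, Dict[str, Set[str]]] = defaultdict(
        lambda: {"users": set(), "srcs": set(), "actions": set()})
    hours: List[int] = []
    for line in lines:
        ev = parse(line)
        per_asset[ev["asset"]]["users"].add(ev["user"])
        per_asset[ev["asset"]]["srcs"].add(ev["src"])
        per_asset[ev["asset"]]["actions"].add(ev["action"])
        hours.append(ev["ts"].hour)
    return {"assets": dict(per_asset), "hours": (min(hours), max(hours))}


def find_deviations(lines: List[str], baseline: dict) -> List[dict]:
    """Return every event that differs from the baseline with its reasons.
    Nothing is suppressed as minor: one unknown source host or one
    off-hours login is enough to surface the event."""
    lo, hi = baseline["hours"]
    findings = []
    for line in lines:
        ev = parse(line)
        reasons = []
        known = baseline["assets"].get(ev["asset"])
        if known is None:
            reasons.append(f"asset {ev['asset']} has no baseline")
        else:
            if ev["user"] not in known["users"]:
                reasons.append(f"account {ev['user']} never seen on {ev['asset']}")
            if ev["src"] not in known["srcs"]:
                reasons.append(f"source {ev['src']} never seen on {ev['asset']}")
            if ev["action"] not in known["actions"]:
                reasons.append(f"action {ev['action']} never seen on {ev['asset']}")
        if not lo <= ev["ts"].hour <= hi:
            reasons.append(
                f"activity at {ev['ts'].hour:02d}h, outside baseline hours {lo:02d}-{hi:02d}")
        if reasons:
            findings.append({"event": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    base = build_baseline(KNOWN_GOOD_LOGS)
    for f in find_deviations(NEW_LOGS, base):
        print(f["event"])
        for r in f["reasons"]:
            print("   -", r)
```

Run as a script, it prints four of the five new events: two logins at 02h and 03h from an otherwise normal account, a login from an account and host the PLC has never seen, and a firmware update on the HMI by an account, host and action that are all new to it. Only the routine 08h login is silent. A real deployment would build the baseline from weeks of logs and a maintenance calendar rather than six lines, but the shape is the same: the baseline is the allow-list, and the review queue is everything outside it.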