WASHINGTON (AP) — Businesses essential to the national interests of the United States will now have to report when they are hacked or pay ransomware, under new rules approved by Congress.
The rules are part of a broader effort by the Biden administration and Congress to bolster the nation’s cyber defenses after a series of high-profile digital espionage campaigns and disruptive ransomware attacks. Reporting will give the federal government much greater visibility into hacking efforts targeting private companies, which have often failed to seek help from the FBI or other agencies.
“It’s clear that we need to take bold steps to improve our online defenses,” said Sen. Gary Peters, a Michigan Democrat who heads the Senate Homeland Security and Governmental Affairs Committee.
The reporting requirements legislation was approved by the House and Senate on Thursday and is expected to be signed into law soon by President Joe Biden. It requires any entity deemed to be part of the country’s critical infrastructure, which includes the finance, transport and energy sectors, to report any “substantial cyber incident” to the government within three days and any payment of ransomware done within 24 hours.
Ransomware attacks, in which criminals hack into targets and hold their data hostage by encryption until ransoms have been paid, have flourished in recent years. Last year’s attacks on the world’s largest meatpacking company and America’s largest fuel pipeline – which led to days of gas station shortages on the East Coast – underscored how extortion gangs can disrupt the economy and put lives and livelihoods at risk.
State hackers from Russia and China have had continued success hacking and spying on US targets, including critical infrastructure targets. Most notable is the Russian SolarWinds cyber-espionage campaign, which was uncovered in late 2020.
Experts and government officials worry that Russia’s war in Ukraine has increased the threat of cyberattacks against US targets, by state or proxy actors. Many ransomware operators live and work in Russia.
“As our nation rightly supports Ukraine during Russia’s unlawful and unjustifiable aggression, I fear the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase,” said Sen. Rob Portman, a Republican from Ohio.
The legislation designates the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency as the primary agency responsible for receiving notifications of hacks and ransomware payments. That worried the FBI, which had openly campaigned for changes to the bill in an unusually public disagreement over legislation broadly approved by the White House.
“We want a call to be a call to all of us,” FBI Director Christopher Wray said last week during a cyber event at the University of Kansas. “What is needed is not a bunch of different reports, but real-time access by everyone who needs it to the same report. So that’s what we’re talking about – not multiple reporting chains, but multiple access, multiple simultaneous actions, to information.”
The FBI also expressed concern that the liability protections that would cover companies that report a breach to CISA would not extend to reporting a breach to the FBI, an issue the bureau said could unnecessarily complicate law enforcement efforts to respond to hacks and assist victims.
Lawmakers who helped draft the bill pushed back against the FBI, saying the bureau’s concerns about hack notification and liability issues were properly addressed in the final version of the legislation.
Suderman reported from Richmond, Virginia.