The threat of cyber attacks against critical infrastructure within the US is on the rise.
There are warnings that Russia may engage in malicious cyber activity in response to the economic sanctions imposed by America on the country.
It’s more important than ever that organizations take action in line with this new legislation to strengthen their protections and promote awareness of ransomware amongst their peers.
On March 1st, the United States Senate passed the Strengthening American Cybersecurity Act of 2022 – a new legal requirement for critical infrastructure companies to report cyber incidents and ransom payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Covered cyber incidents must be reported within 72 hours of the entity reasonably believing one has occurred, and ransom payments within 24 hours of the payment being made. An entity that fails to report can be issued a subpoena by CISA, and continued non-compliance can be referred to the US Department of Justice for civil enforcement. Note that the reporting obligations only apply once CISA has finalised the implementing rules the Act directs it to draft, so the deadlines above are not yet in force.
The Act defines “covered entities” on the basis of the following criteria:
(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety.
(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country.
(C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
This includes sectors ranging from chemical, emergency services and energy, to food and agriculture, information technology and transportation systems.
The Act’s definition of a ransomware attack goes beyond traditional file-encrypting malware; it covers the use, or threatened use, of unauthorized or malicious code, denial of service attacks, and any other digital mechanism designed to interrupt or disrupt the operations of an entity’s information system in order to extort a ransom. Any payment made to avoid an actual or threatened loss of confidentiality, integrity or availability of data counts as a ransom payment under the Act and must be reported.
A ransom payment report must include the following:
For more information regarding general cyber incidents, alongside ransomware, see here.
CISA is warning organizations, both large and small, to prepare themselves to respond to disruptive cyber incidents. Doing so protects the critical infrastructure of the US and, by preventing incidents in the first place, avoids the need to report them to the government.
With the launch of its Shields Up campaign, CISA has shared free cybersecurity services and tools to assist organizations that may find it challenging to identify what they need for urgent security improvements.
You can access these free resources here.
In light of the new US cybersecurity laws, the UK appears to be following suit; America’s stand against cybercrime and ransomware is encouraging other countries to take action too.
The UK Government currently has an open consultation on its proposal to reform the existing UK cybersecurity legislation, with a National Cyber Strategy 2022 policy paper available for viewing.
The proposal consists of 3 pillars:
The reform is still in its early days, but it is promising to see that the US is not alone in its drive to improve the process of reporting and recovering from cyber incidents.
Whilst reporting cyber incidents and ransom payments is becoming a legal requirement in the US, there is also a broader incentive for organizations to share their experiences and encourage others to do the same. By doing so, we can remind others to report disruptive attacks where necessary and support governments in setting out future measures to reduce their impact.
Our #RansomAware LinkedIn group is an opportunity to get involved if you’re interested – share relevant articles, express your opinion, and get updates on what’s topical in the ransomware space.
We hope to see you there.