The threat of potential cyber attacks against critical infrastructure within the US is on the rise.
There are warnings of Russia engaging in malicious cyber activity as a result of the economic sanctions imposed by America on their country.
It’s more important than ever that organizations take action in alignment with these new legislations to strengthen their defences and promote awareness around ransomware amongst peers.
As of March 1st, the United States Senate passed the Strengthening American Cybersecurity Act of 2022 – a new legal requirement for critical infrastructure companies to report cyber incidents and ransom payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Cyber incidents must be disclosed within 72 hours of occurrence, and ransom payments reported within 24 hours of payment. Any suspicion of non-compliance may follow with the threat of referral to the US Department of Justice.
The Act has laid out a definition of “covered entities” as based on the following:
(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety.
(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country.
(C) the extent to which damage, disruption, or unauthorized access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
This includes sectors ranging from chemical, emergency services and energy, to food and agriculture, information technology and transportation systems.
The Act allows for ransomware reporting beyond the traditional attacks; it includes the use, or threatened use, of unauthorized malicious code, denial of service attacks, and any other mechanism designed to disrupt the operations of an entity’s information system. Any payment that is made to avoid loss of confidentiality, availability or integrity of data (whether actual or threatened) is feasible.
When reporting a ransom payment, it must include the following:
For more information regarding general cyber incidents, alongside ransomware, see here.
CISA are warning organizations, both large and small, to prepare themselves to respond to disruptive cyber incidents, thus protecting both the critical infrastructure of the US whilst avoiding the necessity to report to the government.
With the launch of their Shields Up Campaign, CISA have shared free cybersecurity services and tools to assist organizations who may find it challenging to identify what they need for urgent security improvements.
You can access these free resources here.
In light of the new US cybersecurity laws, it seems the UK are following suit; America’s stand to fight against cybercrime and ransomware attacks is encouraging more countries to take action too.
The UK Government currently have an open consultation on its proposal to reform the existing UK cybersecurity legislation, with a National Cyber Strategy 2022 Policy Paper available for viewing.
The proposal consists of 3 pillars:
The reform is still in its early days, but it is promising to see that the US are not alone in their drive to improve the process of reporting and recovering from cyber-incidents.
Whilst reporting cyber incidents and ransom payments is now becoming a legal requirement in the US, there is a greater incentive for organizations to share their experiences and encourage others to do the same. By doing so, we can remind others to report disruptive attacks where necessary and support the government in setting out future measures to reduce the impact.
Our #RansomAware LinkedIn group is an opportunity to get involved if you’re interested – share relevant articles, express your opinion, and get updates on what’s topical in the ransomware space.
We hope to see you there.
Call us directly and we’ll put you in touch with the most relevant cyber expert.
Not currently free to call? Give us a brief description of what you’re looking for by filling out our form and we’ll email you as soon as we can.
Thought-provoking cyber security discussion at Michelin-star restaurants across the UK.
