The threat of potential cyber attacks against critical infrastructure within the US is on the rise.
There are warnings that Russia is engaging in malicious cyber activity in response to the economic sanctions imposed on the country by the US.
It is more important than ever that governments take action, such as introducing new legislation to strengthen protections and promoting awareness of ransomware amongst peers.
As of March 1st, the United States Senate passed the Strengthening American Cybersecurity Act of 2022 – a new legal requirement for critical infrastructure companies to report cyber-incidents and ransom payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
Cyber incidents must be disclosed within 72 hours of occurrence, and ransom payments reported within 24 hours of payment. Any suspected non-compliance may result in referral to the US Department of Justice.
The Act has laid out a definition of “covered entities” as based on the following:
(A) the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety.
(B) the likelihood that such an entity may be targeted by a malicious cyber actor, including a foreign country.
(C) the extent to which damage, disruption, or unauthorised access to such an entity, including the accessing of sensitive cybersecurity vulnerability information or penetration testing tools or techniques, will likely enable the disruption of the reliable operation of critical infrastructure.
This includes sectors ranging from chemical, emergency services and energy, to food and agriculture, information technology and transportation systems.
The Act allows for ransomware reporting beyond traditional attacks; it covers the use, or threatened use, of unauthorised malicious code, denial of service attacks, and any other mechanism designed to disrupt the operations of an entity’s information system. Any payment made to avoid an actual or threatened loss of confidentiality, availability or integrity of data also falls within scope.
When reporting a ransom payment, the report must include the following:
For more information regarding general cyber incidents, alongside ransomware, see here.
CISA is warning organisations, both large and small, to prepare themselves to respond to disruptive cyber incidents, thereby protecting the critical infrastructure of the US while avoiding the need to report to the government.
With the launch of their Shields Up Campaign, CISA have shared free cybersecurity services and tools to assist organisations who may find it challenging to identify what they need for urgent security improvements.
You can access these free resources here.
The UK Government currently has an open consultation on its proposal to reform existing UK cybersecurity legislation, with a National Cyber Strategy 2022 Policy Paper available to view.
The proposal consists of 3 pillars:
The reform is still in its early days, so with enhanced cyber security legislation being introduced in the EU and US, the question remains whether this will drive any change in the UK.
Whilst reporting cyber-incidents and ransom payments is now becoming a legal requirement in many regions, there is a greater incentive for organisations to share their experiences and encourage others to do the same. By doing so, we can remind others to report disruptive attacks where necessary and support the government in setting out future measures to reduce the impact.
Our #RansomAware LinkedIn group is an opportunity to get involved if you’re interested – share relevant articles, express your opinion, and get updates on what’s topical in the ransomware space.
We hope to see you there.