U.S. legislators introduced two more bills this week. One would authorize the director of the Cybersecurity and Infrastructure Security Agency (CISA) to designate certain elements of critical infrastructure as ‘systemically important,’ and for other purposes. Another bill seeks to provide the Department of Homeland Security (DHS) with critical data on ransomware payments to bolster understanding of how cybercriminal enterprises operate and to develop a fuller picture of the ransomware threat.
These legislative measures come as federal agencies, government contractors, and critical infrastructure owners and operators are targeted by cybersecurity incidents that affect the security fabric of the nation.
U.S. Rep. John Katko, a Republican from New York and Ranking Member of the House Committee on Homeland Security, and U.S. Rep. Abigail Spanberger, a Democrat from Virginia, introduced on Tuesday legislation to protect systemically important critical infrastructure from cyber-attacks. The bill, called the ‘Securing Systemically Important Critical Infrastructure Act,’ helps establish a transparent process for designating systemically important critical infrastructure and directs CISA to prioritize meaningful benefits to systemically important critical infrastructure owners and operators without imposing any additional burden on them.
The legislation would authorize the CISA Director to establish a transparent, stakeholder-driven process to designate systemically important critical infrastructure. It also requires CISA to consult with Sector Risk Management Agencies (SRMAs) and stakeholders in establishing a methodology and criteria for determining what critical infrastructure qualifies as systemically important, and it provides CISA with clear guidance and parameters for establishing the criteria for such critical infrastructure.
The bill would also require CISA to offer systemically important critical infrastructure owners and operators the option to take part in prioritized cybersecurity services. These services would include front-of-the-line access to CISA’s key cybersecurity programs, including technical assistance and voluntary programs to continuously monitor and detect cybersecurity risks; prioritized representation in CISA’s newly established Joint Cyber Defense Collaborative (JCDC); and prioritized processing of security clearance applications from systemically important critical infrastructure owners and operators, as appropriate.
“In recent months, we have collaborated extensively with industry to codify a transparent, well-understood, stakeholder-involved process for identifying SICI,” Katko said in a media statement. “Our goal is to understand the single points of failure and layers of systemic risk in our economy, because if everything is critical, nothing is. This effort is complementary to bipartisan incident reporting legislation that recently passed the House.”
The bipartisan Cyber Incident Notification Act of 2021, introduced in July, requires federal government agencies, federal contractors, and critical infrastructure operators to notify CISA when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country.
Codifying the concept of systemically important critical infrastructure overcomes these obstacles by bridging the gap in trust between the federal government and the private-sector entities that are responsible for securing the nation’s critical infrastructure, Tasha Jhangiani, a research analyst with the U.S. Cyberspace Solarium Commission, wrote in a Lawfare blog post. “The status quo is unacceptable—the United States cannot continue to act lackadaisical in the face of a serious national security risk,” she added.
U.S. Senator Elizabeth Warren, a Democrat from Massachusetts, and Representative Deborah Ross, a Democrat from North Carolina, also introduced Tuesday the bicameral Ransom Disclosure Act, which will require ransomware victims, excluding individuals, to disclose information about ransom payments no later than 48 hours after the date of payment, including the ransom amount demanded and paid, the type of currency used for payment of the ransom, and any known information about the entity demanding the ransom.
The Ransom Disclosure Act also requires DHS to make public the information disclosed during the previous year, excluding identifying information about the entities that paid ransoms, and to establish a website through which individuals can voluntarily report payment of ransoms. In addition, the bill directs the Secretary of Homeland Security to conduct a study on commonalities among ransomware attacks and the extent to which cryptocurrency facilitated these attacks, and to provide recommendations for protecting information systems and strengthening cybersecurity.
“Ransomware attacks are skyrocketing, yet we lack critical data to go after cybercriminals,” Senator Warren said in a media statement. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cybercriminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”
“Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure,” said Congresswoman Ross. “Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions.”
Commenting on the bill, Tim Erlin, VP of Strategy at cybersecurity firm Tripwire, wrote in an emailed statement that, “if the objective is to gather as much accurate information as possible about ransomware payments, then this legislation needs to ensure that victims aren’t worried about legal repercussions when reporting payments. As it stands, this bill would put victims in a tough spot, afraid to report a payment and afraid not to.”
Information sharing is a key factor in fighting ransomware, but a government custodian of that information isn’t the right solution, according to Erlin. “An independent entity should collect ransomware incident information, including payments, and provide anonymized, aggregate information back to the government. Victims need to be confident that their complete reporting won’t result in additional consequences,” he added.
The latest bills add to other recent legislative proposals. Last week, a bipartisan ‘Cyber Incident Reporting’ bill was introduced in the U.S. Senate that calls upon critical infrastructure owners and operators to report to CISA if they experience a cyber-attack, and most entities to report if they make a ransomware payment. Introduced by U.S. Senators Gary Peters and Rob Portman, the bill seeks to improve federal agencies’ understanding of how best to combat cyber-attacks, hold hackers accountable for targeting U.S. networks, and bolster the federal government’s ability to help prevent these attacks from further compromising national security and disrupting the lives and livelihoods of Americans.