The U.S. Congress has taken up separate pieces of legislation to address cyberattacks against federal agencies and departments, privately owned and operated critical infrastructure, and other businesses in the United States. The legislation covers everything from mandatory reporting to establishing a fund to help the victims. The bills are meant to deter cybercriminals and strengthen the federal response to ransomware and other cyberattacks.
These legislative efforts should not come as a surprise to anyone. Cyberattacks have been ramping up against companies for years. Once ransomware gangs started going after critical infrastructure and other ‘big game,’ it was inevitable that the U.S. government would aggressively respond.
New reporting requirements and stronger defenses
The United States identifies 16 critical infrastructure sectors, defined as follows:
… sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.
One of the bills currently under consideration is the Cyber Incident Reporting for Critical Infrastructure Act of 2021. This bill would require disclosure of cybersecurity incidents within 72 hours of discovery. A new Cyber Incident Review Office would be created to receive and manage the disclosures. This new office would have several responsibilities related to analysis and reporting, and it would operate within the Cybersecurity and Infrastructure Security Agency (CISA). You can view the committee hearing on this bill here.
Another pair of bills addresses industrial control system (ICS) security. These bills would require CISA to maintain ICS defense capabilities by:
- leading efforts to identify and mitigate cybersecurity threats to industrial control systems
- maintaining threat hunting and incident response capabilities to respond to cybersecurity risks and incidents
- providing cybersecurity technical assistance to stakeholders
- collecting, coordinating, and providing vulnerability information to the industrial control systems community
The Sanction and Stop Ransomware Act of 2021 would go even further by directing the Department of State to designate state sponsors of ransomware and requiring the President to impose sanctions and penalties against these states. The sanctions and penalties would be consistent with those levied on state sponsors of terrorism.
Impact on future attacks
There’s no way to predict the effects of these cybersecurity bills if they become law, but we can make some guesses:
- The higher risk may scare away the smaller ransomware affiliates, leaving only the larger and more sophisticated threat actors. This could lead to a reduction of Ransomware-as-a-Service as a business model.
- Threat actors will ‘retire’ after making a satisfactory amount of money. The GandCrab operators did this in 2019, though there is evidence that some of their members (and code) have moved on to other hacking gangs.
- Sophisticated ransomware gangs could start using a ‘pop-up’ model, in which they launch and shut down their operations according to a predetermined attack or timeframe. The Federal Bureau of Investigation (FBI) is currently investigating more than 100 ransomware groups, and more than 1,000 groups have been identified historically. Those numbers are sure to increase as law enforcement efforts intensify.
Criminals love ransomware, but increased penalties, coordinated investigations, and stronger defenses will stop some of these attacks. Regardless of federal or state policies, companies and individuals must do everything possible to protect their data and other resources. Not even the best legislation can un-steal your data or keep your critical systems online during an attack.
Christine Barry is Senior Chief Blogger and Social Media Manager at Barracuda. Prior to joining Barracuda, Christine was a field engineer and project manager for K12 and SMB clients for over 15 years. She holds several technology and project management credentials, a Bachelor of Arts, and a Master of Business Administration. She is a graduate of the University of Michigan.