Companies asked to report cyberattacks
WASHINGTON » The Biden administration is warning American businesses in increasingly stark terms about Russian cyberattacks, providing thousands of companies with briefings on the threats to critical infrastructure and urging companies to comply with a new law that will require them to report any hacks. But some details of the law remain unclear, leaving executives with questions about what the legislation means for them.
In a statement this week, President Joe Biden encouraged private companies to strengthen their defenses. Administration officials are particularly concerned about attacks targeting critical sectors such as utility companies and hospital systems.
“It’s part of Russia’s playbook,” Biden said of potential cyberattacks by Russia in response to sanctions imposed by the United States over the war in Ukraine.
The new law was included in the spending package that Biden signed last week. Under the law, companies will be required to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of discovering a hack. They must also alert the agency within 24 hours of paying ransom to attackers who hold their data hostage.
The agency plans to operate as a clearinghouse and distribute information about the attacks throughout the government, a process that could improve the investigation and prevention of similar attacks.
“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” Jen Easterly, the agency’s director, said in a statement.
But the law leaves many details open to interpretation by the cybersecurity agency, and the rulemaking process in which those details will be hammered out could take months. The agency will decide which kinds of companies must report incidents, which sorts of incidents are severe enough to be reported and when the clock starts for the 72-hour reporting deadline. The law focuses on companies that provide critical infrastructure, but the agency could interpret it broadly or tailor it to a smaller subset of companies.
In a teleconference with businesses Tuesday, the agency stressed that even seemingly small threats should be reported because of the looming risk of Russian cyberattacks, in the hopes that any incident could provide important breadcrumbs leading to a sophisticated attacker.
There are concerns, however, that a flood of information about minor incidents could cloud the agency’s view of serious attacks. The agency said Tuesday that it would not usually request such a granular level of detail but that it wanted to err on the side of caution.
“A lot of the real details are going to have to be worked out in the rule-making process,” said Christopher D. Roberti, the senior vice president for cyber, intelligence and supply chain security policy at the U.S. Chamber of Commerce.
The law requires the cybersecurity agency to work with companies as it determines the rules, so business leaders will get a say in how the law should be applied.
Cyberattacks disrupted operations at major American businesses last year, including JBS Foods, a meat supplier, and Colonial Pipeline, which supplies fuel on the East Coast.
Both attacks interfered with Americans’ ability to obtain essential supplies and created urgency for lawmakers to act.
Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, the authors of the incident reporting legislation, said the law would help companies like JBS Foods and Colonial recover more quickly after these kinds of attacks. The cybersecurity agency would be able to provide them with guidance and assistance during the recovery process.
Delayed disclosures have been costly for companies. In 2018, Yahoo paid a $35 million fine for failing to promptly disclose a 2014 hack.
And executives can find themselves facing criminal charges, as in the case of a former Uber executive who has been charged with obstruction and fraud over his handling of a 2016 data breach at the ride-hailing company.
“We’ve heard from companies in the last year or more about how inconsistent and unstreamlined the incident reporting landscape is,” said Courtney Lang, senior director of policy at the Information Technology Industry Council. “Given the way the cybersecurity landscape has evolved, there are threats that need to be addressed. To some extent, we think that incident reporting can provide useful information that can help to shape specific responses.”
On Tuesday, representatives from critical infrastructure companies like banks, utilities and hospitals asked Easterly about what threats they might face from Russia and how they could prepare. They also asked for more government funding to buy cybersecurity software and raised concerns that some of their employees could not receive classified materials that might help them prepare for a cyberattack.
The cybersecurity agency recommended that businesses take basic cybersecurity precautions like requiring employees to use multifactor authentication, updating software and encrypting data.