Lawmakers on Capitol Hill are scrambling to introduce legislation addressing overwhelming spikes in ransomware and other cyberattacks on critical organizations like Colonial Pipeline and JBS. Until recently, the US federal government has failed to pass nationwide legislation to combat and report cybersecurity events. The current bipartisan bill presented by Senators Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) reflects a revitalized effort by Congress to pass much-needed federal rules surrounding cybersecurity breach notifications.
[Editor’s note: Why not pass legislation aimed at prevention measures?]
What’s In The Bill?
The proposed bill requires federal agencies, contractors, and operators of critical infrastructure to send breach notifications to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours. CISA would work with the Director of National Intelligence, Office of Management and Budget, Defense Department, and Federal Chief Information Officer to write rules about who specifically would have to report what sorts of intrusions. In addition to notification of intrusions, businesses would have to report what networks were affected, tactics hackers used, and contact information for victims.
[Editor’s Note: Why limit to federal agencies when SMBs are attacked 15x more often?]
Federal contractors that don’t comply with the law would face penalties up to and including no longer being eligible for future contracts. For every day they don’t comply beyond 24 hours, critical infrastructure owners or cyber incident response firms could face fines of up to 0.5% of their gross revenue from the year before.
Why Pass The Bill?
While some government agencies, like the TSA, are already subject to some form of cybersecurity requirements, a law that touches all government entities should be in place. Currently, there is bipartisan support for this legislation, as everyone agrees cyberattacks are a huge problem, as evidenced by a year of attacks on hospitals, schools, and government agencies. Both sides of the aisle want to take action to slow these attacks. CISA officials argue that transparent reporting of these attacks will help build better understanding and countermeasures for protecting the nation’s critical infrastructure.
[Editor’s note: CyberHoot believes that US 3-letter agencies know exactly the groups involved, the tactics, techniques, and procedures they’re using. Furthermore, CyberHoot believes they know what countermeasures would help the most. Why then isn’t prevention the focus? We don’t need more data, we need more action to secure ourselves.]
What Should We Do To Secure Ourselves?
Your company cannot wait for prescriptions from lawmakers on Capitol Hill to require protections from ransomware or other cyberattacks. Your company needs to take proactive measures today to reduce its chances of being a victim. CyberHoot recommends the following best practices to prepare for, limit the damage from, and sometimes avoid these cyberattacks:
- Adopt two-factor authentication on all critical Internet-accessible services
- Adopt a password manager for better personal/work password hygiene
- Require 14+ character passwords in your Governance Policies
- Follow a 3-2-1 backup method for all critical and sensitive data
- Train employees to spot and avoid email-based phishing attacks
- Check that employees can spot and avoid phishing emails by testing them
- Document and test Business Continuity Disaster Recovery (BCDR) plans
- Perform a risk assessment every two to three years
Start building your robust, defense-in-depth cybersecurity plan today with CyberHoot.