US law to compel firms to report cyber attacks
The Senate has approved a bill that, if passed, would require vital infrastructure companies to report a cyber attack no more than three days after learning of it. Similarly, such bodies would have to notify the authorities no later than a day after paying any ransom demanded by threat actors.
However, the bill is being contested by the Departments of Justice and Homeland Security, which have criticized provisions in the proposed new law stipulating that the reports must be made to the government cybersecurity agency CISA and not to the FBI – conventionally the first responder to reported incidents of cybercrime.
The FBI told Politico that moving key responsibility away from it in favor of CISA might “discourage companies from talking to the bureau and make it harder for the government to disrupt cybercrime gangs.”
But not all observers share the FBI’s pessimism about the bill, which is due to go before Congress for consideration.
“The outlook for enacting the [bill] into law is strong given that both chambers have approved similar cyber incident reporting requirements,” said law firm Morrison Foerster.
However, it added that the proposed law would need further clarification and interpretation from CISA to be effective.
“Even after Congress enacts the legislation, a number of key provisions of the act – including the precise scope of critical infrastructure entities to which the requirement will apply and the types of cybersecurity incidents that will require reporting – will need to be further defined through CISA regulations.”
A spokesperson for the Government Accountability Office (GAO) – which recently published a report on US civilian infrastructure companies and the role played by federal oversight in shielding them from threat actors – agreed that while the new law looks promising, its exact provisions have yet to be finalized.
“CISA has a number of responsibilities spelled out in the legislation, which appear to be centered around collecting information, as well as required reports to Congress,” said David Hinchman of the GAO.
Adding that the bill already stipulated necessary measures to use gathered data “to help better mitigate ransomware attacks,” he said: “I am not aware of any provisions that would require overt actions by CISA or FBI in a specific incident – but again, this is all still draft until the House passes the bill, so the final law might look different.”
It is not yet clear when the new bill will be passed into law.