In the Shadow of a War, the US Senate Passes Legislation to Drive Data Breach Transparency


Amy Larsen DeCarlo – Principal Analyst, Security and Data Center Services

Summary Bullets:

• As Russia continues to press into Ukraine, both countries are targets of cyberattacks, raising concerns that emboldened hackers will escalate their efforts against critical infrastructure in other regions

• With the SolarWinds hack of 2020 still a prominent memory, the US Senate passed legislation that promises to both improve transparency around security events and strengthen support for breached entities

With the Russian invasion of Ukraine looming large over the geopolitical climate, cyberattacks hitting both countries are evidence that threat actors are already playing a major role in the early days of the war. Cyberthreats have long been a top concern, but the current turmoil is lending increasing urgency to threats against critical infrastructure beyond the current conflict. Russia-based threat actors proved their effectiveness with the SolarWinds attack, in which multiple US government agencies, including the Department of Defense, the State Department, and the Department of Homeland Security, were breached.

One of the major challenges both public and private sector organizations face is a lack of information. This is in part because of actual security incidents getting buried in an impossibly high volume of false positives. But it is also the result of a lack of information sharing between and among peers. This week the US Senate passed legislation that promises to both help drive greater transparency around data breaches and ransomware payments and improve support for impacted organizations.

The Strengthening American Cybersecurity Act promises to bolster critical infrastructure security through a number of methods, including improving the security postures of US government agencies and pressing public and private sector organizations to report breaches and ransomware payments. The bipartisan legislation would require organizations in 16 critical infrastructure sectors, including transportation, energy, and financial services, to report a breach within 72 hours and a ransomware payment within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA).

If the legislation passes the House of Representatives, CISA will provide guidance as to which types of companies will be categorized as critical infrastructure; the legislation itself identifies 16 sectors. The bill also promises more CISA support for breached organizations.

The bipartisan legislation, which passed unanimously, is not without its critics. Senior leaders at the Department of Justice criticized the legislation for not requiring breached organizations to report incidents to the Federal Bureau of Investigation (FBI).

In a statement, Deputy Attorney General Lisa Monaco noted that the legislation “as drafted, leaves one of our best tools, the FBI, on the sidelines.” The FBI is the agency that takes the lead on breach investigations.

What do you think?
