“There is already a vehicle for sharing information with DHS, but there’s never been any significant motivation for voluntarily sharing that threat information,” said Dahl, formerly deputy general counsel at the National Security Agency.

“The current impact of the legislation also remains unclear due to lack of definition over exactly which companies will fall under the reporting requirements, which will be clarified in regulation,” he said, adding it was unclear what obligations this placed on the federal government to help combat the ransomware scourge and whether companies would get valuable information back.

Top Justice Department officials, meanwhile, have expressed concern that the bill gives investigators less insight into potential cybercrime because companies don’t have to directly report intrusions to federal law enforcement.

“In its current form, it would make the public less safe from cyber threats -- slowing aid to victims, hampering identification of other companies the same attackers are targeting, and undercutting disruption operations against cyber threats,” FBI Director Chris Wray said of the bill in a statement to Politico.

In a series of tweets, CISA Director Jen Easterly pledged to share relevant details with law enforcement “immediately.”

The law also comes into effect as U.S. firms, particularly in the financial sector, are bracing for potential blowback in cyberspace stemming from Russia’s invasion of Ukraine, and the sanctions levied on Moscow as punishment.

“While there are no specific or credible cyber threats to the U.S. at this time, Russia’s invasion of Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, could impact organizations both within and beyond the region, to include the U.S. homeland,” CISA warned. “Every organization -- large and small -- must be prepared to respond to disruptive cyber activity.”

This article was provided by Bloomberg News.
