The $1.5 trillion government funding package that President Joe Biden signed Tuesday includes sweeping cybersecurity legislation that will require critical infrastructure operators to quickly report data breaches and ransomware payments. 

The new law mandates that companies report hacks to the U.S. Department of Homeland Security within 72 hours of discovering an incident, and within 24 hours of making a ransomware payment. FBI officials last year estimated that the bureau has visibility into only a quarter of cyber incidents, leaving the government without a clear picture of the nature of many data breaches, the tactics of cybercriminals and the U.S. industries that are most vulnerable.

The mandatory reporting requirement is expected to give U.S. officials deeper insight into the nature of global hacking.

The legislation positions DHS’s Cybersecurity and Infrastructure Security Agency as a central hub for receiving private sector incident response reports, sharing threat data and tracking the evolution of ransomware, a pernicious issue for American business that has been difficult to quantify. Victims reported $29 million in ransomware-related losses to the FBI in 2020, the most recent figures available, compared to $406 million in extortion payments observed by the cryptocurrency-tracking firm Chainalysis Inc. during the same year.

CISA Director Jen Easterly praised the Senate’s passage of the bill, saying it gives her agency “the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyberattacks.”

“Put plainly, this legislation is a game-changer,” Easterly said.

The agency lists 16 broad sectors spanning health, energy, food and transportation as critical to the U.S., although the new legislation does not itself spell out precisely which companies will be required to report cyber incidents, leaving that to be defined in forthcoming regulations.

CISA has not said how it will use data gleaned from breach reports, but has been seeking to build its capabilities and work more closely with the private sector on a voluntary basis. In recent months, it has established emergency real-time Slack channels to swap information on hacks with affected companies.

CISA also is funding the Cyber Safety Review Board, an advisory body created this year to study major cyber incidents with the hope of minimizing the fallout from future attacks.

Brock Dahl, cybersecurity counsel at Freshfields Bruckhaus Deringer, said the legislation was well-intentioned, though cautioned that it would take time for specific regulations to come into focus.
