Ransomware incidents continue to be on the rise, wreaking havoc for organizations globally. Ransomware attacks target an organization’s data or infrastructure, and, in exchange for releasing the captured data or infrastructure, the attacker demands a ransom. This creates a dilemma for organizations — the decision to pay the ransom, relying on the attacker to release the data as they say, or to reject the ransom demand and try to restore the data or operations on their own.
A bipartisan group of 14 United States senators recently introduced proposed legislation that would require federal contractors and operators of critical infrastructure to disclose any cyber intrusion within 24 hours. A copy of the proposed legislation can be found here.
Currently, there is no federally mandated reporting requirement for cyberattacks on American infrastructure targets. The newly proposed legislation is designed to prevent these attacks from going unreported and uninvestigated.
On July 2, 2021, Kaseya Ltd., a Florida-based firm that provides software tools to thousands of primarily small and mid-sized businesses, became the latest victim of a high-profile ransomware attack. The attack is believed to have affected as many as 1,500 of Kaseya’s customers throughout the world, including at least 200 businesses in the United States. The attackers, who have claimed association with the Russia-linked REvil ransomware gang, have demanded an astronomical $70 million ransom to restore services for affected businesses.
The Kaseya attack was particularly devastating and effective because it was a supply chain attack, meaning it targeted a type of software that many other companies use to manage and distribute software updates. Thus, the attack not only affected Kaseya, but also potentially all of its customers.
The year 2021 continues to reveal an alarming rise in ransomware attacks. Two of the most notable of such attacks include the ransomware attack on CNA Financial Corp., with resulting payment of $40 million in ransom, and the attack on Colonial Pipeline Co., with a ransom payment of $4.4 million.
With these two recent ransomware attacks—and subsequent payments—receiving massive publicity, congressional law makers have begun to question whether ransom payments should be permitted or remain legal, or if federal law makers should step in to prohibit such ransom payments as a means to curtail these forms of attacks. Although no bill taking that approach has been introduced yet, recent discussions of such a law have given rise to debate on the issue.
The National Institute of Standards and Technology, commonly referred to as NIST, recently published a new computer framework for users to consider as a cyber-framework security model — the Zero Trust Architecture Model (ZTA). This new model was officially published in NIST SP 800-207 in late 2020.
The Homeland and Cyber Threat Act (HACT) was introduced in the U.S. House on March 12, 2021. This bill would allow U.S. citizens to sue foreign governments, agents and officials and to collect monetary damages for personal injury, damage or loss of property resulting from a cyberattack with foreign origins.
This bipartisan bill was introduced because cybersecurity activity and cyber incidents continue to rise, leading to increasing concerns of data security. Rep. Bergman, R-MI, a key sponsor of both this bill and a similar bill introduced in 2019, describes HACT as a tool of accountability for foreign states. The other bill sponsors (Reps. Allred, D-TX; Fitzpatrick, R-PA; Herrera Beutler, R-WA; Neguse, D-CO; and Kim, D-NJ) echo this theme of accountability and point to HACT as a way for Americans to “fight back against foreign cyberattacks.”