The United States Congress recently passed legislation that includes new cybersecurity provisions requiring critical infrastructure providers to report cybersecurity incidents, including the payment of ransom, to the federal government. The bill, also known as the “Strengthening American Cybersecurity Act of 2022,” passed the Senate by unanimous vote on March 1. It then passed the House of Representatives and was signed into law by President Biden on March 15, 2022.
A bipartisan group of 14 United States senators recently introduced proposed legislation that would require federal contractors and operators of critical infrastructure to disclose any cyber intrusion within 24 hours. A copy of the proposed legislation can be found here.
Currently, there is no federally mandated reporting requirement for cyberattacks on American infrastructure targets. The newly proposed legislation is designed to prevent these attacks from going unreported and uninvestigated.
The year 2021 continues to reveal an alarming rise in ransomware attacks. Two of the most notable such attacks are the ransomware attack on CNA Financial Corp., which resulted in a ransom payment of $40 million, and the attack on Colonial Pipeline Co., which resulted in a ransom payment of $4.4 million.
With these two recent ransomware attacks, and the subsequent payments, receiving massive publicity, congressional lawmakers have begun to question whether ransom payments should remain legal, or whether federal lawmakers should step in to prohibit them as a means of curtailing these forms of attack. Although no bill taking that approach has been introduced yet, recent discussions of such a law have given rise to debate on the issue.