President Joe Biden signed the Strengthening American Cybersecurity Act of 2022 into law on March 15. The new law requires organizations that maintain critical infrastructure to report substantial cyberattacks to the Cybersecurity and Infrastructure Security Agency, or CISA, no later than 72 hours after determining that an incident has occurred. Organizations must also report any ransomware payment within 24 hours.
The new law follows Executive Order no. 14028, or EO 14028, issued May 12, 2021, promoting the protection of federal government IT infrastructure. Directly linked to the SolarWinds and Colonial Pipeline attacks, EO 14028 was focused on protecting software supply chains and requirements around software bills of material. The Strengthening American Cybersecurity Act of 2022 is intended to strengthen CISA, and the urgency in its passage is tied to escalating tension between the US and Russia over the war in Ukraine.
The potential for Russian cyberattacks against the US in response to economic sanctions and military aid to Ukraine is likely to spur US-based companies that maintain critical infrastructure to invest more in cybersecurity. Security leaders at various organizations will cite the current threat landscape to convince business leadership of the wisdom of certain immediate security expenditures. The Biden administration has encouraged that conversation by acknowledging that the private industry can be thrust into the sometimes-uncomfortable role of bolstering national defense, especially when it comes to cyberattacks. A greater impetus for increased cybersecurity investment, however, may be the expansion of breach notification requirements for critical infrastructure, as outlined in the recent Strengthening American Cybersecurity Act of 2022.
Historical context of breach notification laws
California Senate Bill 1386, enacted in 2002, kicked off the passage of similar U.S. state laws requiring companies to provide customers with written disclosures of data breaches, and as such its introduction remains one of the most impactful shifts in the history of cybersecurity. Breaches of customer data are no longer a private affair for a company, and disclosure carries with it direct costs of customer communication and resolution measures such as paying for credit monitoring services. It also brought downstream costs such as customer losses, lawsuits and reputational damage.
Disclosure laws have given companies a further incentive to minimize information security risks and to maintain at least some capability to determine what went wrong after a successful cyberattack. The significant impact of notification laws – and the desire to avoid the downstream expenses they create – correlates directly to increased information security investments in the years since many of these laws were passed.
CISA’s aim, and potential issues for private business
There’s nothing new about promoting the sharing of security threat information among public and private critical infrastructure operators. Some of the earliest information sharing and analysis centers, or ISACs, were formed in 1998 and 1999 in response to Presidential Decision Directive-63, which sought to establish a program to protect critical infrastructure via a public-private partnership.
Notable in the Strengthening American Cybersecurity Act of 2022 are the stated penalties for noncompliance, including the ability for the CISA Director to issue subpoenas to compel disclosure and for the U.S. Attorney General to file a civil action for not responding to a subpoena. The value to CISA is clear; it can bring resources to bear, prompt accurate reporting of attacks on private infrastructure that put public interests in jeopardy and identify patterns across attacks on multiple enterprises.
That said, while CISA is identified as the lead in such investigations, the new law mandates sharing data with other federal entities and information-sharing organizations such as the ISACs. Consequently, there is a greater potential for information about a substantial security incident to leak to the public, and some of the data involved may also be available to journalists via public records requests. In practice, this quickly becomes a breach notification to the market that did not exist before, given that earlier laws focused on protecting customer personal information.
Because most organizations seek to avoid such notifications and public exposure, mandates such as those in the Strengthening American Cybersecurity Act of 2022 become a driver for increasing cyber defenses wherever possible as part of overall risk avoidance. Where that isn’t possible, it remains a salient requirement to have an information security program that is at least defensible in the face of public scrutiny. Companies cannot defend against all attacks, especially those from advanced persistent threats, or APTs, posed by bad actors with government-level resources. In such cases, detection and response, in addition to prevention, remain key attributes of security programs.
Meanwhile, the combination of having to report ransomware payments in a semipublic manner, the escalating amounts of ransoms and the insurance industry’s partial retreat from offering coverage for such attacks will likely result in companies paying fewer ransoms as their cost-benefit calculation changes. Government entities at all levels are attempting to discourage such payments because they effectively sustain a continued profitable enterprise for bad actors. In 2020, for example, the U.S. Treasury Department issued a warning about paying ransoms to certain entities, and at least three states, New York, North Carolina and Pennsylvania, are considering banning state and local government entities from making ransomware payments. When it comes to cost-effectiveness, investing in cybersecurity system resilience, as encouraged by the new law, may be the best approach for companies wishing to prevent and deter future attacks and potential ransom payments.