President Joe Biden has faced a number of crises since taking office in January 2021, but his Administration has nonetheless managed to be at the forefront of the U.S. response to cyber attacks by crime groups and hackers aligned with nation-states.
Even before Biden took office, the U.S. faced threats like the SolarWinds attack and malicious actors with ties to Russia and China. After the Colonial Pipeline hack nearly shut down the Eastern U.S., Biden and federal security agencies swung into action with guidance, warnings, and, in the case of federal agencies, orders to improve cybersecurity defenses.
The latest action came yesterday, when Biden warned of “evolving intelligence that the Russian Government is exploring options for potential cyberattacks.”
Justin Fier, VP of Tactical Risk and Response at Darktrace, called the warning “unprecedented.”
Fier said Biden’s statement “represents a move to combat disinformation by purposefully releasing intelligence that the Administration would previously have deemed classified. These warnings are unprecedented – past Administrations have not publicly substantiated to this extent that cyber attacks are incoming.
“Cyber war is not military versus military; all organizations, across public and private sectors, will have to defend themselves from attack,” he said. “Organizations must take advantage of this unprecedented access to government threat intelligence and heed these warnings. Businesses should diligently read the Cybersecurity and Infrastructure Security Agency (CISA) alerts, paying close attention to alerts from the last 12 weeks. Companies should also regularly test their defenses and hold tabletop exercises with their various IT business units.”
Mandatory Incident Reporting Will Take a While
Last week, Biden signed a $1.5 trillion government funding bill that also contained a provision for mandatory cyber incident reporting.
The Consolidated Appropriations Act (CAA) includes mandatory cyber incident reporting as part of the Strengthening American Cybersecurity Act, requiring owners of critical national infrastructure (CNI) to swiftly report cyber incidents and ransomware payments to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA).
The law requires critical infrastructure operators to share breach information with federal agencies within 72 hours and ransomware payment information within 24 hours, to modernize to better cybersecurity standards, and to establish security standards for software.
If a covered entity fails to comply with requirements, a subpoena, order, or inspection alert, DHS may take civil action in a district court to enforce compliance. If the department fails to receive a response within 72 hours, the secretary may issue a subpoena to compel disclosure of information.
However, it could take a few years for the law to be fully implemented. CISA is to publish a Notice of Proposed Rulemaking (NPRM) within 24 months and issue a final rule within 18 months after that.
As part of the new law, CISA will create a ransomware vulnerability warning program to identify systems that contain security vulnerabilities. Regular reporting will also be part of the new law.
“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” CISA Director Jen Easterly said in a statement. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. CISA is committed to working collaboratively and transparently with our industry and federal government partners in order to enhance the security and resilience of our nation’s networks and critical infrastructure.
“Put plainly, this legislation is a game-changer. Today marks a critical step forward in the collective cybersecurity of our nation.”