U.S. Cyber Regulations Post Colonial Hack: Will They Be Enough?
Around half a dozen cybersecurity bills have been introduced in the U.S. after the Colonial Pipeline hack. Let's look at some of these bills and how effective they will be in
Over the past few years, the U.S. corporate sector has faced a barrage of damaging cyberattacks in various forms. Ransomware has exacted a serious toll, but large-scale supply chain attacks aimed at disrupting operations have also crippled many organizations. Can the federal and state governments address these threats through cybersecurity regulations and directives? Let's look at recent and pending federal cybersecurity legislation and ask whether it is sufficient to help organizations operate safely in the current threat environment.
What Does the Current Threat Environment Look Like?
The takedowns of the REvil ransomware gang, the DarkSide group, and the NetWalker ransomware infrastructure are counted as major successes for law enforcement against the cybercrime industry. Nevertheless, the threat posed by these actors remains largely undiminished, partly because of state support and partly because ransomware operations are so profitable.
Ransomware-as-a-Service programs now ensure that cybercriminals with little or no technical skill can mount powerful attacks against enterprises. The willingness of organizations to pay a ransom to restore operations, the difficulty of arresting cybercriminals who operate from jurisdictions that shelter them, and the challenge of attributing attacks accurately are the main reasons cybercrime continues to thrive as an industry.
The ransomware attacks on Colonial Pipeline and JBS Foods this year served as a chilling reminder of the scale of disruption modern attacks can cause. The federal government, along with agencies such as the FBI, CISA, DHS, and the NSA, is now rolling out directives, advisories, helplines, and new legislation to improve the readiness of organizations to withstand future attacks. Let's look at the cybersecurity directives issued in the aftermath of the Colonial Pipeline attack and the federal legislation proposed to boost U.S. cybersecurity.
Federal Response to Rising Cyberattacks
Biden’s Executive Order
On May 12, President Biden issued his first Executive Order on Improving the Nation's Cybersecurity, aimed at boosting the preparedness of federal government organizations and agencies in the face of increasingly disruptive cyber attacks. The order states that "the prevention, detection, assessment, and remediation of cyber incidents is a top priority and essential to national and economic security" and that all federal information systems should meet or exceed the cybersecurity standards and requirements set out in the order.
DHS Directives on Pipeline Security
In the same month, the Department of Homeland Security's Transportation Security Administration (TSA) issued a cybersecurity directive for pipeline operators. The directive required operators to report cybersecurity incidents to CISA, designate a Cybersecurity Coordinator, review their current practices, identify gaps and the remediation measures needed to address cyber-related risks, and report the results to TSA and CISA within 30 days.
On July 20, the TSA issued its second cybersecurity directive, which requires pipeline owners and operators "to implement a number of urgently needed protections against cyber intrusions." The directive says that pipeline operators must "implement specific mitigation measures to protect against ransomware attacks and other known threats to information technology and operational technology systems, develop and implement a cybersecurity contingency and recovery plan, and conduct a cybersecurity architecture design review."
CISA’s Cyber Resilience Toolkit
The Cybersecurity and Infrastructure Security Agency (CISA) also released, and later updated, the Public Safety Communications and Cyber Resiliency Toolkit "to assist public safety agencies and others responsible for communications networks by providing the tools necessary to evaluate current resiliency capabilities, identify ways to improve resiliency, and develop plans for mitigating the effects of potential resiliency threats."
CISA says the toolkit can help identify and address emerging trends and issues, educate stakeholders at all levels of government, and propose mitigations that enable resilient public safety communications. Public safety agencies can use the toolkit to plan, implement, and review their communications capabilities for resiliency, both to maintain day-to-day communications and to prepare in advance for emergencies.
New Cyber Bills in the Aftermath of the Colonial Pipeline Hack
Aside from federal directives and advisories, the U.S. Congress also acted quickly to introduce a number of cybersecurity-focused bills. Let's look at what these bills are and how they aim to protect U.S. organizations from ransomware and other threats, including nation-state attacks.
Federal Rotational Cyber Workforce Program Act of 2021
Introduced in the Senate in April, the bill seeks to address the shortage of cybersecurity personnel in federal organizations and agencies. It calls for establishing a rotational cyber workforce program under which "certain federal employees may be detailed among rotational cyber workforce positions at other agencies." It was approved by the House Oversight and Reform Committee by voice vote in late June.
If enacted, the bill will allow federal cybersecurity personnel to work across federal agencies and organizations. This will help agencies make better use of their cybersecurity workforce and let cybersecurity personnel sharpen their skills by gaining experience on diverse networks and IT infrastructures.
The State And Local Cybersecurity Improvement Act
This bill seeks to amend the Homeland Security Act of 2002 to authorize a $500 million Department of Homeland Security (DHS) grant program to address cybersecurity vulnerabilities in state and local government networks. States and local governments would be able to use the federal grants to remediate vulnerabilities in their information systems. The bill was passed by the U.S. House of Representatives on July 21, though the authorized amount was reduced to $400 million.
According to Congressman Dutch Ruppersberger, who introduced it, the bill was inspired by the 2019 ransomware attack on the City of Baltimore in Maryland, which cost more than $18 million to remediate. Noting that 2,400 local governments and healthcare facilities fell victim to ransomware attacks in 2020, he said that half of all states currently have no dedicated cybersecurity line item in their budget. "Already, [ransomware actors] have been able to disrupt medical treatment, remote learning and public transportation in the middle of a pandemic and things will get a lot worse if we don't take action now," he said.
Enhancing State Energy Security Planning and Emergency Preparedness Act of 2021
In late June, the U.S. House of Representatives passed the Enhancing State Energy Security Planning and Emergency Preparedness Act of 2021 by a near-unanimous vote, but a companion bill has yet to be introduced in the Senate. The bill authorizes a total of $450 million ($90 million a year over five years, ending in 2026) for the U.S. Department of Energy's State Energy Program.
States would use the funds to address critical vulnerabilities in energy infrastructure organizations, such as power transmission and fuel transportation companies. The bill would also allow cybersecurity vulnerabilities in critical infrastructure to be addressed on a national scale rather than state by state.
Cyber Sense Act
This bill has already passed the U.S. House of Representatives; it was introduced in the Senate and referred to the Committee on Energy and Natural Resources on July 21. According to the bill summary, it requires the Secretary of Energy to "establish a voluntary Cyber Sense program to test the cybersecurity of products and technologies intended for use in the bulk-power system, and for other purposes."
Congressman Bob Latta says the Act will let the Department of Energy establish a testing process for products used in the bulk-power system. "It creates a database at the DOE to track products and help provide more information on cyber weaknesses for electric utilities and their potential to cause harm to the electric grid. This would aid electric utilities that are evaluating products and their potential to cause harm to the electric grid," Latta said.
Enhancing Grid Security through Public-Private Partnerships Act
Passed by the House of Representatives on July 20, this bill encourages greater public-private partnership to improve the cybersecurity of electric utilities. "The legislation would improve sharing of best practices and data collection, along with providing training and technical assistance to electric utilities to address and mitigate cybersecurity risks," said Congressman Latta.
Cyber Diplomacy Act of 2021
Introduced in the Senate in April, the bill authorizes the U.S. government to pursue diplomatic engagement with foreign countries on matters of U.S. cyberspace policy. It would also establish a Bureau of International Cyberspace Policy within the State Department. The bureau would advise the department "on cyberspace issues and lead diplomatic efforts on issues related to international cybersecurity, internet access and freedom, and international cyber threats."
The bill also directs the President to devise a strategy for U.S. engagement with foreign governments on international norms of responsible state behavior in cyberspace and to enter into executive arrangements with foreign governments that support U.S. cyberspace policy.
How Effective Will These Bills Be?
Members of Congress have also introduced several other cybersecurity-related bills, such as the Cybersecurity Vulnerability Remediation Act, the Cyber Exercise Act, the Cyber Incident Notification Act, the Endless Frontier Act, and the DHS Industrial Control Systems Capabilities Enhancement Act. These bills seek to address vulnerabilities in federal and state information systems and to protect sensitive data from unauthorized access, cyber espionage, and ransomware attacks.
Fitch Ratings has welcomed the introduction of new cybersecurity bills, but warns that a proliferation of parallel laws could do more harm than good. "While increased cybersecurity regulations should be favorable, the proliferation of uncoordinated or piecemeal cybersecurity regulations and laws can make managing cyber risk both more difficult in terms of compliance, cost and transparency.
“Cyber risk is unique in that attackers operate globally, and therefore global coordination on cybersecurity standards and enforcement are critical for long-term success to combat this growing risk.
“Fitch views legislation that mandates layered controls and cyber basics, such as network segmentation, multi factor authentication, encryption, identity and access management, and cyber incident reporting, as positive for bolstering cyber hygiene,” Fitch Ratings said.
Commenting on the effect of new cybersecurity legislation on various industries, Fitch observed that its impact will be uneven across sectors. "Less regulated sectors, including non-financial corporations, will be more affected by increased regulatory oversight than sectors such as banks and insurance, which are already highly regulated.
“Over the longer term, we see more regulation related to cybersecurity as broadly beneficial, as this will require sectors that have lagged on cybersecurity to increase investments against this risk,” it added.