(Bloomberg) -- The $1.5 trillion government funding package that President Joe Biden signed Tuesday includes sweeping cybersecurity legislation that will require critical infrastructure operators to quickly report data breaches and ransomware payments.
The new law mandates that companies report hacks to the U.S. Department of Homeland Security within 72 hours of discovery of the incident, and 24 hours if they make a ransomware payment. FBI officials last year estimated that the bureau has visibility into a quarter of cyber incidents, resulting in a government-wide lack of information about the nature of many data breaches, the tactics of cybercriminals and the U.S. industries that are most vulnerable.
The law’s mandatory requirement is expected to give U.S. officials deeper insight into the nature of global hacking.
The legislation positions DHS’s Cybersecurity and Infrastructure Security Agency as a central hub for receiving private sector incident response reports, sharing threat data and tracking the evolution of ransomware, a pernicious issue for American business that has been difficult to quantify. Victims reported $29 million in ransomware-related losses to the FBI in 2020, the most recent figures available, compared to $406 million in extortion payments observed by the cryptocurrency-tracking firm Chainalysis Inc. during the same year.
CISA Director Jen Easterly praised the Senate’s passage of the bill, saying it gives her agency “the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyberattacks.”
“Put plainly, this legislation is a game-changer,” Easterly said.
The agency lists 16 broad sectors spanning health, energy, food and transportation as critical to the U.S., although the new legislation is yet to spell out precisely which companies would be required to report cyber incidents.
CISA has not said how it will use data gleaned from breach reports, but has been seeking to build its capabilities and work more closely with the private sector on a voluntary basis. In recent months, it has established emergency real-time Slack channels to swap information on hacks with affected companies.
CISA also is funding the Cyber Safety Review Board, an advisory body created this year to study major cyber incidents with the hope of minimizing the fallout from future attacks.
Brock Dahl, cybersecurity counsel at Freshfields Bruckhaus Deringer, said the legislation was well-intentioned, though cautioned that it would take time for specific regulations to come into focus.
“There is already a vehicle for sharing information with DHS, but there’s never been any significant motivation for voluntarily sharing that threat information,” said Dahl, formerly deputy general counsel at the National Security Agency.
“The current impact of the legislation also remains unclear due to lack of definition over exactly which companies will fall under the reporting requirements, which will be clarified in regulation,” he said, adding it was unclear what obligations this placed on the federal government to help combat the ransomware scourge and whether companies would get valuable information back.
Top Justice Department officials, meanwhile, have expressed concern that the bill gives investigators less insight into potential cybercrime because companies don’t have to directly report intrusions to federal law enforcement.
“In its current form, it would make the public less safe from cyber threats -- slowing aid to victims, hampering identification of other companies the same attackers are targeting, and undercutting disruption operations against cyber threats,” FBI Director Chris Wray said of the bill in a statement to Politico.
In a series of tweets, CISA Director Jen Easterly pledged to share relevant details with law enforcement “immediately.”
The law also comes into effect as U.S. firms, particularly in the financial sector, are bracing for potential blowback in cyberspace stemming from Russia’s invasion of Ukraine, and the sanctions levied on Moscow as punishment.
“While there are no specific or credible cyber threats to the U.S. at this time, Russia’s invasion of Ukraine, which has involved cyber-attacks on Ukrainian government and critical infrastructure organizations, could impact organizations both within and beyond the region, to include the U.S. homeland,” CISA warned. “Every organization -- large and small -- must be prepared to respond to disruptive cyber activity.”