Ransomware and the Strengthening American Cybersecurity Act
As cyber threats grow more serious and frequent, the United States Congress has been considering a variety of legislative solutions aimed at protecting critical infrastructure from malicious actors. The war in Ukraine intensified concerns on this front, resulting in the Senate passing the Strengthening American Cybersecurity Act (SACA). The bill included the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which the president signed into law on March 15, 2022. While the law is general in its descriptions of cyberattacks, it seems to have been written to address risks posed by ransomware. This article looks at how ransomware mitigation can affect how companies comply with SACA.
SACA’s notification requirement for cybersecurity incidents
The law mandates that so-called “covered entities,” which operate 16 types of critical infrastructure, including energy grids, dams, wastewater plants, and so forth, notify the Cybersecurity and Infrastructure Security Agency (CISA) of cyber incidents within 72 hours of their occurrence. The rationale for this law should be easy to understand. CISA cannot respond to an incident it does not know about, and peer entities in the same industry need to understand the threats they are facing. Fast disclosure is key to an effective response.
The Act allows for a rules discussion period that will probably not see the final, hardened set of policies emerge for another two years. For now, the 72-hour notification requirement is the rule and will likely remain the rule in the future. However, 72 hours is too long; vulnerabilities are leveraged by hackers and their botnets within hours of disclosure, so it is my sincere hope that the notification window is shortened before final policies are set.
What will trigger a notification under SACA?
The rules specify two main triggers for notification. Subject to more details from the rule-making process, covered entities must report:
“(i) a cyber incident that leads to substantial loss of confidentiality, integrity, or availability of such information system or network, or a serious impact on the safety and resiliency of operational systems and processes.”
Or “(ii) a disruption of business or industrial operations, including due to a denial of service attack, ransomware attack, or exploitation of a zero-day vulnerability against an information system or network, or an operational technology system or process.”
According to a report from the law firm BakerHostetler, the law also requires covered entities to report “unauthorized access or disruption of business or industrial operations due to loss of service facilitated through, or caused by, a compromise of a cloud service provider, a managed service provider, another third-party data hosting provider, or by a supply chain compromise.”
This is really about ransomware
The Act covers any threat that can lead to loss of confidentiality, integrity, or availability of systems. In reality, this is almost entirely about ransomware, today’s most serious and pervasive cyberthreat. A ransomware attack can also disrupt business operations. In recognition of these facts, the drafters of the Act mention ransomware by name and specify that covered entities have to disclose whether they have paid ransom or intend to, along with other details of their incident responses.
A further issue with ransomware relates to the potential depths of an attack. The malware encrypts data and holds it for ransom, but most ransomware attacks are far more destructive and insidious than that. They often involve the exfiltration of data. And, they almost always involve deep penetration of infrastructure and the implantation of stealth malware that can be activated at a later date. These are all serious elements of risk exposure for a covered entity. Thus, it makes a great deal of sense that the new law mandates notification of an attack.
Here is my problem with the Act as it stands now, or at least with how it may be interpreted by companies that have been targeted by a ransomware attack. SACA will require a mandatory report if the incident “substantially impacts” the company’s information systems or network, or operational systems and processes. Who’s to say what constitutes a substantial impact? If a company mitigated the potential damage from an otherwise successful ransomware attack, say by using an immutable backup of its data that the hackers couldn’t touch, is it still required to notify CISA of the attack? Without any damage or disruption of service, the letter of the law is unclear. However, the intent of the law is clearly focused on transparency. Reporting incidents of ransomware, or any cyberattack, regardless of the outcome, helps everyone.
How to mitigate the impact of a ransomware attack
I’ve written substantially on the steps to take to be able to successfully recover from a ransomware attack. By implementing a robust 3-2-1 backup strategy and making sure that at least one of those backup copies is in immutable storage, you can wipe your systems, reinstall pristine system software, and upload your protected data with limited disruption of operations and without having to pay a ransom.
It’s not quite that simple, of course. You’ll need to determine the right backup strategy for your organization. This includes how often you should perform full or incremental backups, and a plan for testing and validating your backups on a regular basis. Standard practice used to be at least once annually, but given the substantial risk of being hit with a cybersecurity attack, many organizations now test their backups once per quarter or once per month.
Finally, be aware that not all cloud storage services are created equal. Despite the comparatively low cost per terabyte for most cloud storage tiers, backed-up data can grow quickly. This data growth, plus hidden costs such as fees for API requests (like when you are testing your backups) or egress (like when you want to get your data back in the event of a cyberattack), may quickly and unpredictably eat up your storage budget. Whichever provider you choose to store your data, make sure they don’t charge for egress or API transactions.
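The two checks the preceding paragraphs call for, that the copies actually satisfy 3-2-1 with at least one immutable copy, and that each copy still matches what was backed up when it is tested, can be scripted so they run on every test cycle. The following is an added example written for this article, not the author's tooling or any vendor's API. The `BackupCopy` model, the SHA-256 manifest approach, the sample files and the "ransomware overwrote the local copy" scenario are all constructed here to show why the immutable copies are the ones you restore from.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class BackupCopy:
    """Constructed stand-in for one backup copy and its storage properties."""
    name: str
    medium: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool        # stored at a different site or provider
    immutable: bool      # WORM / object lock / retention lock enabled
    blobs: Dict[str, bytes]  # path -> stored bytes (in-memory stand-in for the copy)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a checksum per file at backup time; kept with the immutable copy."""
    return {path: sha256_hex(content) for path, content in files.items()}


def verify_copy(copy: BackupCopy, manifest: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the copy matches the manifest."""
    problems = []
    for path, expected in manifest.items():
        if path not in copy.blobs:
            problems.append(f"{copy.name}: missing {path}")
        elif sha256_hex(copy.blobs[path]) != expected:
            problems.append(f"{copy.name}: checksum mismatch for {path}")
    return problems


def check_3_2_1(copies: List[BackupCopy]) -> List[str]:
    """3 copies, on 2 media types, 1 offsite, plus the article's immutability requirement."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies; need 3")
    if len({c.medium for c in copies}) < 2:
        problems.append("all copies share one medium; need 2 media types")
    if not any(c.offsite for c in copies):
        problems.append("no offsite copy")
    if not any(c.immutable for c in copies):
        problems.append("no immutable copy")
    return problems


def assess(copies: List[BackupCopy], manifest: Dict[str, str]) -> dict:
    """Policy check plus per-copy integrity results, suitable for a test-cycle report."""
    return {
        "policy": check_3_2_1(copies),
        "integrity": {c.name: verify_copy(c, manifest) for c in copies},
    }


def recoverable_copies(copies: List[BackupCopy], manifest: Dict[str, str]) -> List[str]:
    """Names of copies that are both immutable and still match the manifest."""
    return sorted(c.name for c in copies if c.immutable and not verify_copy(c, manifest))


# Constructed sample data: the files that were backed up, and their manifest.
PRODUCTION = {
    "db/customers.sql": b"-- constructed sample dump\nINSERT INTO customers VALUES (1, 'acme');\n",
    "config/app.yaml": b"# constructed sample config\nlog_level: info\n",
}
MANIFEST = build_manifest(PRODUCTION)


def sample_copies() -> List[BackupCopy]:
    local = BackupCopy("local-disk", "disk", offsite=False, immutable=False, blobs=dict(PRODUCTION))
    # Constructed scenario: the mutable on-site copy was reachable by the attacker
    # and one file has been overwritten with ciphertext.
    local.blobs["db/customers.sql"] = b"ENCRYPTED-BY-RANSOMWARE (constructed)"
    tape = BackupCopy("offsite-tape", "tape", offsite=True, immutable=True, blobs=dict(PRODUCTION))
    locked = BackupCopy("object-lock-bucket", "object-storage", offsite=True, immutable=True,
                        blobs=dict(PRODUCTION))
    return [local, tape, locked]


if __name__ == "__main__":
    report = assess(sample_copies(), MANIFEST)
    print("policy problems:", report["policy"] or "none")
    for name, problems in report["integrity"].items():
        print(f"{name}: {'OK' if not problems else problems}")
    print("restore from:", recoverable_copies(sample_copies(), MANIFEST))
```

Run as written, the policy check passes, the local disk copy fails its checksum comparison, and the two immutable copies are the ones reported as safe to restore from. In practice the `blobs` dict would be replaced by reads from the real backup target, but the manifest-at-backup-time, verify-at-test-time structure is the part that matters.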
Get serious about ransomware mitigation
The final, permanent rules that will define the Cyber Incident Reporting for Critical Infrastructure Act of 2022 will not be ready for some time. However, the direction of the law is quite clear. The government expects prompt notification for incidents that affect critical infrastructure. This expectation may also be extended to all businesses. The law should be seen as a signal that it’s time to get serious about ransomware mitigation.