WASHINGTON — The Biden administration is warning American businesses in increasingly stark terms about Russian cyberattacks, providing thousands of companies with briefings on the threats to critical infrastructure and urging companies to comply with a new law that will require them to report any hacks. But some details of the law remain unclear, leaving executives with questions about what the legislation means for them.
In a statement this week, President Biden encouraged private companies to strengthen their defenses. Administration officials are particularly concerned about attacks targeting critical sectors like utility companies and hospital systems.
“It’s part of Russia’s playbook,” Mr. Biden said of potential cyberattacks by Russia in response to sanctions imposed by the United States over the war in Ukraine.
The new law was included in the spending package that Mr. Biden signed last week. Under the law, companies will be required to notify the Cybersecurity and Infrastructure Security Agency within 72 hours of discovering a hack. They must also alert the agency within 24 hours of paying ransom to attackers who hold their data hostage.
The agency plans to operate as a clearinghouse and distribute information about the attacks throughout the government, a process that could improve the investigation and prevention of similar attacks.
“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” Jen Easterly, the agency’s director, said in a statement.
But the law leaves many details open to interpretation by the cybersecurity agency, and the rule-making process in which those details will be hammered out could take months. The agency will decide which kinds of companies must report incidents, which sorts of incidents are severe enough to be reported and when the clock starts for the 72-hour reporting deadline. The law focuses on companies that provide critical infrastructure, but the agency could interpret it broadly or tailor it to a smaller subset of companies.
In a teleconference with businesses on Tuesday, the agency stressed that even seemingly small threats should be reported because of the looming risk of Russian cyberattacks, in the hopes that any incident could provide important bread crumbs leading to a sophisticated attacker.
There are concerns, however, that a flood of information about minor incidents could cloud the agency’s view of serious attacks. The agency said on Tuesday that it would not usually request such a granular level of detail but that it wanted to err on the side of caution.
“A lot of the real details are going to have to be worked out in the rule-making process,” said Christopher D. Roberti, the senior vice president for cyber, intelligence and supply chain security policy at the U.S. Chamber of Commerce.
The law requires the cybersecurity agency to work with companies as it determines the rules, so business leaders will get a say in how the law should be applied.
Cyberattacks disrupted operations at major American businesses last year, including JDS Foods, a meat supplier, and Colonial Pipeline, which supplies fuel on the East Coast. Both attacks interfered with Americans’ ability to obtain essential supplies and created urgency for lawmakers to act.
Senators Gary Peters, Democrat of Michigan, and Rob Portman, Republican of Ohio, the authors of the incident reporting legislation, said the law would help companies like JDS Foods and Colonial recover more quickly after these kinds of attacks. The cybersecurity agency would be able to provide them with guidance and assistance during the recovery process.
Delayed disclosures have been costly for companies. In 2018, Yahoo paid a $35 million fine for failing to promptly disclose a 2014 hack. And executives can find themselves facing criminal charges, as in the case of a former Uber executive who has been charged with obstruction and fraud over his handling of a 2016 data breach at the ride-hailing company.
What to Know About Ransomware Attacks
What are ransomware attacks? This form of cybercrime involves hackers breaking into computer networks and locking digital information until the victim pays for its release. Recent high-profile attacks have cast a spotlight on this rapidly expanding criminal industry, which is based primarily in Russia.
Why are they becoming more common? Experts say ransomware is attractive to criminals because the attacks take place mostly anonymously online, minimizing the chances of getting caught. The Treasury Department has estimated that Americans have paid $1.6 billion in ransoms since 2011.
Is there any connection to the rise of cryptocurrencies? The criminal industry’s growth has been abetted by cryptocurrencies, like Bitcoin, which allow hackers to transact with victims anonymously, though experts see virtual currency exchanges as a weak point for ransomware gangs.
What is being done about these attacks? The U.S. military has taken offensive measures against ransomware groups, and the Biden administration has taken legal and economic action. Recent attacks have propelled ransomware to the top of President Biden’s national security agenda.
Why is the government getting involved? The attacks, which were mostly directed at individuals a few years ago, have dramatically escalated as hackers have begun targeting critical infrastructure in the U.S., including a major gasoline pipeline and meat processing plants.
“We’ve heard from companies in the last year or more about how inconsistent and unstreamlined the incident reporting landscape is,” said Courtney Lang, senior director of policy at the Information Technology Industry Council. “Given the way the cybersecurity landscape has evolved, there are threats that need to be addressed. To some extent, we think that incident reporting can provide useful information that can help to shape specific responses.”
While similar rules are under consideration in Europe and in other federal agencies in the United States, corporate leaders are hopeful that the new federal law will become a model for other legislators and government officials, allowing companies to avoid a muddle of overlapping incident reporting requirements.
While the rule making is underway, companies will not be required to report breaches, but the cybersecurity agency has urged them to voluntarily offer information to the government.
“It’ll be several months before the requirements officially kick in, so we encourage entities to share cyberthreat information and report incidents to CISA as much as possible, especially considering the ongoing geopolitical tensions in Ukraine and the threat of cyberattacks to the homeland,” said Stacy O’Mara, the director of government affairs at the cybersecurity firm Mandiant.
On Tuesday, representatives from critical infrastructure companies like banks, utilities and hospitals peppered Ms. Easterly with questions about what threats they might face from Russia and how they could prepare. They also asked for more government funding to buy cybersecurity software and raised concerns that some of their employees could not receive classified materials that might help them prepare for a cyberattack.
The cybersecurity agency recommended that businesses take basic cybersecurity precautions like requiring employees to use multifactor authentication, updating software and encrypting data.
“When cyberincidents are reported quickly,” Ms. Easterly said in her statement, “it can contribute to stopping further attacks.”