Russia’s invasion kicks Senate into cybersecurity law mode

Critical infrastructure, federal agencies must report intrusions, ransomware payments within hours, draft rules state

Russia's invasion of Ukraine, and the possibility that the Kremlin may escalate its cyberespionage against the West after being heavily sanctioned, have convinced the US Senate to unanimously pass a bipartisan cybersecurity bill.

This draft law would, among other steps, force critical infrastructure companies to report attacks and ransomware payments.

The Strengthening American Cybersecurity Act of 2022, which now goes to the House, would put into law some of the regulations the Biden Administration and some members of Congress have been advocating for since the onslaught of high-profile ransomware attacks last year, including those on such companies as Colonial Pipeline and meat processor JBS Foods.

Both attacks were carried out by cybercriminal groups – DarkSide and REvil – with links to Russia.

The bill passed by the Senate this week would require civilian federal agencies and the owners of US critical infrastructure organizations – such as power plants, hospitals and shipping ports – to report cyberattacks to Homeland Security within 72 hours. In addition, they would have to report a ransomware payment within 24 hours.

While the White House has given its support to the bill – though an official there has said administration staff will work with the House to ensure all the necessary provisions are in it – the Department of Justice (DOJ) reportedly pushed back on it, saying the FBI should also be on the list of agencies contacted by companies that have been attacked. The bill currently requires companies to notify the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security.

Deputy Attorney General Lisa Monaco told Politico the "bill as drafted leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats." FBI Director Christopher Wray agreed, adding that it would hurt the agency's response to attacks.

In addition, some in the cybersecurity field have questions about the proposed law, including the requirement to alert Homeland Security of a ransomware payment.

"Reporting ransomware payments can be immensely useful if there is immunity for making the payments," John Bambenek, principal threat hunter at cybersecurity firm Netenrich, told The Register.

"There is no, nor ever has been, any evidence that banning ransomware payments will work or be successful. Creating a reporting mechanism to report one's own 'wrongdoing' hasn't worked in the past. If – and only if – the government stops its saber rattling towards victims who make payments, then this policy has a chance at success."

Horse, meet stable door

The Biden Administration has made cybersecurity a priority. The President has signed executive orders and a memorandum pushing to improve the cybersecurity posture of the government and US businesses.

The National Security Council in June 2021 sent a memo urging US businesses to take the ransomware threat seriously, and in October the administration rolled out several initiatives that included going after the criminals orchestrating these attacks and requiring the reporting of incidents and ransomware payments.

In January, the FBI, NSA, and CISA warned US businesses about the threat of Russian state-sponsored gangs as tensions rose between Russia, the United States, and European nations over President Putin's intentions for Ukraine.

Government agencies and cybersecurity companies have urged ransomware victims not to pay the demanded ransom to get their scrambled or deleted data restored, arguing that doing so funds future attacks, makes the paying organization more likely to be attacked again, and doesn't guarantee it will regain control of all its data.

A study in October 2021 by cybersecurity firm ThycoticCentrify – now known as Delinea – claimed 83 per cent of ransomware victims in its survey paid their extortionists.

Spokespeople for Senators Gary Peters (D-MI) and Rob Portman (R-OH) said the cybersecurity bill included many changes both the DOJ and FBI pushed for, and disputed that it would make the country less safe.

The escalating war in Ukraine and the ongoing threat of Russian cyberattacks seem to have helped accelerate the Senate's passage of the legislation, which was taken out of the defense budget appropriation in December.

"It's no surprise with recent incidents and an increased threat of cyberattacks that this bill has gained bipartisan support," Tim Erlin, vice president of strategy at cybersecurity company Tripwire, told The Register. "The requirements included, which go beyond just reporting incidents, are largely common-sense measures to protect organizations. Making progress on cybersecurity has been a clear objective for the administration and the passage of this legislation in the Senate is evidence of that progress."

That said, some cybersecurity experts said more needs to be done. Erlin noted that the "scope of this legislation is limited to civilian federal agencies and critical infrastructure. The vast majority of commercial organizations won't be directly impacted."

Netenrich's Bambenek said that those that will be most affected are federal government vendors that are required to use FedRAMP, a government program designed to address security assessment and monitoring of cloud products and services.

"The new legislation, and whatever implementing regulations are passed to support it, will start to tackle, among other things, software supply-chain issues," he said.

"How organizations begin to tackle that will also impact the B2B ecosystem as well. It will, by no means, solve the problem of supply-chain compromises, but it is definitely a step down the road to visibility and risk management."

Alex Ondrick, director of security operations at incident response specialist BreachQuest, told The Register that the legislation is well intentioned but doesn't define specifics.

"This seems to be a good first step towards formalizing cybersecurity policy at the national level, but this is only the beginning of the journey," Ondrick said. "In an ideal world, further policy developments would 'nest' considerations at the director [and] C-level, with further-developed and fully-defined technical next steps at the analyst level." ®

Biting the hand that feeds IT © 1998–2022