“A lot of the real details will have to be worked out in the rule-making process,” said Christopher D. Roberti, senior vice president for cyber, intelligence and supply chain security policy at the US Chamber of Commerce.
The law requires the cybersecurity agency to work with companies in setting the rules so that business leaders have a say in how the law should be applied.
Cyberattacks disrupted operations at major US companies last year, including JBS Foods, a meat supplier, and Colonial Pipeline, which supplies fuel to the East Coast. Both attacks hampered Americans’ ability to obtain essential supplies and created urgency for lawmakers to act.
Senators Gary Peters, a Democrat from Michigan, and Rob Portman, a Republican from Ohio, the authors of the incident reporting legislation, said the law would help companies like JBS Foods and Colonial recover more quickly from these types of attacks. The cybersecurity agency could guide and assist them during the recovery process.
Delayed disclosures have been costly to businesses. In 2018, Yahoo paid a $35 million fine for failing to disclose a 2014 hack in a timely manner. Executives can also face criminal charges, as in the case of a former Uber executive charged with obstruction and fraud in his handling of a 2016 data breach at the ride-hailing company.
What you need to know about ransomware attacks
Why are they becoming more common? Experts say ransomware is attractive to criminals because the attacks are largely anonymous online, minimizing the chance of being caught. The Treasury Department estimates that Americans have paid $1.6 billion in ransom since 2011.
Is there a connection with the rise of cryptocurrencies? The growth of the criminal industry has been fueled by cryptocurrencies, such as Bitcoin, which allow hackers to anonymously transact with victims, although experts see virtual currency exchanges as a weak point for ransomware gangs.
“We’ve heard from companies in the past year or more about how inconsistent and unstreamlined the incident reporting landscape is,” said Courtney Lang, senior policy director at the Information Technology Industry Council. “Given the way the cybersecurity landscape has evolved, there are threats that need to be addressed. To some extent, we think incident reporting can provide useful information that can help shape specific responses.”
While similar rules are being considered in Europe and by other federal agencies in the United States, business leaders hope the new federal law will become a model for other lawmakers and government officials, helping companies avoid a tangle of overlapping incident reporting requirements.
This post, “In view of Russia, Biden administration asks companies to report cyber-attacks”, was originally published at https://www.nytimes.com/2022/03/23/us/politics/biden-russia-cyberattacks.html
