Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
United States Government Security IT

Critical US Companies Will Soon Be Required to Report All Breaches and Ransomware to the DHS (apnews.com) 16

"Companies critical to U.S. national interests will now have to report when they're hacked or they pay ransomware, according to new rules approved by Congress," reports the Associated Press: The rules are part of a broader effort by the Biden administration and Congress to shore up the nation's cyberdefenses after a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will give the federal government much greater visibility into hacking efforts that target private companies, which often have skipped going to the FBI or other agencies for help. "It's clear we must take bold action to improve our online defenses," Sen. Gary Peters, a Michigan Democrat who leads the Senate Homeland Security and Government Affairs Committee and wrote the legislation, said in a statement on Friday.

The reporting requirement legislation was approved by the House and the Senate on Thursday and is expected to be signed into law by President Joe Biden soon. It requires any entity that's considered part of the nation's critical infrastructure, which includes the finance, transportation and energy sectors, to report any "substantial cyber incident" to the government within three days and any ransomware payment made within 24 hours....

The legislation designates the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency as the lead agency to receive notices of hacks and ransomware payments.... The new rules also empower CISA to subpoena companies that fail to report hacks or ransomware payments, and those that fail to comply with a subpoena could be referred to the Justice Department for investigation.

This discussion has been archived. No new comments can be posted.

Critical US Companies Will Soon Be Required to Report All Breaches and Ransomware to the DHS

Comments Filter:
  • Is Equifax critical? Is a New York dam [time.com]? What's the criteria?

    Who has access to the data?

    • Well Slashdot would have to report any breaches since they're necessary to proper geek functioning.

    • Companies critical to U.S. national interests

      The federal government decides what is of national interest, so the federal government.

  • which includes the finance, transportation and energy sectors, to report any "substantial cyber incident"...

    Gotta love it when Greed gets razor exacting on YOUR ass in contracts, but leaves bullshit like "substational" in theirs.

    Go ahead. Ask a financial institution to define "substational". Your average ransomware attack is a fucking rounding error compared to their daily take. Government would never hear of it, and if they did, the fuck are they gonna say or do to Too Big To Fail.

    Nothing but hollow crap.

    • by Anonymous Coward
      How do you quote the word and still manage to mispell it (twice!) in your post?
      • How do you quote the word and still manage to mispell it (twice!) in your post?

        I can appreciate a correction when it actually affects interpretation.

        But when you still understand the meaning, you're just that fucking bored.

        Thank you for your substantial contribution.

  • A whole lot of companies would fall under this that could pose a lot of challenges. My small ~50-person company would end up being impacted since we do work for hospitals and some large tech companies, not because of the law but because of contract requirements basically binding us to the same reporting requirements.

    The ransom portion is good policy, but the hack part can get complicated quickly. At our scale, knowing we have definitively been hacked is not something that is black and white. (We have log

  • Where ALL companies need to report breaches to the ICO within 72 hours that "“pose a risk to the rights and freedoms of natural living persons”.

    • by kaur ( 1948056 )

      This seems to be a GDPR reference. GDPR is a vague thing, and this clause in it is an especially vague one.

      However, there are more laws in Europe.
      NIS (network information security directive) is a more appropriate reference for incident reporting.
      https://www.enisa.europa.eu/to... [europa.eu]
      https://ec.europa.eu/commissio... [europa.eu]

      Of course, many EU countries have had laws similar to GDPR and NIS for a long time. EU-level initiatives usually do not create anything new. They mostly harmonize the principles already applied in dif

  • on both sides of domestic breaches.
  • You can keep printing reams of paper of all the data that’s being gathered and you can add more monkeys to the house at the zoo you deliver it to . . . but is “more data points” the missing part of the puzzle?

    It’s the dog and the sports car all over again. Okay, you’ve got everyone’s data - do you know how to get anything meaningful out of it?
    If the answer was ‘yes’ they could easily streamline what’s getting reported and pare it down.
    If the answer

Genius is ten percent inspiration and fifty percent capital gains.

Working...