Critical US Companies Will Soon Be Required to Report All Breaches and Ransomware to the DHS (apnews.com)
"Companies critical to U.S. national interests will now have to report when they're hacked or they pay ransomware, according to new rules approved by Congress," reports the Associated Press:
The rules are part of a broader effort by the Biden administration and Congress to shore up the nation's cyberdefenses after a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will give the federal government much greater visibility into hacking efforts that target private companies, which often have skipped going to the FBI or other agencies for help. "It's clear we must take bold action to improve our online defenses," Sen. Gary Peters, a Michigan Democrat who leads the Senate Homeland Security and Government Affairs Committee and wrote the legislation, said in a statement on Friday.
The reporting requirement legislation was approved by the House and the Senate on Thursday and is expected to be signed into law by President Joe Biden soon. It requires any entity that's considered part of the nation's critical infrastructure, which includes the finance, transportation and energy sectors, to report any "substantial cyber incident" to the government within three days and any ransomware payment made within 24 hours....
The legislation designates the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency as the lead agency to receive notices of hacks and ransomware payments.... The new rules also empower CISA to subpoena companies that fail to report hacks or ransomware payments, and those that fail to comply with a subpoena could be referred to the Justice Department for investigation.
Who decides if a business is 'critical'? (Score:2)
Is Equifax critical? Is a New York dam [time.com]? What's the criteria?
Who has access to the data?
Re: (Score:2)
Well Slashdot would have to report any breaches since they're necessary to proper geek functioning.
Re: (Score:2)
Companies critical to U.S. national interests
The federal government decides what is of national interest, so the federal government.
Bullshit WeakSpeak. (Score:2)
which includes the finance, transportation and energy sectors, to report any "substantial cyber incident"...
Gotta love it when Greed gets razor exacting on YOUR ass in contracts, but leaves bullshit like "substational" in theirs.
Go ahead. Ask a financial institution to define "substational". Your average ransomware attack is a fucking rounding error compared to their daily take. Government would never hear of it, and if they did, the fuck are they gonna say or do to Too Big To Fail.
Nothing but hollow crap.
Re: (Score:2)
How do you quote the word and still manage to misspell it (twice!) in your post?
I can appreciate a correction when it actually affects interpretation.
But when you still understand the meaning, you're just that fucking bored.
Thank you for your substantial contribution.
Contractually complicated! (Score:2)
A whole lot of companies would fall under this that could pose a lot of challenges. My small ~50-person company would end up being impacted since we do work for hospitals and some large tech companies, not because of the law but because of contract requirements basically binding us to the same reporting requirements.
The ransom portion is good policy, but the hack part can get complicated quickly. At our scale, knowing we have definitively been hacked is not something that is black and white. (We have log
Congratulations. You're only 5 years behind Europe (Score:2)
Where ALL companies need to report breaches to the ICO within 72 hours that "pose a risk to the rights and freedoms of natural living persons".
Re: (Score:2)
This seems to be a GDPR reference. GDPR is a vague thing, and this clause in it is an especially vague one.
However, there are more laws in Europe.
NIS (network information security directive) is a more appropriate reference for incident reporting.
https://www.enisa.europa.eu/to... [europa.eu]
https://ec.europa.eu/commissio... [europa.eu]
Of course, many EU countries have had laws similar to GDPR and NIS for a long time. EU-level initiatives usually do not create anything new. They mostly harmonize the principles already applied in dif
Now the NSA will be (Score:2)
Monkey House (Score:2)
It’s the dog and the sports car all over again. Okay, you’ve got everyone’s data - do you know how to get anything meaningful out of it?
If the answer was ‘yes’ they could easily streamline what’s getting reported and pare it down.
If the answer