Recent large-scale ransomware attacks are increasing calls for greater federal cybersecurity regulation. Freshfields Bruckhaus Deringer attorneys Brock Dahl and Boris Feldman say that prohibiting ransomware payments, making information-sharing about attacks mandatory, and mandating security measures are ideas that seem to be gaining traction among policy makers, and that companies should prepare.
The recent spate of publicly disclosed ransomware attacks has caused a groundswell of debate among policy makers in Washington, D.C., regarding the most effective way to deal with the threat. The perceived need for federal action on a number of fronts is growing so strong that it is worth pondering several ideas that may continue to gain traction.
Corporations would do well now to begin preparing for certain key themes in future federal cybersecurity regulation. In so doing, they will not need to achieve clairvoyance on the exact details of such legislation, but can adapt to its nuances more easily by working now to establish some key foundations of corporate readiness.
Bound to be the most controversial of ideas floating around D.C. is the possibility of outright prohibitions on ransomware payments. Though the administration has been sympathetic to the quandary faced by companies seeking to ensure business continuity, the headwinds appear to be blowing in the direction of increasing the prohibitions on payments to ransomware actors.
While recognizing the difficulty in seeming to punish corporate victims, the gravity of the argument seems to be shifting, and starving such actors of funds appears to be increasingly perceived as an urgent requirement that outweighs other factors.
Enforcing Information Sharing
In the wake of the Colonial Pipeline hearings, Sen. Gary Peters (D-Mich.) alluded to draft legislation that will mandate information sharing in the event a company experiences an incident. Like payment prohibitions, this issue seems to be building sufficient support, and some form of more robust sharing requirements seems likely.
Such requirements may look to the voluntary mechanisms created through the Cybersecurity Information Sharing Act of 2015 (CISA 2015) on the road to structuring mandatory requirements. Interested parties can also look to the categories of information required in the Transportation Security Administration’s recent pipeline “Security Directive” for a taste of what may have to be offered.
Long the subject of failed congressional initiatives (recall the draft Cybersecurity Act of 2012 and its progeny that eventually bore the more diminished fruit of CISA 2015), current events may also tip the political stars into alignment on setting up more prescriptive statutory requirements relating to specific security measures.
Companies should ensure their information technology staff are building out robust backup systems and continuity plans. Companies should also invest now in streamlined compliance functions that can specifically bridge the space between IT and legal, that interstitial zone where technical details have to be translated into comprehensible and actionable measures that corporate leaders, let alone the federal government, will increasingly be seeking.
Though the list of potential remedies is too long and target-specific to exhaustively legislate, some key widely applicable themes are already lurking in the administration’s recent executive order on improving the nation’s cybersecurity. Likely requirements include: multi-factor authentication; software patching; robust segregation of information and operational technology environments for critical infrastructure; mandatory air-gapped system backups; and more stringent identity management around administrative accounts.