This story has been doing the rounds for the past few weeks, as the US Government goes about creating a law to make companies that form part of the critical infrastructure declare publicly when they have been hacked.
US Critical Infrastructure Companies Will Have to Report When They Are Hacked – Schneier on Security
As is the way with US laws, to get them past their legislative houses, the Strengthening American Cybersecurity Act “was attached to the spending deal that keeps the federal government open until September”.
Biden signs cyber incident reporting bill into law – The Record by Recorded Future
This type of law is a good thing, as exposure before they act is the one thing that cyber attackers do not like. Companies that keep a hack secret, deal with it and possibly pay the ransom just leave the way open for the criminals to repeat the same attack on another organisation – or, since the company paid once, to hack them again if an undiscovered backdoor has been left behind.
CISA Director Jen Easterly emphasised in her statement that co-operation, and a shared understanding of what constitutes an attack, is the best defence for everyone.
Statement from CISA Director Easterly on the Passage of Cyber Incident Reporting Legislation | CISA
Now it will be up to the lawyers to decide what the “nation’s critical infrastructure” is, what counts as a “substantial cyber incident”, and whether that applies to their clients – and, please judge, keep their name secret for now, whilst others are hacked.
Clive Catton MSc (Cyber Security) – by-line and other articles