{"id":4561,"date":"2022-03-25T09:00:04","date_gmt":"2022-03-25T14:00:04","guid":{"rendered":"https:\/\/blogs.luc.edu\/compliance\/?p=4561"},"modified":"2022-03-25T09:00:04","modified_gmt":"2022-03-25T14:00:04","slug":"critical-infrastructure-and-cybersecurity-legislation-americas-cybersecurity-problem","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=4561","title":{"rendered":"Critical Infrastructure and Cybersecurity Legislation: America\u2019s Cybersecurity Problem"},"content":{"rendered":"<p><em>Marisa Polowitz<\/em><\/p>\n<p><em>Associate Editor<\/em><\/p>\n<p><em>Loyola University Chicago School of Law, JD 2023<\/em><\/p>\n<p>Long gone are the days when cybersecurity concerns existed solely in the domain of technology teams. Various organizations, from <a href=\"https:\/\/www.edweek.org\/technology\/thousands-of-school-websites-went-down-in-a-cyberattack-itll-happen-again-experts-say\/2022\/01\">schools<\/a> to <a href=\"https:\/\/www.securitymagazine.com\/articles\/95941-us-state-department-suffers-cyberattack\">government entities<\/a> (at every level), to <a href=\"http:\/\/blogs.luc.edu\/compliance\/?p=4041\">private companies<\/a> alike have fallen prey to cyberattacks. May 2021\u2019s <a href=\"https:\/\/www.axios.com\/colonial-pipeline-cyberattack-oil-what-know-9b7cd4ac-a6b8-41dc-b081-e57fde475a41.html\">Colonial Pipeline attack<\/a> caused chaos and a temporary gas frenzy that brought awareness of the vulnerabilities of the technology we rely on to even the least technically minded American. Cybersecurity, and more specifically, the security of critical infrastructure immediately became an issue that the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2022\/01\/19\/fact-sheet-president-biden-signs-national-security-memorandum-to-improve-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems\/\">U.S. Government<\/a> is taking very seriously. 
<!--more--><\/p>\n<p><strong>The worsening threat landscape<\/strong><\/p>\n<p>The Cybersecurity &amp; Infrastructure Security Agency (\u201cCISA\u201d) stated in February that cybersecurity authorities in the U.S., Australia, and the United Kingdom agreed that the <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-040a\">sophistication of ransomware threat actors<\/a> was increasing. <a href=\"https:\/\/www.cisa.gov\/about-cisa\">CISA<\/a> is the organization charged with leading national efforts to coordinate cybersecurity between government and private industry. CISA is also responsible for the coordination of national critical infrastructure security. In February 2022, CISA issued an alert warning that fourteen of the sixteen U.S. critical infrastructure sectors were targets of \u201c<a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-040a\">incidents involving ransomware<\/a>\u201d in 2021. Information Technology, Emergency Services, Food and Agriculture, Government Facilities, and the Defense Industrial Base (\u201cDIB\u201d) were amongst those critical infrastructure sectors listed. The U.K. specifically identified ransomware as the \u201c<a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-040a\">biggest cyber threat<\/a>\u201d it faces.<\/p>\n<p>As Russia\u2019s invasion of Ukraine continues, there is a growing <a href=\"https:\/\/www.securityweek.com\/russia-ukraine-threat-local-cyber-operations-escalating-global-cyberwar\">concern of increased cyberattack<\/a> attempts <a href=\"https:\/\/governmentciomedia.com\/dhs-lead-russia-ukraine-response-efforts-cisa-warns-cyber-fallout\">against the U.S. by Russian actors<\/a>, possibly in response to increased U.S. sanctions against Russia. 
The Biden Administration began calling attention to the possibility of Russian cyber-based aggression <a href=\"https:\/\/nypost.com\/2022\/02\/18\/us-companies-warned-to-brace-for-possible-russian-cyberattacks\/\">prior to Russia\u2019s physical invasion of Ukraine<\/a>. Russian hackers successfully took down <a href=\"https:\/\/www.wired.com\/2016\/03\/inside-cunning-unprecedented-hack-ukraines-power-grid\/\">Ukraine\u2019s power grid<\/a> in 2015, the first confirmed hack to do so. The notable SolarWinds attack, which <a href=\"https:\/\/whatis.techtarget.com\/feature\/SolarWinds-hack-explained-Everything-you-need-to-know\">targeted multiple American federal agencies<\/a> and private companies, is widely believed to have been perpetrated by Russian actors as well. Even more recently, Russian actors were responsible for the <a href=\"https:\/\/nypost.com\/2022\/02\/15\/ukraine-defense-ministry-banks-hit-by-cyber-attacks-report\/\">early February disruption<\/a> of Ukrainian government agencies and bank websites. <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-03-07\/hackers-targeted-u-s-lng-producers-in-run-up-to-war-in-ukraine\">Cyberattacks on major energy providers<\/a> launched in the weeks immediately preceding the invasion were determined to have gained access to current and former employees\u2019 devices across twenty-one companies.<\/p>\n<p>In reaction to Russia\u2019s attacks on Ukraine and the cyberactivity already occurring in 2021, CISA posted a \u201c<a href=\"https:\/\/www.cisa.gov\/shields-up\">Shields Up<\/a>\u201d advisory, warning that Russia\u2019s invasion could impact American organizations as well. CISA\u2019s advisory encourages all U.S. organizations to be on alert and <a href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa22-011a\">provides security guidance<\/a> for all U.S. federal agencies and critical infrastructure companies. 
This heightened vigilance comes on the heels of the Department of Defense (\u201cDOD\u201d) Inspector General\u2019s <a href=\"https:\/\/media.defense.gov\/2022\/Feb\/24\/2002944191\/-1\/-1\/1\/DODIG-2022-061.PDF\">released findings<\/a> that some contractors to the DIB failed to comply with <a href=\"https:\/\/www.nist.gov\/blogs\/manufacturing-innovation-blog\/what-nist-sp-800-171-and-who-needs-follow-it-0\">DOD and federal cybersecurity requirements<\/a> for protecting sensitive information. Some of the identified requirements that <a href=\"https:\/\/media.defense.gov\/2022\/Feb\/24\/2002944191\/-1\/-1\/1\/DODIG-2022-061.PDF\">organizations failed to satisfy<\/a> are <a href=\"https:\/\/www.nist.gov\/blogs\/manufacturing-innovation-blog\/what-nist-sp-800-171-and-who-needs-follow-it-0\">considered basic cybersecurity practices<\/a> for ensuring network and system security, such as multi-factor authentication, requiring strong passwords, monitoring network traffic, and disabling inactive users.<\/p>\n<p><strong>Government action to protect critical infrastructure<\/strong><\/p>\n<p>Just last week, Congress passed the <a href=\"https:\/\/www.hsgac.senate.gov\/imo\/media\/doc\/210928_PetersPortmanCyberIncidentReportingAct_AsIntroduced.pdf\">Cyber Incident Reporting Act<\/a> (\u201cThe Act\u201d), which was <a href=\"https:\/\/www.congress.gov\/bill\/117th-congress\/house-bill\/2471\/actions?r=36&amp;s=1\">signed into law by President Biden<\/a> on March 15, 2022. The new legislation requires all companies considered critical to U.S. national interests to report \u201c<a href=\"https:\/\/www.securityweek.com\/hacked-us-companies-face-new-reporting-requirements\">any substantial cyber incident<\/a>\u201d to the federal government within three days and to report payment of ransomware within twenty-four hours. 
<a href=\"https:\/\/governmentciomedia.com\/cisa-cyber-incident-reporting-mandates-get-billions-congressional-budget\">This includes<\/a> companies that deal with water, wastewater, nuclear waste, hospitals and healthcare organizations, the DIB, and more.<\/p>\n<p>The Act primarily focuses on <a href=\"https:\/\/www.debevoisedatablog.com\/2022\/03\/16\/new-cyber-incident-reporting-coming-for-critical-infrastructure-five-key-takeaways\/\">reporting requirements<\/a> for <a href=\"https:\/\/obamawhitehouse.archives.gov\/the-press-office\/2013\/02\/12\/presidential-policy-directive-critical-infrastructure-security-and-resil\">critical infrastructure entities<\/a> \u2013 it appoints CISA as the central information point for incident reporting, and formalizes communications pathways for better, and faster, national threat awareness and threat information exchange. This advancement is a major step in the right direction \u2013 clear, formal, and coordinated channels for communicating threats, as well as requiring critical organizations to report incidents, are both <a href=\"https:\/\/www.techrepublic.com\/article\/how-biden-new-cybersecurity-law-will-affect-your-business\/\">essential in mitigating the effects of cyberattacks<\/a>. The longer a threat goes unnoticed, the more damage it can produce. This new legislation is partially in response to the Biden Administration\u2019s inclusion of cybersecurity in its list of \u201c<a href=\"https:\/\/www.dhs.gov\/topics\/cybersecurity\">top priorities<\/a>.\u201d Enhanced cybersecurity for American critical infrastructure has support across the political spectrum, and is increasingly understood to be a <a href=\"https:\/\/www.americanbar.org\/news\/abanews\/aba-news-archives\/2022\/03\/us-must-harden-its-cybersecurity-defenses\/\">national security concern<\/a>. 
President Biden\u2019s National Security Council is the first to include a <a href=\"https:\/\/www.politico.com\/news\/2021\/01\/06\/biden-white-house-cybersecurity-neuberger-455508\">Deputy National Security Advisor for Cyber and Emerging Technology<\/a>. In January 2022, the Administration\u2019s focus on cybersecurity was again made evident with the signing of a <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2022\/01\/19\/fact-sheet-president-biden-signs-national-security-memorandum-to-improve-the-cybersecurity-of-national-security-department-of-defense-and-intelligence-community-systems\/\">National Security Memorandum<\/a>, which aims to enhance cybersecurity measures in National Security, DOD, and Intelligence Community Systems. Bipartisan support for enhancing U.S. cybersecurity protections is clearly evident in Congress, which <a href=\"https:\/\/governmentciomedia.com\/cisa-cyber-incident-reporting-mandates-get-billions-congressional-budget\">allocated $2.59 billion to CISA<\/a> in its government funding bill \u2013 millions of dollars beyond the Biden Administration\u2019s proposed budget.<\/p>\n<p>While <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2021\/11\/10\/fact-sheet-vice-president-harris-announces-initiatives-on-space-and-cybersecurity\/\">international cybersecurity cooperation<\/a>, <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2021\/10\/01\/statement-by-president-joe-biden-on-cybersecurity-awareness-month\/\">K-12 educational institutions<\/a>, the <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2022\/01\/27\/fact-sheet-biden-harris-administration-expands-public-private-cybersecurity-partnership-to-water-sector\/\">water sector<\/a>, and even <a href=\"https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2021\/10\/01\/statement-by-president-joe-biden-on-cybersecurity-awareness-month\/\">cybersecurity awareness<\/a> 
are other areas where the Biden Administration has focused its attention, a concerted government focus on cybersecurity, specifically in critical infrastructure, has been <a href=\"https:\/\/www.popsci.com\/technology\/cybersecurity-receives-funds-infrastructure-package\/\">desperately needed for years<\/a>. Unfortunately, the benefits of The Act won\u2019t be felt immediately, as it <a href=\"https:\/\/www.natlawreview.com\/article\/president-biden-signs-law-cyber-incident-reporting-act-imposing-reporting\">will not go into effect<\/a> until the final rules are promulgated \u2013 and allows for a 24-month time frame in which to publish a proposed rulemaking. In conjunction with the many other initiatives to enhance security, the U.S. is <a href=\"https:\/\/www.cisa.gov\/news\/2022\/03\/11\/statement-cisa-director-easterly-passage-cyber-incident-reporting-legislation\">making headway<\/a> in augmenting its security posture and creating cohesive cybersecurity protections. However, it remains to be seen if the <a href=\"https:\/\/www.jdsupra.com\/legalnews\/2022-cyber-watch-list-a-look-at-2021-1801664\/\">forthcoming enhancements<\/a> will come soon enough.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Long gone are the days when cybersecurity concerns existed solely in the domain of technology teams. Various organizations, from schools to government entities (at every level), to private companies alike have fallen prey to cyberattacks. May 2021\u2019s Colonial Pipeline attack caused chaos and a temporary gas frenzy that brought awareness of the vulnerabilities of the technology we rely on to even the least technically minded American. Cybersecurity, and more specifically, the security of critical infrastructure immediately became an issue that the U.S. 
Government is taking very seriously.<\/p>\n","protected":false},"author":90,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[553,1135,1150,1152,1205,1623],"class_list":["post-4561","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-cyber-attacks","tag-infrastructure","tag-international","tag-international-affairs","tag-journal-of-regulatory-compliance","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/4561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/90"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4561"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/4561\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}