Attacks on critical infrastructure operators, government agencies and private companies spurred President Joe Biden’s government to take significant cybersecurity measures in 2021. This year security leaders face further cyber reforms, labor shortages and persistent threats from ransomware groups.

A May presidential order drastically changed what had been a relatively practical way of dealing with cyber in the past, with voluntary guidelines and little supervision. The government is increasingly telling companies critical to the country’s cyber infrastructure exactly what is expected of them, former officials say.

Companies in some sectors are now required to report cyberattacks, appoint dedicated employees to liaise with officials, and design their networks to adhere to zero trust principles.

“I think what the Biden administration has been doing over the last year is disruptive,” said Sujit Raman, partner at Sidley Austin LLP and former assistant attorney general at the Department of Justice. “They moved away from voluntary standards quite aggressively and were ready to impose mandatory standards. It’s disruptive in a novel way.”

Authorities like the Transportation Security Administration published new standards that require pipeline operators to strengthen cybersecurity and conduct audits to prove it.

Federal agencies have also been tasked with finding and fixing bugs in the software they are using and creating guidelines for each critical infrastructure area they are monitoring.

The consequences of hacks of SolarWinds Corp. and Microsoft Corp. software dominated the first months of 2021, with thousands of companies and multiple federal agencies affected by the attacks. The US government later attributed the campaigns to state-sponsored hackers in Russia and China. Both governments have denied participation.

Homeland Security Secretary Alejandro Mayorkas had been calling ransomware a threat to national security since March, but the attack on Colonial Pipeline Co. in May brought the issue into sharp focus. That incident forced Colonial to shut down the East Coast’s largest fuel artery for six days, which drove prices up and led to fuel shortages following panic buying in some southeastern states.

“Understanding the impact a ransomware attack on a commercial critical infrastructure sector can have on our country has, in my opinion, accelerated the need for a more coordinated and targeted government response,” said Brad Medairy, executive vice president at consulting firm Booz Allen Hamilton Inc.

Serious cyberattacks struck food giant JBS SA and technology provider Kaseya Ltd. as the Justice, State, Homeland Security and Treasury departments launched broader efforts to contain cyber threats. The US imposed sanctions or charges on suspected ransomware operators in Russia and Ukraine for attacking Kaseya; a Russia-based cryptocurrency exchange; and cybersecurity companies accused of holding spy recruitment conferences.

Weeks after telling Vladimir Putin that if the Russians don’t stop cyberattacks on American assets, he will have to take revenge, media reports said that Russia’s foreign intelligence service has struck again. Images: AFP via Getty Images. Composite: Mark Kelly

In July, the Senate confirmed Chris Inglis as the first national cyber director, a role Mr. Inglis has described as quarterback for the government’s cybersecurity efforts. During his confirmation hearing in June, Mr. Inglis previewed more assertive government action, along the same lines as its enforcement of standards for the aviation sector.

“When [companies] conduct critical activities on which the nation’s interests depend, we may well need to intervene and regulate,” he said.

U.S. officials are expected to put more cyber demands on critical infrastructure businesses, including water, in 2022, Sidley Austin’s Raman said.

An ongoing shortage of cybersecurity talent will also be an issue, said Mr. Medairy of Booz Allen. (ISC)², a cyber professional association, puts the gap at around 2.7 million worldwide.

“We are facing a significant cyber staff and talent shortage and the government cannot solve the problem on its own,” Medairy said.

But while the government’s desire for stricter cybersecurity rules continues, it is unclear how effective these changes have been.

A mandate to report violations is supported by both parties in both the House and Senate, although it was removed from the National Defense Authorization Act as part of a compromise to pass the bill. Senior officials, including Cybersecurity and Infrastructure Security Agency director Jen Easterly, have urged lawmakers to pass these laws with tight incident reporting deadlines.

Justice Department officials also said that without more rules from Congress in 2022, such as mandatory reporting of violations, whether attacks are increasing or decreasing is difficult to answer.

“If we knew the big picture, the Federal Bureau of Investigation or someone else could come back with a response saying we had 100% coverage and saw an increase or decrease. We’re not there right now,” said Principal Associate Deputy Attorney General John Carlin at a WSJ Pro cybersecurity conference in December.

Write to James Rundle at james.rundle@wsj.com

Copyright © 2021 Dow Jones & Company, Inc. All rights reserved.
