Can new US cybersecurity bills slow the rise of ransomware?

Cybersecurity is now front of mind not just for organizations and IT leaders, but for the US government too. The House Energy and Commerce Committee recently advanced a set of eight cybersecurity bills aiming to address key vulnerabilities in networks and supply chains, and to educate the American public on cybersecurity best practices.

The new bills specifically aim to strengthen critical infrastructure security against physical and cybersecurity threats. They also aim to mitigate the risk of energy supply disruptions (like those seen in the Colonial Pipeline ransomware attack) in the event of future incidents.

The new bills have been widely welcomed on both sides of the political spectrum. So why have lawmakers come together in such a strongly bipartisan way on the issue of cybersecurity? And what impact could the bills have on the ever-increasing threat of ransomware?

A growing cybersecurity threat

For some people, it has taken a spate of high-profile ransomware attacks across the US to bring one fact into sharp focus: cyberattacks are a major national security issue. The Colonial Pipeline attack disrupted not just the organization itself, but fuel supply across much of the East Coast. This offered the public a concerning insight into how critical infrastructure can be crippled by a cyberattack.

Others have been worried about US cybersecurity for some time, and have long believed future attacks on the US could take the form of cyberattacks on critical infrastructure, such as water. Sen. Angus King (I-Maine), the co-chairman of the Cyberspace Solarium Commission (CSC), testified to the Senate Environment and Public Works Committee: “I believe that the next Pearl Harbor, the next 9/11, will be cyber, and we are facing a vulnerability in all of our systems, but water is one of the most critical and I think one of the most vulnerable.”

This is already a real and present danger.

In 2020, the Boston Water and Sewer Commission was hit by a ransomware attack. While it was able to recover without any operations being compromised, the warning signs are there for the nation’s 50,000 drinking water systems and 16,000 wastewater systems – and all other forms of critical US infrastructure too. It’s never been clearer that they require the resources and knowledge to effectively respond to a cyberattack.

What laws have been advanced?

In June of this year, the House of Representatives passed the Enhancing State Energy Security Planning and Emergency Preparedness Act (H.R. 1374) to provide federal funds to state governments for developing energy security plans. This would reauthorize and fund the Department of Energy's State Energy Program from 2022 to 2026 at $90m annually, for a total of $450m.

At the end of July (also this year), the House Energy and Commerce Committee advanced eight bills aimed at bolstering the nation's cybersecurity, and in particular the protection of critical infrastructure. The package was widely supported, with the House of Representatives voting 398-21 in favor of the bills. A similar measure has not yet been introduced in the Senate, though the level of bipartisan support means the bills are widely expected to pass and be signed into law.

What do the new bills say?

Eight bills were advanced, but we've picked out four of particular interest here to take a closer look at:

  • Secure Equipment Act of 2021: directs the Federal Communications Commission to "prevent further integration and sales of devices" from a list of Chinese firms in the US. The bill would not apply to equipment retroactively, according to a statement from the committee.
  • Information and Communication Technology Strategy Act: directs the Secretary of Commerce to report within one year on the state of economic competitiveness of trusted vendors in the information and communication technology supply chain.
  • Understanding Cybersecurity of Mobile Networks Act: calls for a congressional report on cybersecurity of mobile service networks, examining the susceptibility of those networks and mobile devices to surveillance or attacks in consultation with the Department of Homeland Security.
  • American Cybersecurity Literacy Act: this bill would require the NTIA (National Telecommunications and Information Administration) to develop and conduct a cybersecurity literacy campaign to educate US individuals about common cybersecurity risks and best practices.

A significant step for US cybersecurity

For several years, there have been ominous warnings about the possibility of ransomware and other cyberattacks on critical infrastructure with the potential to cause severe economic and civil disruption, and even loss of life. It's encouraging to see politicians coming together to shore up American defenses against this serious threat.

After years of divisive politics, this united bipartisan front will be incredibly important in combating the rising tide of cyberattacks. Unlocking funding at a state level will be key to ensuring critical organizations stay safe, in particular the smaller (often non-profit) organizations running electrical generation and water treatment facilities.

In addition, the private sector will receive financial incentives for helping improve states' energy cybersecurity, which experts say will be key in the fight to secure systems against external hackers.

Organizations still need intelligent security

It's positive to see a united front being formed to secure supply chains and critical infrastructure against cyberattacks. However, organizations still need to keep their own security up to scratch. While critical infrastructure and national security are front of mind for the US government, it would be a mistake to think cybercrime is not a problem for the average American business.

Organizations of all sizes will still need to take responsibility for securing their own defenses, and specifically their human layer. Over 90% of ransomware is delivered by email phishing, meaning these attacks rely on an insider unwittingly opening an attachment or following a link before the malware ever runs. Without intelligent anti-phishing controls in place, alongside the basics of offline backups, patching and multi-factor authentication, you remain wide open to ransomware attacks.

The government is preparing itself for the rise in ransomware attacks – and the business world should be doing the same. Egress Defend uses machine learning and natural language processing capabilities to detect even the most sophisticated phishing attacks in real time. Learn more about Egress Defend here or book a no-strings-attached demo and see the results for yourself.