Phishing

Can new US cybersecurity bills slow the rise of ransomware?

Cybersecurity is now front of mind not just for organizations and IT leaders, but for the US government too. The House Energy and Commerce Committee recently advanced a set of eight cybersecurity bills aiming to address key vulnerabilities in networks and supply chains, and educate the American public on cybersecurity best practice.

The new bills specifically aim to strengthen critical infrastructure security against physical and cybersecurity threats. They also aim to mitigate the risk of energy supply disruptions (like those seen in the Colonial Pipeline ransomware attack) in the event of future incidents.

The new laws have been widely welcomed on both sides of the political spectrum. So why have lawmakers come together in such a unanimous bipartisan way about the issue of cybersecurity? And what impact could the bills have on the ever-increasing threat of ransomware?

A growing cybersecurity threat

For some people, it’s taken a spate of high-profile ransomware attacks across the US to bring a fact into sharp focus: cyberattacks are a major national security issue. The Colonial Pipeline attack saw not just disruption to the organization itself, but a disruption to the entire East Coast gas supply. This offered the public a concerning insight into how critical infrastructure can be crippled by a cyberattack.

Others have been worried about US cybersecurity for some time, and have long believed future attacks on the US could take the form of cyberattacks on critical infrastructure, such as water. Sen. Angus King (I-Maine), the co-chairman of the Cyberspace Solarium Commission (CSC), testified to the Senate Environment and Public Works Committee: “I believe that the next Pearl Harbor, the next 9/11, will be cyber, and we are facing a vulnerability in all of our systems, but water is one of the most critical and I think one of the most vulnerable.”

This is already a real and present danger.

In 2020, the Boston Water and Sewer Commission was hit by a ransomware attack. While it was able to recover without any operations being compromised, the warning signs are there for the nation’s 50,000 drinking water systems and 16,000 wastewater systems – and all other forms of critical US infrastructure too. It’s never been clearer that they require the resources and knowledge to effectively respond to a cyberattack.

What laws have been advanced?

In June of this year, the House of Representatives passed the Enhancing State Energy Security Planning and Emergency Preparedness Act (H.R. 1374) to provide federal funds to state governments for developing energy security plans. This would reauthorize and fund the Department of Energy's State Energy Program from 2022 to 2026 at $90m annually, for a total of $450m.

At the end of July (also this year), the House Energy and Commerce Committee passed eight bills aimed at bolstering the nation's cybersecurity, and in particular the protection of critical infrastructure. It was widely supported, with the House of Representatives voting 398-21 in favor of the bills. A similar measure has not yet been introduced in the Senate, though the level of bipartisan support means it’s expected to be signed into law.

What do the new bills say?

Eight new bills were passed, but we’ve picked out four of particular interest here to take a closer look at:

  • Secure Equipment Act of 2021: directs the Federal Communications Commission to "prevent further integration and sales of devices" from a list of Chinese firms in the US. The bill would not apply to equipment retroactively, according to a statement from the committee.
  • Information and Communication Technology Strategy Act: directs the Secretary of Commerce to report within one year on the state of economic competitiveness of trusted vendors in the information and communication technology supply chain.
  • Understanding Cybersecurity of Mobile Networks Act: calls for a congressional report on cybersecurity of mobile service networks, examining the susceptibility of those networks and mobile devices to surveillance or attacks in consultation with the Department of Homeland Security.
  • American Cybersecurity Literacy Act: interestingly, this bill was passed which would require the NTIA (National Telecommunications and Information Administration) to develop and conduct a cybersecurity literacy campaign to educate US individuals about common cybersecurity risks and best practices.

A significant step for US cybersecurity

For several years, there have been ominous warnings about the possibility of ransomware and other cyberattacks on critical infrastructure with the potential to cause severe economic and civil disruption, and even loss of life. It’s encouraging to see that politicians are coming together to shore up American defences against this serious threat.

After years of divisive politics, this united bipartisan front will be incredibly important in combatting the rising tide of cyberattacks. Unlocking funding at a state level will be key to ensuring critical organizations stay safe, in particular smaller (often non-profit) organizations running electrical generation and water treatment facilities.

In addition, the private sector will receive financial incentives for helping improve states' energy cybersecurity, which experts say will be key in the fight to secure systems against external hackers.

Organizations still need intelligent security

It’s positive to see the united front being made to secure supply chains and critical infrastructure against cyberattacks. However, organizations need to ensure they’re keeping their own security systems up to scratch. While critical infrastructure and national security is front of mind for the US government, it would be a mistake to think cybercrime is not a problem for average American businesses.

Organizations of all sizes will still need to take responsibility for securing their own defenses, specifically their human layer. Over 90% of ransomware is delivered by email phishing, meaning these are attacks that rely on the unwitting actions of an insider to come to fruition. Without intelligent anti-phishing solutions in place, you’re wide open to ransomware attacks.

The government is preparing itself for the rise in ransomware attacks – and the business world should be doing the same. Egress Defend uses machine learning and natural language processing capabilities to detect even the most sophisticated phishing attacks in real time. Learn more about Egress Defend here or book a no-strings-attached demo and see the results for yourself.

Related articles

Ceofraud555x300

What is phishing?: The Ultimate Guide

Everything you need to know about phishing in one place
Invoice Fraud Dollars555x300

Invoice fraud: Everything you need to know

Invoice fraud is an effective cyberattack to which nearly half of all businesses fall victim. We've outlined what to keep in mind and the intelligent email security tools you can deploy to protect yourself. 
Phishingpreventiondevices555x300

How to stop phishing: The power to bulk remove emails from inboxes

Prefer to bulk remove emails from inboxes or use them for real-time education? Learn how to do both with Egress Defend. 
Anti Phishing Training 555X300

Why anti-phishing training needs augmenting with intelligent tech

Learn how to make your organization's training efforts more successful by creating real-time teachable moments with intelligent tech.