Last week, a $1.5 trillion funding bill for the government was signed into law. It should be noted that this funding bill passed the Senate with a unanimous vote. That by itself is remarkable these days. I am telling you this because part of that new law mandates that owners and operators of critical U.S. infrastructure must report when they are hacked, and they must report if they paid a ransomware demand. The reporting window is 72 hours for a breach, but only 24 hours if a ransom is paid. These reports go to the Homeland Security Department’s CISA, the Cybersecurity and Infrastructure Security Agency. CISA has two years to work out the details of when this law goes into effect.
Why Is Having To Report Cybercrime A Big Deal?
According to the Department of Justice, only 1 in 7 cybercrimes is reported. Viewed another way, over 85% of all cybercrime remains hidden within the compromised organization. While the obvious public relations reasons come to mind at once, I also believe that limited understanding of the whole subject is perhaps a larger factor. Many people do not grasp the universal vulnerability of all commerce, all enterprises, all well-intended charities, sports, municipalities, and health services: any entity that uses computers has a high probability of being hacked. What I have learned as an IT consultant is that most people have only a rudimentary knowledge of computers, networks, and servers. This is why it always pays to have experts in the field overseeing security issues. Your breach will happen. Prevention strategies are a must.
What Is “Critical U.S. Infrastructure?”
A government directive identifies 16 critical infrastructures and associated Federal Sector-Specific Agencies (known as SSAs). These are Chemical, Commercial Facilities, Communications, Critical Manufacturing, Dams, Defense Industrial Bases, Emergency Services, Energy, Financial Services, Food and Agriculture, Government Facilities, Healthcare and Public Health, Information Technology (IT), Nuclear Reactors, Materials, Waste, Transportation Systems, and Water and Wastewater Systems. This list is subject to change, which is a good thing. The bottom line: the timely reporting of cybercrime is no longer a choice. It’s the law. Remember, critical infrastructure often relies on connected technologies. A good example of this is the WannaCry “worm.” This virus scrambled data on more than 300,000 computers in 150 countries. In the UK, WannaCry infected the National Health Service and forced the cancellation of large numbers of medical appointments. Every type of data breach has wide-ranging effects.
Central And Timely Reporting Will Help Protect All Of Us
The damage done by any data breach is penalty enough. This new law requiring timely reporting to a central agency will help the U.S. work quickly to recognize and repel every new cyber assault and to track and repair its effects on ancillary entities. The large corporations and institutions targeted will still have to account for the attack with their customers and affiliates, but they can no longer try to quash the event itself. Cyberattacks are the newest form of warfare, and probably can be the most cumulative. We already pool information for potential acts of war via land, sea, air, and space. It’s time to use our collective knowledge to defend against cyberattacks as well.
Look again at the categories listed above as critical infrastructure. Does your small or mid-sized business provide tangential goods and/or services to any of those? Should you report to CISA if you get hacked? Aptica can help you answer these questions. We also offer a FREE assessment of your current IT systems. It always starts with a conversation to be sure our company is the right fit for yours. Give us a call. 260.243.5100
Jason Newburg, 260.243.5100, ext. 2101, is the founder and owner of Aptica LLC. This IT management and support company has been serving small to medium-sized businesses for 20 years in the region that includes Angola, South Bend, and Fort Wayne, IN; Battle Creek, MI; and Toledo, OH.