The Senate Homeland Security and Governmental Affairs Committee released a 51-page report on ransomware attacks and payments, along with a recommendation for the Cybersecurity and Infrastructure Security Agency (CISA) to employ regulatory powers granted to the agency in order to require reporting of ransomware attacks and payments. CISA has issued estimates indicating that only 25% of ransomware attacks and payments in the U.S. are reported to regulatory agencies.
Currently, CISA requires reporting only of attacks on critical infrastructure in the United States. Incidents must be reported within 72 hours, and ransomware payments within 24 hours. However, CISA has been granted considerable authority in the recently passed Cyber Incident Reporting for Critical Infrastructure Act of 2022, signed into law as part of the Consolidated Appropriations Act of 2022, which mandates incident reporting of substantial cyber-attacks and ransomware payments against critical infrastructure. The law has given CISA two years to give notice of additional rule proposals on reporting and another 18 months to issue the final regulations.