What the Newly Signed US Cyber-Incident Law Means for Security
When President Biden signed the omnibus spending bill Tuesday, he also put the bipartisan Cyber Incident Reporting Act into effect, which requires critical infrastructure companies in the 16 industry sectors identified by the federal government to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a cyberattack and within 24 hours of making a ransomware payment.
While this wasn't the all-encompassing data breach law that has been stalled in Congress for many years, it was notable in that the Senate passed the legislation unanimously. The bill was championed by Sen. Gary Peters (D-Mich.) and Sen. Rob Portman (D-Ohio); it covers a broad swath of the economy, including the defense industrial base sector, which has more than 100,000 companies alone.
"It's a game changer," says Tom Kellermann, head of cybersecurity strategy at VMware. "It's a fundamentally important strategic decision made by the federal government to finally eliminate the plausible deniability that had existed for far too long. ... Corporations have [for some time] underinvested in cybersecurity because they could always maintain plausible deniability."