Ransomware Attack Births Reporting Mandate

A recent spate of ransomware attacks on U.S. companies has sparked new regulations.

A new regulatory regime is emerging in the aftermath of the May 6 Colonial Pipeline ransomware attack, which paralyzed fuel deliveries along the East Coast of the United States and caused gas prices to surge. And while the emerging rules immediately target the pipeline industry, they have implications for the entire infrastructure sector.

A new directive, issued by the US Department of Homeland Security (DHS), requires pipeline companies to report cyberattacks to the government for the first time; previously, reporting ransomware attacks had been optional. More rules, including mandatory self-assessments for cybersecurity readiness, will soon follow, according to the Washington Post.

When Colonial, one of the largest pipeline companies in the US, lost control of its computer system on May 7 to a hacking group called DarkSide, it preemptively shut down all its operations. The shutdown lasted nearly a week, until Colonial made a ransomware payment of 75 Bitcoin, worth about $4.4 million.

Regulators often struggle to keep up with new technologies, and ransomware, a form of extortion unique to the computer age, clearly has companies worried. A survey of 1200 IT leaders by the Information Systems Audit and Control Association after the Colonial attack found that 84% believe ransomware attacks will be more prevalent in the second half of 2021. Only 32% of respondents said their organizations were “highly prepared” to deal with such attacks.

“It is time to establish mandatory pipeline cybersecurity standards similar to those applicable to the electricity sector,” said Richard Glick, chairman of the Federal Energy Regulatory Commission, in a public statement. “Encouraging pipelines to adopt best practices voluntarily is an inadequate response to the ever-increasing number and sophistication of malevolent cyber actors.” Most US infrastructure sectors, such as healthcare and dams, do not have mandatory cybersecurity standards.

The new rules carry a stick. If companies fail to fix any problems uncovered during self-assessments, they will be subject to financial penalties. The hope is that making cybersecurity a requirement, not just an option, will remove any excuse for companies not to invest in robust cyber-infrastructure.