Cyberattacks have become front-page news. We witnessed this most recently as Russia invaded Ukraine: cyberattacks were the first salvo, launched before any bullet or missile was fired.
We live in an increasingly digitized world where digital footprints are left behind, leaving evidence of nearly everything we do. This enables our adversaries to gain extremely valuable information and to steal, disrupt or even harm with simple keystrokes on a distant computer.
Quantum computers pose yet another looming threat, since it has been mathematically proven that a sufficiently powerful quantum computer will crack the public-key encryption in use across the world today. When such computers come online, any company or federal agency that has not upgraded to post-quantum cybersecurity will leave its data exposed to attackers. Even worse, data being stolen today is already sitting on servers in other countries, waiting to be decrypted once quantum computers arrive.
It is now more important than ever for companies to share cyberattack and ransomware data with the government to ensure that we can defend and prepare much better than before.
On March 15, 2022, new bipartisan cyber incident reporting legislation, the “Cyber Incident Reporting for Critical Infrastructure Act,” was passed by Congress and signed by President Joe Biden. It requires critical infrastructure leaders in commercial enterprises and government to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS).
Ransomware payments must be reported within 24 hours, and all other covered cyber incidents must be reported within 72 hours. The reporting requirements, however, will not take effect until CISA issues rules and guidelines for entities that incur cyber incidents. CISA still needs to define which entities are required to report and which cyber incidents qualify for reporting.
According to Michigan Senator Gary Peters, chair of the Senate Homeland Security Committee, “This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people.”
At this point, the companies and agencies that could be required to report fall under Presidential Policy Directive 21 (PPD-21), which covers these critical infrastructure sectors: financial services, food and agriculture, government facilities, dams, critical manufacturing, communications, chemical, commercial facilities, defense industrial base, emergency services, energy, healthcare, information technology, nuclear reactors, materials and waste, public health, transportation systems, and water systems.
The bill defines a cyber incident as “an occurrence that actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information on an information system, or actually or imminently jeopardizes, without lawful authority, an information system.”
Privacy is a concern
Any entity required to report cyber incidents can face shareholder and consumer backlash, which is why organizations have been hesitant to report breaches. We have seen in the past how many cyber incidents have gone unreported as large brands and agencies tried to prevent a loss of trust. In the case of this bill, however, there are protections designed to mitigate the problems that reporting cyber and ransomware incidents could create. A partial list of those protections includes:
• CISA will anonymize the reporting entity
• All of the reported information will remain proprietary to the reporting entity if it so desires
• Reports cannot be used in enforcement or regulatory actions against reporting entities
Some experts worry that inflexible or inaccurate requirements, or shortages of expertise and staff, could cause confusion and do more harm than good. As with any great plan, success lies in effective execution. The tradeoff, however, is that we will have a chance at understanding how our adversaries are targeting government agencies, commercial entities and other critical infrastructure groups with cyberattacks. If the information flow is timely and accurate, it will allow other entities to protect themselves before they experience an attack type that is already known but not yet widely shared.
Sharing attack intel
This bill was considered urgent by government leaders because our commercial enterprises, federal agencies and suppliers of critical infrastructure have seen increased cyberattacks and ransomware breaches that dramatically affected our nation’s energy and food supplies, and disabled some schools. For example, in 2021 Colonial Pipeline was hacked, and the company decided to pay $5 million in ransom because most of the East Coast’s fuel supply had been shut down.
Panicked East Coast Americans began hoarding gas due to a major disruption in fuel supply. The company did not notify the federal government about the ransomware attack until well after it happened.
Many cyber and ransomware breaches currently go unreported because they create reputational problems for companies and government agencies. After all, who wants to report a breach that caused critical data or operational losses? For commercial enterprises, this can lead to lawsuits, decreased shareholder value and a loss of confidence in the brand. For government agencies, leaders must admit to cybersecurity failures.
However, if commercial, government and critical infrastructure entities share information, it will help all of us to learn quickly and prepare for such attacks. And if information about cyber breaches and ransomware attacks is shared quickly enough, we can warn our nation’s largest and most important companies and federal agencies, which could mitigate further damage. This is even more urgent because quantum computers will increase our risk of critical infrastructure disruption or failure.
About the essayist: Skip Sanzeri is COO of QuSecure, supplier of QuProtect™, a state-of-the-art, software-based quantum security solution.
This is a Security Bloggers Network syndicated blog from The Last Watchdog, authored by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-why-organizations-need-to-prepare-for-cyber-attacks-fueled-by-quantum-computers/