The Biden administration is warning American businesses about the risks of Russian cyberattacks and is urging them to comply with a new law that will require them to report hacks. Executives have questions about what the legislation means for them, as some details of the law remain unclear.
President Biden encouraged private companies to strengthen their defenses. Administration officials are worried about attacks on critical sectors.
"It's part of Russia's playbook," Mr. Biden said of potential cyberattacks by Russia in response to sanctions imposed by the United States.
The spending package that Mr. Biden signed last week included the new law. The law requires companies to report a hack to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and to alert the agency within 24 hours of paying a ransom.
The agency plans to distribute information about the attacks throughout the government in order to improve the investigation and prevention of similar attacks.
Jen Easterly, the agency's director, said in a statement that the agency will use the reports from private sector partners to build a common understanding of how adversaries are targeting U.S. networks and critical infrastructure.
The law leaves many details open to interpretation, and the rule-making process in which those details will be hammered out could take months. The agency will decide when the clock starts on the reporting deadline and which kinds of companies must report incidents. The law applies only to companies that provide critical infrastructure, but the agency can narrow it further to a smaller group of companies.
In a teleconference with businesses on Tuesday, the agency stressed that even seemingly small threats should be reported because of the looming risk of Russian cyberattacks, in the hope that any incident could provide important breadcrumbs leading back to a sophisticated attacker.
There are concerns that a lot of information about minor incidents could cloud the agency's view of serious attacks. The agency said on Tuesday that it wouldn't usually request such a level of detail but that it wanted to be careful.
A lot of the real details are going to have to be worked out in the rule-making process, according to Christopher D. Roberti, the senior vice president for cyber, intelligence and supply chain security policy at the U.S.
Business leaders will have a say in how the law is applied because the law requires the cybersecurity agency to work with companies.
Last year, cyberattacks disrupted operations at major American businesses, including a meat supplier and a fuel distributor. The attacks interfered with Americans' ability to get essential supplies.
The authors of the incident reporting legislation said the law would help companies like JBS Foods and Colonial recover more quickly after attacks, with guidance and assistance provided by the cybersecurity agency.
Delaying disclosures has been costly for companies. Yahoo paid a $35 million fine for failing to report a hack, and a former executive at a ride-sharing company has been charged with obstruction and fraud over his handling of a 2016 data breach.
The Information Technology Industry Council has heard from companies in the last year about how inconsistent and unstreamlined the incident reporting landscape is. We think that incident reporting can give useful information that can help shape specific responses.
Corporate leaders are hopeful that the new federal law will become a model for other legislators and government officials, because it would let companies avoid a tangle of separate, overlapping incident reporting requirements.
While the rule-making process is under way, companies will not be required to report security incidents, but the agency has urged them to share information with the government voluntarily.
It will be several months before the requirements kick in, so we encourage entities to share cyberthreat information and report incidents to CISA as much as possible, especially considering the ongoing tensions in Ukraine and the threat of cyberattacks to the homeland.
On Tuesday, representatives from critical infrastructure companies asked Ms. Easterly about what threats they might face from Russia and how they could prepare. Some of their employees could not receive classified materials that might help them prepare for a cyberattack, so they asked for more government funding to buy cybersecurity software.
The agency recommended that businesses take basic precautions, like requiring employees to use multifactor authentication and keeping software up to date.
Ms. Easterly said that those steps can contribute to stopping further attacks.