Since Russia invaded Ukraine the United States has been living under the threat of a cyber attack from Russia in response to the United States helping Ukraine.

 

The United States Senate passed a bill called Cyber Incident Reporting for Critical Infrastructure Act of 2022 to make it mandatory for certain organizations to report cyber incidents.

 

If you could vote directly on this policy, would you vote for it or against it?

The first question is, how serious is the cyber threat? One of the most high-profile examples of a cyber attack was the Colonial Pipeline hack in 2021. According to this article from TechTarget:

“The Colonial Pipeline was the victim of a ransomware attack in May 2021. It infected some of the pipeline’s digital systems, shutting it down for several days. The Colonial Pipeline comprises more than 5,500 miles of pipeline.”

Okay, so what were the consequences of this ransomware attack?

“The shutdown affected consumers and airlines along the East Coast. The hack was deemed a national security threat, as the pipeline moves oil from refineries to industry markets. This caused President Joe Biden to declare a state of emergency.”

How much was the ransom and was it paid?

“The goal for attackers in a ransomware attack is to have the victim pay a ransom, which is exactly what Colonial Pipeline did. The DarkSide attackers asked for a ransom of 75 bitcoin, which was worth approximately $4.4 million on May 7.”

So let’s get clear about what this bill is proposing. According to this article from Politico:

“The bill would require a wide range of companies responsible for U.S. critical infrastructure to report cybersecurity incidents to the government to the Cybersecurity and Infrastructure Security Agency.”

Okay, so these critical organizations will have to report the incident but who will receive the report?

“The White House’s statement late Thursday came just a day after senior leaders of the Justice Department and the FBI sharply criticized the bill for not requiring hack reports to go jointly to CISA and the bureau.”

If the objective of the bill is to report cyber incidents you would think that the FBI would also receive the report.

Deputy Attorney General Lisa Monaco said the legislation “makes us less safe,” and FBI Director Christopher Wray said the bill “has some serious flaws.”

This is my personal opinion on this issue:

It’s understandable that organizations don’t want to report a cyber incident because it’s embarrassing. The customers and partners of the organization will naturally start wondering whether this is a reflection of a general lack of competence and they’ll consider whether they still want to do business with them.

But we all know that the greater good is more important than protecting the egos of one organization. 

If information about a cyber attack can help other organizations protect themselves then it seems obvious that these cyber incidents should be reported to one central agency that can use the information to warn anyone else that might be vulnerable. 

If the FBI is the organization that will ultimately investigate the crime then it seems pretty weird for the FBI to be left out of the loop.

I’ve created a listing on the One Direct Democracy platform so that we can develop ideas about how the Cyber Incident Reporting for Critical Infrastructure Act can be improved. 

You can add your own ideas or vote and comment on ideas from other people. You can also create your own listings for people to vote on. It’s a simple way to get used to using the One Direct Democracy system.