Oh joy, Bleeping Computer’s The Week in Ransomware is back after two weeks and it is chock-a-block full of useful information. Check it out.
From the entrepreneurial hacking front, Bleeping Computer also reports that “Hackers are actively scanning for and exploiting a recently disclosed Atlassian Confluence remote code execution vulnerability to install cryptominers after a PoC exploit was publicly released. Atlassian Confluence is a very popular web-based corporate team workspace that allows employees to collaborate on projects.”
Cyberscoop reports on ongoing discussions on Capitol Hill aimed at reaching a consensus on wide-ranging cybersecurity incident reporting legislation.
Battle lines are drawn in Congress over legislation that would require companies to report some cyber incidents to the federal government, with industry groups lining up to support a House of Representatives bill poised to create fewer challenges for business leaders than a similar proposal in the Senate.
The debate involves questions about how quickly companies would have to report attacks, what kinds of specific intrusions would trigger notification and whether failure to comply with the rules would lead to financial penalties. The idea of breach notification legislation gained momentum following last year’s discovery of the SolarWinds hack that compromised nine federal agencies and some 100 companies, as well as the Colonial Pipeline ransomware attack in May.
At issue are such questions as whether companies have 24 or 72 hours to report an incident, along with who would be on the hook outside of critical infrastructure owners and operators, if anyone.
The bill under discussion in the House would provide companies that share breach data protections against lawsuits, and specifies no punishments for not complying. The Senate bill authorizes financial penalties tied to a company’s gross revenue. Naturally, the private sector prefers not to face penalties, according to the Senate aide.
And while the Senate legislation leaves it to CISA to define what kinds of “cybersecurity incidents” trigger notification requirements, the House legislation defines them as those “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.” Further, the Senate version requires reporting of confirmed and potential intrusions, while the House bill only applies to confirmed intrusions.
Because there is no Congressional election this year, Congress will have plenty of time this fall to resolve these differences and enact a law.
A friend of the FEHBlog called his attention to this very useful list of cybersecurity resources created by the College of Healthcare Information Management Executives (“CHIME”).