Roundtable and Business Coalition Weigh In on Legislation Requiring Ransomware Attack Reports


Bipartisan legislation that would require private sector companies to report ransomware attacks to federal authorities was advanced this week by the Senate Homeland Security and Governmental Affairs Committee. A broad, 37-member coalition that includes The Real Estate Roundtable on Oct. 4 provided detailed suggestions to Senate and House congressional committees about provisions that should be included in any bill that would impose a compulsory cyber incident notification program on the business community. (Cybersecurity coalition letter and Committee mark-up)

Why It Matters

  • The Cyber Incident Reporting Act (S. 2875) – sponsored by Committee Chairman Gary Peters (D-MI) and Ranking Member Rob Portman (R-OH) – would require certain owners and operators of critical infrastructure to report hacks within 72 hours and ransom payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Organizations failing to do so could potentially be banned from doing business with the federal government. (The Hill, Sept. 28 and PoliticoPro, Oct. 5)
  • The committee also approved the Federal Information Security Modernization Act of 2021 (S. 2902), which would require agencies and contractors to report on cyberattacks.
  • The congressional bills aim to update the Federal Information Security Modernization Act, signed into law in 2014. Sen. Portman noted two reports issued by the Homeland Security Committee since 2019 that found massive cybersecurity shortcomings at several federal agencies.
  • The Senate Homeland Security Committee’s leadership may seek to merge their legislation with a bill (S. 2010) from the Senate Intelligence Committee. Sen. Peters said he may also seek to include S. 2875 in House-passed defense policy legislation (H.R. 4350), which also includes language requiring the reporting of cyber incidents. (BGov and PoliticoPro, Oct. 5)

Private Sector Concerns


  • The business coalition’s Oct. 4 letter to the Senate Committees on Intelligence and Homeland Security and Governmental Affairs and the House Committee on Homeland Security recommended several provisions that should be central to a mandatory reporting regime, including:
    • Establish a prompt reporting timeline of not less than 72 hours. Legislation should reflect an appropriate, flexible standard for notifying government about significant cyber incidents.
    • Attach reporting to confirmed cyber incidents. Businesses need clarity in reporting requirements, which should be targeted to well-defined and confirmed cyber incidents.
    • Confine reports to significant and relevant incidents. The list of covered entities should be limited in reach—particularly excluding small businesses under existing federal rules—and risk based.
  • The business industry comments also recommended that federal cybersecurity reporting legislation include robust liability protections; consistent federal reporting requirements; restrictions on government use of reported data; and a guarantee of substantial industry input into the rulemaking process.

Identifying Critical Infrastructure


  • In the House, a separate bill that would identify systemically important infrastructure was introduced Oct. 5 by Homeland Security Committee Ranking Member John Katko (R-NY), Rep. Abigail Spanberger (D-VA) and Rep. Andrew Garbarino (R-NY). (Katko one-pager on the bill)
  • The bill would authorize CISA to prioritize infrastructure operators considered so crucial to the U.S. economy, public health and national security that a disruption to their operations due to a cyberattack would be considered debilitating. (Katko news release, Oct. 5) 

The Roundtable’s Homeland Security Task Force continues to work with key law enforcement and intelligence agencies and the Real Estate Information Sharing and Analysis Center (RE-ISAC) on protective measures that businesses can take to create infrastructure resistant to physical damage and cyber breaches.  

#  #  # 

White House Urges Companies to Build Cyber Defenses as Ransomware Attacks Increase; Commercial Facilities Cyber Working Group Sharing Information on Threats

Anne Neuberger, White House Deputy National Security Advisor for Cyber and Emerging Technology

The increasing frequency and size of ransomware cyberattacks on U.S. companies prompted the White House on June 2 to issue a stark warning urging businesses to take “immediate steps” to increase their ransomware defense based on the federal government’s best practices. (White House Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger, above)

A National Threat

  • Ransomware is a type of malicious computer network attack where criminals encrypt an organization’s data and demand payment to restore access. In some instances, attackers may also steal an organization’s information and demand additional payment in return for not disclosing the information to the public.
  • The document from the White House’s Neuberger notes, “All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location. Much as our homes have locks and alarm systems and our office buildings have guards and security to meet the threat of theft, we urge you to take ransomware crime seriously and ensure your corporate cyber defenses match the threat.” (White House, What We Urge You To Do To Protect Against The Threat of Ransomware and Readout of Neuberger Meeting)
  • In the past month, $15 million in cyber-ransom was paid to hackers in bitcoin by Colonial Pipeline and JBS USA, the world’s largest meat-processing company. The U.S. Justice Department reported on June 7 that it had retrieved $2.3 million paid by Colonial. (Axios, June 9 and CNBC, June 8)
  • In an interview with the Wall Street Journal this week, FBI Director Christopher Wray compared the challenge of countering the threat of ransomware to the 9/11 terrorist attacks and said that the agency was currently investigating about 100 different types of ransomware.
  • Wray also testified on June 10 before the House Judiciary Committee that companies should not make ransomware payments to hackers but instead contact the FBI for help to restore stolen data. “There are a whole bunch of things we can do to prevent this activity from occurring, whether they pay the ransom or not, if they communicate and coordinate with law enforcement right out of the gate. That’s the most important part,” Wray said. (AP, June 10)
  • Additional hearings this week on ransomware and other cyber threats to infrastructure were held by the Senate Homeland Security and Governmental Affairs Committee on June 8 and the House Homeland Security Committee on June 9.

CRE and Cybersecurity


  • The RE-ISAC has worked with InfraGard National Capital Region (InfraGardNCR) to establish the Commercial Facilities Cyber Working Group (CCWG), a virtual effort to share cyber threat intelligence. The group shares threat reports, ransomware victim examples, and other information on a regular basis. 

Resources and Reference


For more information, contact Gate 15 Managing Director and RE-ISAC staff Andy Jabbour or The Roundtable’s RE-ISAC Executive Director and HSTF Liaison Chip Rodgers.

#  #  #