United States: Congressional Response to Ransomware and its Impact on the Transportation Sector and Other Industries
Ransomware is a national security issue that affects all sixteen critical infrastructure sectors, including the transportation and healthcare sectors.
Over the past year, ransomware attacks have made major headlines. In May 2021, Colonial Pipeline — which transports 100 million gallons per day of gasoline, diesel, and jet fuel — was shut down due to a ransomware attack. The company paid a ransom of $4.4 million. In June 2021, JBS — the largest meat production company in the world — was shut down due to a ransomware attack, and it paid a ransom of $11 million.
These are not isolated incidents. According to one source, the U.S. suffered 65,000 ransomware attacks in 2020 alone. The Department of Health and Human Services reports that in 2020, there were 80 ransomware incidents affecting 560 healthcare organizations, which caused ambulances to be rerouted, radiation treatments to be delayed, and loss of access to medical records. Similarly, an IBM report reveals that in 2020, the transportation industry was among the top 10 most cyberattacked industries.
In 2020, ransomware payments reached over $400 million. A leading cybersecurity company reports that in 2020, the average ransomware payment was over $300,000, and the highest ransomware payment was $30 million.
Recently, President Biden issued an Executive Order on Improving the Nation’s Cybersecurity and observed that “Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.” President Biden also issued a memorandum about the need to improve cybersecurity for critical infrastructure control systems.
To address the ever-growing problem of ransomware and other forms of cyberattacks, Congress has introduced a spate of bills this year. Among them:
- The Cyber Incident Notification Act of 2021 amends the Homeland Security Act of 2002 and requires companies in critical industry sectors, including the transportation sector, to notify the Department of Homeland Security within 24 hours of a cybersecurity intrusion event. Companies that violate this Act may be assessed a civil penalty as high as 0.5 percent of the entity’s gross revenue for the prior year for each day the violation continued or continues.
- The Cyber Response and Recovery Act of 2021 amends the Homeland Security Act of 2002 and establishes a $20 million cyber response fund for private and public entities to respond and recover from cyberattacks. The funds may also be used for technical assistance, threat detection, and network protection.
- The Infrastructure Investment and Jobs Act is a five-year surface transportation reauthorization bill that includes a cybersecurity enhancement and resiliency grant program for Amtrak.
Other related bills include the Cybersecurity Vulnerability Remediation Act, the CISA Cyber Exercise Act, the International Cybercrime Prevention Act of 2021, and the Pipeline Security Act.
Whether a variation of any of these bills ultimately passes into law remains to be seen. We will continue to monitor these bills. In the interim, we recommend that our clients be proactive with their cybersecurity efforts and encourage the following:
- Review the Cybersecurity and Infrastructure Security Agency’s Ransomware Guide (September 2020);
- Evaluate contracts with vendors that provide cybersecurity services and determine the vendor’s liability when there is a ransomware attack or data breach;
- Evaluate contracts with vendors that provide third party services and manage confidential customer or patient information (e.g., birthdates, social security numbers, credit card numbers, and medical records) and determine the vendor’s liability when there is a ransomware attack or data breach;
- Evaluate contracts with customers to determine whether cyberattacks may be characterized as force majeure events;
- Weigh the costs of purchasing cyber liability insurance policies to mitigate financial losses from business interruptions, data theft, and ransom payments;
- Scrutinize the scope of any existing cyber liability insurance policies and understand what is (and may not be) covered under the policies;
- Cultivate relationships with IT consultants and forensic data experts who have experience dealing with cyberattacks;
- Develop an incident response program;
- Regularly run awareness and training exercises throughout the organization;
- Frequently create and store backup data offline; and
- Continuously invest in, install, and audit multiple controls that may prevent or reduce the incidence of cyberattacks (e.g., multi-factor authentication, regular software patching, anti-malware software, and a firewall).