New bill would task CISA with infrastructure risk assessments

A new Senate bill would mandate the Department of Homeland Security continually reassess risks to critical infrastructure and that the White House provide a report to lawmakers outlining what legislative steps should be taken to mitigate potential problems.

The National Risk Management Act, introduced by Sens. Maggie Hassan (D-N.H.) and Ben Sasse (R-Neb.), would direct the Cybersecurity and Infrastructure Security Agency to outline key risks every five year across multiple sectors including chemical, commercial facilities, communications, defense, energy and others.

"When a criminal shuts down a hospital system to get a ransomware payment or a foreign adversary hacks government agencies, we face grave threats to our national security and well-being," Hassan said.

Ransomware in particular has been a growing threat since the pandemic started. Multiple cybersecurity firms have reported in their annual threat assessments ransomware attacks have been increasing in volume and complexity.

That uptick has been noted by DHS as well where Secretary Alejandro Mayorkas has initiated a series "60-day sprints" with ransomware being first on the list. The Justice Department has also established a new task force dedicated to cracking down on ransomware, according to multiple press reports.

"The rules of war are being re-written. China and Russia are increasingly brazen in their use of cyber tools to get inside American critical infrastructure networks," Sasse said. "These critical systems must be more resilient. It's time to get serious about the future of war and how we protect the systems that allow our daily life to run smoothly."

Within one year of DHS delivering its assessment to the White House, the president would have to produce a "national critical infrastructure resilience strategy designed" to address those risks.

Risks to infrastructure have been increasingly on legislators' minds as they continue to confront the consequences of the intrusion involving SolarWinds as well as varying attacks on industrial control systems. The White House and the intelligence community have stated multiple times the attack on SolarWinds was an espionage campaign, but that has not stopped lawmakers from questioning officials about the consequences if hackers had decided to do more than gather information.

DHS and the FBI on Monday issued a new advisory describing ways to counter tactics and techniques used by Russia's foreign intelligence service, SVR, which the White House on April 15 formally attributed as the attackers behind the intrusion involving SolarWinds.

The advisory says the agencies noticed the SVR shift its tactics starting in 2018 to move away from using malware to targeting the cloud and e-mail servers as a way to gather information, which was done in the case of SolarWinds and exploiting zero-day flaws in Microsoft Office 365.

"Targeting cloud resources probably reduces the likelihood of detection by using compromised accounts or system misconfigurations to blend in with normal or unmonitored traffic in an environment not well defended, monitored, or understood by victim organizations," according to the advisory.

The advisory also describes the SVR's use of password spraying exploits and the "WELLMESS" malware.

"These intrusions, which mostly relied on targeting on-premises network resources, were a departure from historic tradecraft, and likely indicate new ways the actors are evolving in the virtual environment," the advisory says of a 2020 WELLMESS attack on the governments of the U.S., Canada and United Kingdom.