Ransomware Regulation for Critical Infrastructure and Beyond: Recent Federal Approaches and the Possibility of a More Systematic Framework for Combatting Attacks


By: Ryan Mayo

Recent ransomware cyberattacks on critical infrastructure, including the devastating attack on Colonial Pipeline, have forced the federal government to consider new regulations and legislation immediately to protect American interests. As regulators and Congress move quickly, industries and businesses beyond those involved in recent critical infrastructure attacks should keep a watchful eye on potential legal requirements stemming from broader federal initiatives in the months ahead.

On May 28, 2021, less than a month after the Colonial Pipeline attack, the Transportation Security Administration (TSA), an agency of the U.S. Department of Homeland Security, issued Security Directive Pipeline-2021-01, which requires three new critical actions from the nation’s critical pipeline systems. First, it requires TSA-specified Owner/Operators to report cybersecurity incidents to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Second, it requires Owner/Operators to designate a Cybersecurity Coordinator who must be available to TSA and CISA 24/7 to coordinate cybersecurity practices and address any incidents that arise. Third, it requires Owner/Operators to review their current activities against TSA’s recommendations for pipeline cybersecurity to assess cyber risks, identify any gaps, develop remediation measures, and report the results to TSA and CISA.

Congress has also recently signaled its interest in passing legislation to address ransomware attacks on critical infrastructure. On June 10, 2021, Senators Rob Portman (R-OH) and Gary Peters (D-MI), Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee, wrote a letter to Acting Office of Management and Budget Director Shalanda Young and National Security Advisor Jake Sullivan seeking input from the administration as they “consider[] introducing and marking up legislation that will address the threat of ransomware attacks before the Senate’s August recess this year.” The Senators’ letter requests from the administration: “Information on strategies that relevant federal agencies are developing and implementing to combat ransomware attacks; any new authorities, or revisions to existing authorities, that would further empower relevant federal agencies to combat ransomware attacks and respond when they do occur; and suggestions for Congress to consider as we develop legislation and oversight plans to combat ransomware attacks.”

These federal actions follow the Institute for Security and Technology’s Ransomware Task Force’s (RTF) April release of a report containing a comprehensive strategic framework to address ransomware attacks. Authored by a broad panel of experts from the private sector, government, and international organizations, the report details 48 recommendations for reducing ransomware attacks in the U.S. and globally. These recommendations are organized around four goals: (1) deter ransomware attacks; (2) disrupt the ransomware business model; (3) help organizations prepare; and (4) respond to ransomware attacks more effectively. 

The report calls for “coordinated, international diplomatic and law enforcement efforts to proactively prioritize ransomware through a comprehensive, resourced strategy.” It also urges the U.S. to “lead by example and execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.” It specifically calls for the establishment of “(1) an Interagency Working Group led by the National Security Council in coordination with the nascent National Cyber Director; (2) an internal U.S. Government Joint Ransomware Task Force; and (3) a collaborative, private industry-led informal Ransomware Threat Focus Hub.”  

The RTF report also says that “The cryptocurrency sector that enables ransomware crime should be more closely regulated. Governments should require cryptocurrency exchanges, crypto kiosks, and over-the-counter (OTC) trading ‘desks’ to comply with existing laws, including Know Your Customer (KYC), Anti-Money Laundering (AML), and Combatting Financing of Terrorism (CFT) laws.” 

The federal government’s adoption of even some of the RTF report’s policy recommendations may require businesses outside of traditional critical infrastructure industries to examine their responses to ransomware cyberattacks, as well as their future risk assessments, more closely. However, regardless of whether Congress or the White House adopts a broad framework or initially focuses solely on critical infrastructure security with oversight measures like those in the recent TSA Security Directive, all businesses should develop a program for responding swiftly and appropriately to a ransomware or other cybersecurity attack. A future FMG article will address best practices for creating and maintaining such a program.

If you have any questions, please contact Ryan Mayo at