(Updated throughout with vote outcome on legislation.)
A key Senate panel advanced legislation Wednesday to require critical infrastructure operators like hospitals and pipeline companies to report cyberattacks and ransom payments.
Bipartisan legislation from the Senate Homeland Security and Governmental Affairs Committee would revamp federal cybersecurity practices and the U.S. response to cyber and ransomware attacks, such as those that recently targeted private companies JBS SA, Colonial Pipeline Co., SolarWinds Corp., and Microsoft Corp.
One measure from the committee’s top Democrat, Gary Peters (Mich.), and Republican, Rob Portman (Ohio), would require for the first time that critical infrastructure operators notify the Cybersecurity and Infrastructure Security Agency within 72 hours of experiencing a cyberattack. The legislation (S. 2875), advanced by voice vote, would also require certain businesses and state and local governments to notify the U.S. government within 24 hours of making a ransom payment after an attack.
An amendment from Portman adopted by the committee would exempt businesses that meet the definition of a small business in the Small Business Act from having to comply with the ransomware reporting requirement.
“It’s a balancing act, I don’t want to be over-burdensome on small businesses,” Peters said during the markup.
Peters said he intends to add the cyber incident reporting legislation to the Senate version of the fiscal 2022 National Defense Authorization Act (S. 2792).
Backing from Critical Infrastructure Sectors
The bill from Peters and Portman received extensive stakeholder feedback from companies in the critical infrastructure sectors. The Bank Policy Institute, which lobbies for the banking sector, and the American Gas Association, which represents natural gas companies, both support mandatory cyber incident reporting as well as reporting of ransom payments to the federal government.
The cyber incident reporting bill “gets a few critical pieces right,” said Heather Hogsett, the senior vice president for technology and risk strategy at the Bank Policy Institute. BPI particularly supports the bill’s 72-hour timeline for reporting and the thresholds for the kinds of incidents that should be reported to ensure useful and accurate information is being shared with CISA, Hogsett said in an interview.
AGA stressed the need for coordinating with existing regulatory requirements, as certain gas pipeline operators currently must report cyber incidents to the Transportation Security Administration following the Colonial Pipeline hack. BPI’s Hogsett said the financial industry has been reporting cyber incidents for more than 20 years, so it also wants coordination with its current requirements.
The bill also has backing from government officials. President Joe Biden’s top cybersecurity officials, CISA Director Jen Easterly and National Cyber Director Chris Inglis, have backed a draft version of the measure.
Anne Neuberger, the deputy national security adviser for cyber and emerging technology, also voiced her support for requiring companies to report cyber incidents in an interview at the White House last week.
“I think we’ve seen that voluntarily is inadequate, and as such a mandate is appropriate,” she said. “We need to think about the right balance of when an incident is reported, the kind of incidents that are reported, and we need to ensure that we then act on that information that’s reported.”
Neuberger said the government would use the incident reporting information to determine whether to pursue disruptions or investigations to degrade further cyberattacks.
Legislation in the House from Homeland Security Chair Bennie Thompson (D-Miss.) and Reps. Yvette Clarke (D-N.Y.) and John Katko (R-N.Y.) would also mandate cyber incident reporting. That measure was included as an amendment to the defense authorization bill (H.R. 4350) the House passed on Sept. 23. The House version doesn’t mandate reporting of ransom payments.
Lawmakers and industry groups have said the intent behind mandating a streamlined cyber reporting process is to ensure information is shared throughout the government to prevent other sectors from being impacted.
“The goal of course is to ensure that CISA can mature their capabilities to turn that into timely and actionable recommendations that can help prevent either other sectors, or other firms within a sector, from being harmed,” Hogsett said.
The Senate panel also advanced in a voice vote a bill from Peters and Portman to update a nearly 20-year-old law that dictates federal cybersecurity practices and policies.
The Federal Information Security Modernization Act (S. 2902) would overhaul the 2014 version of the law. It seeks to improve cybersecurity practices throughout the federal government and improve coordination between the Office of Management and Budget, CISA, the Office of National Cyber Director, and other federal agencies.
“Since Congress last addressed this critical issue, online threats have rapidly evolved and CISA had not yet been created,” Peters said in a statement.
The legislation would require all civilian federal agencies to report cyberattacks to CISA and major incidents to Congress. It also specifies that CISA is the lead operational agency for responding to federal civilian cyber breaches.
The measure would codify Biden’s cybersecurity executive order from May to require stronger security protections for federal information systems and sensitive data. It would also require OMB to issue guidance to help federal agencies allocate cyber resources efficiently.
To contact the reporter on this story: Rebecca Kern in Washington
To contact the editor responsible for this story: Zachary Sherwood