The Senate advanced as part of the government funding legislation a provision from U.S. Sens. Gary Peters (D-MI) and Rob Portman (R-OH) that would require cyber attacks on critical infrastructure to be reported and further federal oversight.
Peters and Portman, chairman and ranking member of the Homeland Security and Governmental Affairs Committee, respectively, initially submitted the provision as standalone legislation. This was meant to improve U.S. cybersecurity and as a proactive move against possible Russian retaliation for U.S. support to Ukraine. Little has changed in the transition from one bill to the next.
If the funding bill passes, critical infrastructure owners and operators would be required under law to report substantial cyber-attacks or ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
“It’s clear we must take bold action to improve our online defenses,” Peters said. “This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people. Our provision will also ensure that CISA – our lead cybersecurity agency – has the tools and resources needed to help reduce the impact that these online breaches can have on critical infrastructure operations.”
Critical infrastructure, so designated, would include things like energy companies, banks, or the Colonial Pipeline – a major oil line that saw more than 5,500 miles shut down due to an attack on the network of its company. That breach alone led to gas shortages on the East Coast and major price jumps.
“This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” Portman said. “The legislation strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”
CISA will be able to subpoena any entities that fail to report cybersecurity breaches or ransomware payments within 72 hours of a substantial attack or 24 hours of payment. The agency would also be required to launch a warning program for organizations potentially affected by vulnerabilities that ransomware criminals exploit and to work within a joint ransomware task force to coordinate federal and industry efforts to prevent and disrupt such attacks.