This week, U.S. Sens. Rob Portman (R-OH) and Gary Peters (D-MI) introduced a legislative package known as the Strengthening American Cybersecurity Act that proposes new requirements for private owners and federal agencies alike to address cybersecurity.
“It is clear that, as our nation continues to counter cyber threats and support Ukraine, we need to pass this legislation to provide additional tools to address possible cyber-attacks from adversaries, including the Russian government,” Peters said. “This landmark, bipartisan legislative package will provide our lead cybersecurity agency, CISA, with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches. Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j. This combined bill will also ensure that agencies can procure cloud-based technology quickly while ensuring these systems, and the information they store, are secure.”
Such measures have gained urgency over the last few years, notably after the prominent hacking of the Colonial Pipeline, which caused the company to shut down more than 5,500 miles of infrastructure and prompted gas shortages up and down the East Coast. Subsequent attacks have hit food suppliers, local governments, and more, and the rate of attacks only seems to be increasing year after year.
Taking that into consideration, Portman and Peters have sought to ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems can recover swiftly and continue providing services after breaches. To that end, they want to require such owners and operators to report substantial cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours, and within 24 hours if they make a ransomware payment.
“As cyber and ransomware attacks continue to increase, the federal government must quickly coordinate its response and hold bad actors accountable,” Portman said. “This bipartisan legislation will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”
Other provisions include improved coordination between federal agencies, new government requirements for risk-based approaches to cybersecurity, updated thresholds for reports on cyberattacks to Congress, added authorities for CISA, and authorization of FedRAMP for five years, in pursuit of quick and secure adoption of cloud-based technologies to improve efficiency at a lower cost to taxpayers. The legislation would also provide greater clarity on roles and responsibilities within the federal government and its response to attacks.
Mirror legislation is being crafted for the House by U.S. Reps. John Katko (R-NY), Yvette Clarke (D-NY), James Comer (R-KY), Carolyn Maloney (D-NY), Jody Hice (R-GA), and Gerald Connolly (D-VA).