A new bipartisan cyber incident reporting bill introduced in the U.S. Senate would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and would require most other entities to report if they make a ransomware payment.
The bill seeks to improve federal agencies’ understanding of how to best combat cyber-attacks, hold hackers accountable for targeting U.S. networks, and bolster the federal government’s ability to help prevent these attacks from further compromising national security and disrupting the lives and livelihoods of Americans.
Introduced by U.S. Senators Gary Peters, a Democrat from Michigan, and Rob Portman, a Republican from Ohio, chairman and ranking member of the Homeland Security and Governmental Affairs Committee, the new bill, titled the Cyber Incident Reporting Act, also requires other organizations, including nonprofits, businesses with more than 50 employees, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment.
The legislation directs federal agencies that are notified of attacks to provide that information to CISA and create a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements. It also provides CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Entities that fail to comply with the subpoena can be referred to the Department of Justice (DOJ) and barred from contracting with the federal government.
The legislation would also require entities that plan to make a ransom payment to evaluate alternatives before paying. It also mandates that CISA launch a program to warn organizations of vulnerabilities that ransomware actors exploit, and directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry.
The new Cyber Incident Reporting bill builds upon the “Cyber Incident Reporting for Critical Infrastructure Act of 2021,” which called upon critical infrastructure owners and operators to report to CISA within 72 hours if they experience a cyber-attack. The initial legislation also proposed establishing a Cyber Incident Review (CIR) Office within CISA, part of the U.S. Department of Homeland Security, that would receive, aggregate, and analyze reports of covered cybersecurity incidents submitted by critical infrastructure firms.
“This important, bipartisan bill will create the first national requirement for critical infrastructure entities to report to the federal government when their systems have been breached, as well as require most organizations to report when they have paid a ransom after an attack,” Senator Peters said in a media statement. “This will help our nation deter future attacks, fight back against cybercriminals, and hold them accountable for infiltrating American networks.”
“As cyber and ransomware attacks continue to increase, the federal government must be able to quickly coordinate a response and hold these bad actors accountable,” according to Senator Portman. “This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” he added.
The recent scourge of cyber-attacks has disrupted the lives of countless Americans, as attackers have targeted critical infrastructure owners and operators both directly and indirectly. Incidents have included a ransomware attack on the networks of fuel pipeline company Colonial Pipeline, which led the company to take certain systems offline to contain the threat and, in turn, to price increases and gas shortages for communities across the East Coast. After that, JBS USA, a large beef supplier, paid a ransom to malicious cyber actors who had infiltrated its networks and threatened the U.S. meat supply.
“Protecting critical infrastructure will have enormous security challenges as we adapt to the technological and cultural changes taking place in 2021,” Chuck Brooks, President of Brooks Consulting International, wrote in a post for the International Association of Critical Infrastructure Protection Professionals (IACIPP), an international association of practitioners and professionals involved in the security, resilience, and safety of critical infrastructure, both physical and information infrastructure.
“Every country, governmental jurisdiction, industry, company and individual has their own unique CI threat landscape to address,” according to Brooks. “A security strategy based on the pillars of vigilance, readiness and resilience needs to be actualized against those threats. This is not only critical for risk management and incident response, but it is imperative for mitigating harm in an increasingly connected and precarious world,” he added.
The U.S. administration has been ramping up requirements for protecting critical infrastructure and its critical assets. President Joe Biden said in a recent statement that he was “committed to strengthening our cybersecurity by hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, working to establish and promote clear rules of the road for all nations in cyberspace, and making clear we will hold accountable those that threaten our security.”
The White House is to convene a 30-country meeting this month in an effort to ramp up global action against the threat ransomware poses to economic and national security, President Biden said in a statement shared exclusively with CNN. The goal of the alliance will be “to accelerate our cooperation in combatting cybercrime, improving law enforcement collaboration, stemming the illicit use of cryptocurrency, and engaging on these issues diplomatically.”
President Biden is set to make the announcement Friday, according to the statement.