Critical infrastructure owners to report to CISA about facing cyberattacks, making ransomware payment

A group of bipartisan senators has introduced an amendment to the annual defense authorization bill that will require critical infrastructure owners and operators, and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and most entities to report if they make a ransomware payment.

The senators are Gary Peters, a Democrat from Michigan, Rob Portman, a Republican from Ohio, Mark Warner, a Democrat from Virginia, and Susan Collins, a Republican from Maine. The amendment is based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021, authored by Peters and Portman and advanced by the Homeland Security and Governmental Affairs Committee, where they serve as Chairman and Ranking Member, respectively.

The amendment would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack. Many other organizations, including businesses, nonprofits, and state and local governments, would also be required to report to the federal government within 24 hours if they make a ransom payment following an attack.

Additionally, the new amendment would update current federal government cybersecurity laws to improve coordination between federal agencies, force the government to take a risk-based approach to security, as well as require all civilian agencies to report all cyber-attacks to CISA, and major cyber incidents to Congress. It also provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks.

The amendment falls in line with a similar requirement laid down in the ‘Cyber Incident Reporting for Critical Infrastructure Act of 2021’ which is set to establish a mandatory cyber incident reporting framework for critical infrastructure owners and operators. The proposed bill will also give the industry a 72-hour reporting window, which tech trade groups have been pressing for, as shorter timelines greatly “increase the likelihood that the entity will report inaccurate or inadequately contextualized information that will not be helpful, potentially even undermining cybersecurity response and remediation efforts.”

“Cyber-attacks and ransomware attacks are a serious national security threat that have affected everything from our energy sector to the federal government and Americans’ own sensitive personal information,” Senator Peters, Chairman of the Homeland Security and Governmental Affairs Committee, said in a media statement.

“That’s why I’m proud to introduce this bipartisan amendment to the FY 2022 NDAA to update the Federal Information Security Modernization Act (FISMA) and give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” said Senator Portman, Ranking Member of the Homeland Security and Governmental Affairs Committee.

“This bipartisan amendment to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” Portman added.

“We can’t rely on voluntary reporting to protect our critical infrastructure – we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, the full resources of the federal government can be mobilized to respond to, and stave off, its impact,” Senator Warner, Chairman of the Senate Select Committee on Intelligence, said. “I’m glad we were able to come to a bipartisan compromise on this amendment addressing many of the core issues raised by these high-profile hacking incidents.”

Last week, the U.S. House of Representatives passed a US$1.2 trillion bipartisan infrastructure bill that will bring about much-needed improvements to the nation’s critical infrastructure sector. The bill calls for the development of a cybersecurity tool and the setting up of an office of cyber coordinator, in a bid to boost infrastructure resiliency in a country already plagued by several cyber incidents and threats.

The bill, called the ‘Infrastructure Investment and Jobs Act (IIJA),’ was sponsored by Peter DeFazio, a Democrat from Oregon and chair of the House Committee on Transportation and Infrastructure.

These legislative measures come as federal agencies, government contractors, and critical infrastructure owners and operators have been targeted by cybersecurity and ransomware incidents that threaten the security fabric of the nation. There have been reports of a drone that crashed near a Pennsylvania power substation last year that was likely meant to damage or disrupt the electric equipment, according to a federal law enforcement bulletin obtained by CNN.

The July 2020 incident is the first known case of a “modified unmanned aircraft system likely being used in the United States to specifically target energy infrastructure,” states the October 28 memo from the FBI, Department of Homeland Security, and the National Counterterrorism Center, the news channel reported.
