Cyber incident reporting bill passes in the US House, boosts cybersecurity at critical infrastructure installations

The Cyber Incident Reporting bill has passed in the U.S. House of Representatives. It requires critical infrastructure owners and operators to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA). The legislation was bundled with the bipartisan funding bill, which is poised to provide critical investments across various bipartisan priorities.

The legislation was cleared last week by the U.S. Senate, and now heads to U.S. President Joe Biden for his signature, before becoming law.

Identifying the legislation as a game-changer, CISA Director Jen Easterly said in a media statement on Friday that “today marks a critical step forward in the collective cybersecurity of our nation.”

As the nation’s cyber defense agency, “CISA applauds the passage of cyber incident reporting legislation. Thanks to the support of our many partners in Congress, CISA will have the data and visibility we need to help better protect critical infrastructure and businesses across the country from the devastating effects of cyber-attacks,” she added.

“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” Easterly said. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims,” she added.

“Thank you to Congress for passing the bill that mandates cyber incident reporting to the federal government. This is a huge step forward for our nation’s cybersecurity,” Secretary of Homeland Security Alejandro N. Mayorkas wrote in a Twitter message on Friday.

“Last night, the House took bold action to secure U.S. critical infrastructure against 21st century threats by requiring critical infrastructure owners and operators to report cyber incidents to the DHS Cybersecurity and Infrastructure Security Agency (CISA),” Bennie G. Thompson, a Democrat from Mississippi and chairman of the Committee on Homeland Security, John Katko, a Republican from New York and Ranking Member of the Committee on Homeland Security, Yvette Clarke, a Democrat from New York and chairwoman of the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee, and Andrew Garbarino, a Republican from New York and Ranking Member of the Cybersecurity, Infrastructure Protection, & Innovation Subcommittee, wrote in a joint statement released Thursday. 

“The Cyber Incident Reporting for Critical Infrastructure Act, included within the Consolidated Appropriations Act, 2022, is one of the most significant pieces of cybersecurity legislation in the past decade,” they added.  

Developed after the SolarWinds supply chain attack and gaining additional momentum from the Russia-Ukraine conflict, the bipartisan, bicameral Cyber Incident Reporting legislation requires asset owners and operators to deliver “greater visibility for the Federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector so they can defend against future attacks,” the statement said. 

“The authorities and resources provided in this bill can’t come soon enough, as CISA works to combat rapidly evolving cyber threats in this shifting geopolitical landscape. Passage of this legislation further solidifies Congress’ intent that CISA is the lead Federal agency for cybersecurity,” it added.

The legislation requires critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack, and within 24 hours if they make a ransomware payment. It also addresses the need to modernize the government’s cybersecurity posture, and authorizes the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency.

The legislative package also “would update current federal government cybersecurity laws to improve coordination between federal agencies, require the government to take a risk-based approach to cybersecurity, as well as require all civilian agencies to report all cyber-attacks to CISA, and update the threshold for agencies to report cyber incidents to Congress.”

To deal with rising ransomware attacks, the Cyber Incident Reporting Act states that within 180 days after enactment of the Act, the director of CISA, in consultation with the National Cyber Director, the Attorney General, and the director of the Federal Bureau of Investigation, shall establish and chair the Joint Ransomware Task Force to coordinate an ongoing nationwide campaign against ransomware attacks, and to identify and pursue opportunities for international cooperation.

Rapid7 views the Cyber Incident Reporting for Critical Infrastructure Act as a positive step, Harley Geiger, senior director of public policy at Rapid7, wrote in a company blog post. “Cybersecurity is essential to ensure critical infrastructure is safe, and this law would give federal agencies more insight into attack trends, and would potentially help provide early warnings of major vulnerabilities or attacks in progress before they spread,” he added. 

Still, the Cyber Incident Reporting for Critical Infrastructure Act does little to ensure critical infrastructure has safeguards that prevent cyber incidents from occurring in the first place, according to Geiger. “This law is unlikely to change the fact that many critical infrastructure entities are under-resourced and, in some cases, have security maturity that is not commensurate with the risks they face. The law’s enforcement mechanism (a potential contempt of court penalty) is not especially strong, and the final reporting rules may not be implemented for another 3.5 years,” he added.
