US Senate passes legislative package that steps up cybersecurity at critical infrastructure entities, federal networks

The U.S. Senate has unanimously passed ‘a landmark legislative package’ that would require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyber-attack. The bill also allows for combating ongoing cybersecurity threats against critical infrastructure and federal government networks, and comes ‘in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine.’ 

The legislative package, titled the ‘Strengthening American Cybersecurity Act,’ was introduced in the Senate less than a month ago by Gary Peters, a Democrat from Michigan and chairman of the Homeland Security and Governmental Affairs Committee, and Rob Portman, a Republican from Ohio and Ranking Member of the Senate Homeland Security and Governmental Affairs Committee.

The bipartisan bill brought together language from three bills that the legislators have previously authored and advanced out of their committee, namely the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.

“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government,” Senator Peters said in a media statement on Wednesday. “As we have seen repeatedly, these online attacks can significantly disrupt our economy – including by driving up the price of gasoline and threatening our most essential supply chains – as well as the safety and security of our communities. This landmark legislation, which has now passed the Senate, is a significant step forward to ensuring the United States can fight back against cybercriminals and foreign adversaries who launch these persistent attacks,” he added.

“I am concerned that, as our nation rightly continues to support Ukraine during Russia’s illegal, unjustifiable assault, the United States will face increased cyber and ransomware attacks from Russia in retaliation,” Senator Portman said. “The federal government must quickly coordinate its response to potential attacks and hold these bad actors accountable.” 

“That’s why I’m proud that the Senate moved quickly to pass our bipartisan Strengthening American Cybersecurity Act to give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation daily to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” Portman added.

The legislation now moves to the U.S. House of Representatives, where Peters and Portman are working closely with U.S. Representatives Yvette Clarke, a Democrat from New York, John Katko, a Republican from New York, Carolyn Maloney, a Democrat from New York, James Comer, a Republican from Kentucky, Gerald Connolly, a Democrat from Virginia, and Jody Hice, a Republican from Georgia, to pass the bill out of that chamber.

The Peters-Portman legislative package requires critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack, and within 24 hours if they make a ransomware payment. It is also intended to modernize the government’s cybersecurity posture and to authorize the Federal Risk and Authorization Management Program (FedRAMP), so that federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency.

The legislative package also “would update current federal government cybersecurity laws to improve coordination between federal agencies, require the government to take a risk-based approach to cybersecurity, as well as require all civilian agencies to report all cyber-attacks to CISA, and update the threshold for agencies to report cyber incidents to Congress.” 

It also provides additional authorities to CISA to ensure it is the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks. The legislative package would also authorize FedRAMP for five years to ensure federal agencies are able to quickly and securely adopt cloud-based technologies that improve government efficiency.

“While we are encouraged by this development, it is important to note that this legislation and others under consideration are all defensive in nature, geared at either preventing or responding to an attack,” Mark Carrigan, cyber vice president for process safety and OT cybersecurity at Hexagon PPM, wrote in an emailed statement. “We cannot remediate cyber risk by defensive measures alone – our world is too connected to prevent a focused, nation-state sponsored actor from gaining access to at least one critical system,” he added.

The U.S. government must also provide clear, unequivocal deterrence that attacks on our critical infrastructure will be met with severe consequences for the perpetrators, Carrigan added.

U.S. security agencies on Saturday issued a joint cybersecurity advisory (CSA) warning of hackers deploying ‘destructive malware’ against Ukrainian organizations. It has been found that cybercriminals have tried to destroy computer systems and render them inoperable in the wake of the Russian attack against Ukraine.

The agency has also warned critical infrastructure installations of malicious hackers using influence operations to shape public opinion, undermine trust, amplify division, and sow discord. It also issued a ‘Shields Up’ alert that notifies every organization in the country of potential risk from cyber threats.
