Critical infrastructure owners and operators would be required to report a cyber attack within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA) if a newly-introduced Senate bill becomes law.
The Cyber Incident Reporting Act also requires federal contractors–including MSSPs, MSPs and managed detection and response (MDR) service providers–along with government agencies, companies of more than 50 employees and other organizations to report to CISA within 24 hours of making a ransom payment.
A separate measure is forthcoming to update the Federal Information Security Modernization Act that requires federal agencies and contractors to report cyber attacks.
The bipartisan legislation, proposed by Gary Peters (D-MI), who chairs the Homeland Security and Governmental Affairs Committee and ranking member Rob Portman (R-OH), means to set cyber incident reporting standards at the federal level where previously none have existed. The bill, segments of which have been brewing in Congress for months, comes on the heels of multiple ransomware attacks aimed at the nation’s vital infrastructure, including the Colonial Pipeline energy hijack, the JBS food processor lock down and the recent New Cooperative agricultural freeze out. Both CISA director Jen Easterly and National Cyber Director Chris Inglis have repeatedly voiced support for federal reporting requirements as well as enforcement mechanisms.
Here’s what in the bill:
Requires critical infrastructure owners and operators to notify CISA within 72 hours of a cyber incident.
Requires federal contractors, including service providers and other organizations, to report to CISA within 24 hours after making a ransom payment. Entities would be required to explore alternatives before meeting ransom demands.
Establishes a Cyber Incident Review Office to access reports related to cyber incidents, including tracking ransom payments and ransomware attacks, facilitating cyber attack information sharing among federal agencies and publishing quarterly unclassified reports.
Requires the CISA director to submit to the National Cyber Director and Congressional leaders a monthly status update report on cybersecurity incidents and other related information.
Requires CISA to conduct an outreach and education campaign to help organizations affected by a ransomware attack.
Grants CISA subpoena power to demand an incident report from an entity hit by a cyber attack or making a ransom payment.
Allows the federal government to share incident information with other federal agencies.
Protects submitted information with established data security policies.
Establishes a pilot program to identify security vulnerabilities that hackers could exploit and to notify owners of those system weaknesses.
Establishes a joint ransomware task force to coordinate an ongoing, nationwide campaign against ransomware attacks and solicit international cooperation.
Peters minced no words in describing the threat the nation faces from ransomware hackers and the necessity for timely incident reporting. “The scourge of cyber-attacks that have disrupted the lives of countless Americans shows we are facing a crisis we are not fully prepared to address,” he said. “When entities – such as critical infrastructure owners and operators – fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks.”
Cyber Incident Disclosure Legislation: Designed to Boost Visibility, Coordinated Response
Portman said the bill not only enabled the federal government to get information quickly “without imposing burdensome requirements” but also providing much needed visibility into cyber incidents. “This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyber attacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” he said.
Such is the importance of the proposed bill that a number of cybersecurity providers weighed in on its impact. “The proposed Senate bill to mandate cyber attack and ransomware reporting is what we expect to see from the federal government, said TokenEx chief executive Alex Pezold. “It is a positive step, to ensure that cyber crimes are reduced, and that critical infrastructure is protected, as well as the private sector.”
Other cyber executives expressed similar views. “This latest policy move, plus the administration’s earlier executive orders on the subject, show that federal cyber leaders are pushing for a more secure future for the U.S., said Glasswall chief executive Danny Lopez.
Cybersecurity Legislation: This Sounds Familiar
The proposed legislation is similar to a House-passed measure in the 2022 National Defense Authorization Act that would also require critical infrastructure owners and operators to report cyber breaches within three days but does not include ransomware payment reporting. While there has been talk about making ransomware payments illegal there’s little enthusiasm for such a move at this point.
Industry had pushed for at least a three-day window for reporting after Sen. Mark Warner (D-VA) and Sen. Marco Rubio (R-FL) introduced legislation earlier this summer requiring incident notification within 24 hours.
Under existing law, no federal requirement for individual companies to disclose to CISA a breach is currently on the books, let alone mandated within a certain time frame. To address the issue, legislators have brought forward the bipartisan Cyber Incident Notification Act of 2021 that would require critical public and private organizations to notify CISA within 24 hours of discovering the system compromise. But a new draft bill submitted ahead of Peters’ and Portman’s extended the reporting time to three days to allow companies suffering a security breach the often-needed time to assess the incident before reporting it to CISA.
While a number of prominent businesses have claimed that incident reporting, no matter an acceptable time frame, would disproportionately concern their shareholders and weaken their competitive positions, there now appears to be some consensus circling the 72-hour finish line in industry and Congress.