The top senators on the Homeland Security Committee introduced legislation on Tuesday to require critical infrastructure companies to report cyberattacks to the federal government and to mandate that most organizations tell the federal government if they make ransomware payments.
If enacted, the bill will create the first national requirement for critical infrastructure entities to report when their systems have been breached.
Homeland Security and Governmental Affairs Chairman Gary Peters, Democrat of Michigan, and ranking member Sen. Rob Portman, Republican of Ohio, introduced the bill less than a week after several members of the Biden administration expressed public support during congressional testimony for such requirements.
The legislation would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency within 72 hours if they are experiencing cyberattacks. Nonprofits, businesses with more than 50 employees, and state and local governments would be required to notify the federal government within 24 hours if they make ransom payments.
The bill comes after several high-profile cybersecurity and ransomware incidents earlier this year put pressure on lawmakers to better protect critical infrastructure and discourage ransomware attacks. In May, a ransomware attack on Colonial Pipeline prompted the company to shut down thousands of miles of pipeline, leading to higher fuel prices and gas shortages. That was followed by a ransomware attack on JBS USA, a major beef and pork producer, which threatened the US meat supply.
“When entities – such as critical infrastructure owners and operators – fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Peters in a statement.
Enforcement mechanisms are built into the legislation.
The bill would give the Cybersecurity and Infrastructure Security Agency the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. If a business or nonprofit fails to comply with the subpoena, it can be referred to the Department of Justice and barred from contracting with the federal government.
Businesses that plan on making ransom payments will also be required to evaluate alternatives before making the payments, according to the legislation.
The federal government advises against making ransom payments, but many businesses feel they have no other choice when their systems are locked or they are threatened with data exposure.
The bill requires the Cybersecurity and Infrastructure Security Agency to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit. It also directs the national cyber director to establish a joint ransomware task force to prevent and disrupt ransomware attacks.
During her first congressional hearing since taking office, Cybersecurity and Infrastructure Security Agency Director Jen Easterly called for cyber incident reporting, both so the agency can help victims of hacks and so it can analyze the reported information and share it more broadly to determine whether similar intrusions are occurring elsewhere.
“We absolutely agree it’s long past time to get cyber incident reporting legislation out there, and we’re excited to work with you on this,” Easterly told Peters last week.
However, Easterly said she doesn’t believe that subpoena authority is “agile enough” for her agency to get the information as rapidly as possible to prevent others from falling prey to a similar attack.
Instead, she said fines should be considered for enforcement.
“I just came from four and a half years in the financial services sector, where fines are a mechanism that enables compliance enforcement,” Easterly said.