Leaders of the Senate Homeland Security and Governmental Affairs Committee released legislation today requiring critical infrastructure owners and operators to report cyber attacks to the government within 72 hours, while a bill is forthcoming requiring agencies and federal contractors to also report hacks.
The bill released by Chairman Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio) would create a Cyber Incident Review Office within the Cybersecurity and Infrastructure Security Agency to receive, aggregate and analyze reported incidents.
“When entities, such as critical infrastructure owners and operators, fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” Peters said in a statement.
The bill comes after numerous cyber attacks against critical infrastructure in recent months, including the ransomware attack that temporarily shut down Colonial Pipeline in May.
The legislation is similar to a provision in the House-passed defense authorization bill that would also require critical infrastructure owners and operators to report incidents within a 72-hour time frame. Industry had pushed for a window of at least three days after Sen. Mark Warner (D-Va.) and Sen. Marco Rubio (R-Fla.) introduced legislation earlier this summer that would have required incident notification within 24 hours.
The Senate bill would also take on ransomware by requiring organizations, including businesses with more than 50 employees, nonprofits, and state and local governments, to notify CISA if they make a ransom payment. It would also require entities to evaluate alternative options before paying. That tracks current U.S. government guidance, which advises organizations not to pay ransomware gangs to unlock their data because payments further incentivize those groups.
CISA would be able to issue subpoenas to organizations that don’t comply with requirements to report incidents or ransomware payments. Those that fail to comply could be referred to the Department of Justice and potentially barred from federal contracting.
The bill would also direct agencies that are notified of cyber attacks to provide that information to CISA, and it would create a Cybersecurity Incident Reporting Council to coordinate federal cyber incident reporting rules.
It would likely be some time before the incident reporting requirements are put into practice. The bill would require CISA to publish an interim final rule implementing the reporting mandate within 270 days, including a 60-day consultative period and a 90-day comment period “with appropriate stakeholders.” The final rule would be required within a year of the interim rule’s publication.
Meanwhile, Peters and Portman plan on introducing “separate legislation that will update the Federal Information Security Modernization Act — including requiring federal agencies and contractors to report when they are hit by cyber-attacks,” according to the committee.