(Trends Wide) — Top National Security Committee senators introduced legislation Tuesday to require critical infrastructure companies to report cyberattacks to the federal government and to require most organizations to report to the federal government if they make ransomware payments.
If enacted, the bill will create the first national requirement for critical infrastructure entities to report when their systems have been breached.
Homeland Security and Government Affairs Chairman Gary Peters, Democrat of Michigan, and senior member Senator Rob Portman, Republican of Ohio, introduced the bill less than a week after several members of the Biden administration expressed public support for such requirements during their testimony before Congress.
The legislation would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency within 72 hours if they are experiencing cyber attacks. Non-profit organizations, businesses with more than 50 employees, and state and local governments must notify the federal government within 24 hours if they make ransom payments.
Cyber Attack Law Enforcement
The bill comes after several high-profile cybersecurity and ransomware incidents earlier this year prompted lawmakers to seek better protection for critical infrastructure and to discourage ransomware incidents. In May, a ransomware attack on Colonial Pipeline led the company to shut down thousands of miles of pipelines, causing soaring prices and gas shortages.
This was followed by a ransomware incident at a major beef and pork producer, JBS USA, which threatened the US meat supply.
“When entities, such as owners and operators of critical infrastructure, are victims of network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for potential impacts, and help to prevent other widespread attacks,” Peters said in a statement.
Enforcement mechanisms are built into the legislation.
The bill would give the Cybersecurity and Infrastructure Security Agency the authority to subpoena entities that do not report cybersecurity incidents or ransomware payments. If a business or non-profit organization does not comply with the subpoena, it may be referred to the Department of Justice and may be barred from contracting with the federal government.
Under the bill, companies planning to make ransom payments would also need to evaluate alternatives before paying.
The federal government advises against making ransom payments, but many companies feel they have no choice when their systems are locked down or threatened by data exposure.
The bill requires the Cybersecurity and Infrastructure Security Agency to launch a program that will warn organizations about vulnerabilities exploited by ransomware actors. It also directs the national cyber director to establish a joint task force to prevent and disrupt ransomware attacks.
During her first congressional hearing since taking office, the Director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, asked for cyber incident reporting so the agency can help victims of attacks, analyze the information, and share it more broadly to determine whether similar intrusions are occurring elsewhere.
“We absolutely agree that it is about time for cyber incident reporting legislation to be released, and we are excited to be working with you on this,” Easterly told Peters last week.
However, Easterly said she doesn’t think the subpoena authority is “nimble enough” for her agency to get the information quickly enough to prevent others from falling prey to a similar attack.
Instead, she said fines should be considered for enforcement.
“I have come from four and a half years in the financial services industry, where fines are a mechanism to enforce regulations,” Easterly said.