Congress has delivered on its top cybersecurity priority this session, with both houses approving new legal mandates as part of a government spending bill that will require critical infrastructure companies to report breaches, ransomware payments and other “significant” cyber incidents to the federal government.
After some initial hiccups (this is Congress, after all) that led to the requirements being left out of last year’s National Defense Authorization Act, the two bodies came together over legislative language that would compel companies to report incidents within 72 hours of experiencing a cyberattack and within 24 hours of making a ransom payment.
Getting the bill passed was viewed as urgent by leaders on the House and Senate Homeland Security Committees as U.S. companies faced an unrelenting storm of ransomware attacks over the past year that disrupted the nation’s gas and food supplies, rendered local schools and governments inoperable and sent untold millions to the coffers of criminal ransomware gangs, who often turned around and invested that money in better malware and infrastructure to facilitate the next wave of attacks.
“This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people,” Sen. Gary Peters, D-Mich., chair of the Senate Homeland Security Committee and one of the authors of legislation that the cyber incident reporting provision was modeled on, said in a statement. “Our provision will also ensure that CISA — our lead cybersecurity agency — has the tools and resources needed to help reduce the impact that these online breaches can have on critical infrastructure operations.”
Policymakers have been interested in boosting private sector reporting around cyberattacks for years, but the political environment and lobbying from the private sector reticent to report cyberattacks to the government had historically sank previous efforts.
Former State Department Cyber Coordinator Chris Painter, who also worked at the FBI and National Security Council, reacted to the news on Twitter by reminiscing on how he "first worked on reporting [legislation] at the Department of Justice 20 years ago and was frustrated for many years when it always stalled."
In the wake of a Russian invasion of Ukraine, biting Western sanctions on the Kremlin and the threat of retaliatory cyberattacks, getting better situational awareness of cyberattacks on critical infrastructure was viewed as even more urgent. Sources in Congress familiar with the committee's legislative strategy told SC Media in January that they were eyeing upcoming government spending talks as a possible vehicle for including the provision, something that wound up eventually panning out after a temporary continuing resolution allowed lawmakers to negotiate a longer funding package.
“As our nation rightly supports Ukraine during Russia’s illegal unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable,” said Sen. Rob Portman, R-Ohio, ranking Republican on the Homeland Security Committee and a co-sponsor of the reporting bill along with Peters.
The new law will give the Cybersecurity and Infrastructure Security Agency (CISA), as well as other the national cyber director and FBI, increased visibility and insight into the volume and depth of cyber attacks that hit critical infrastructure. Up to this point, policymakers were essentially left to guess.
“Given that critical infrastructure is owned privately and the previous absence of reporting requirements, I’m really not sure whether anybody has a good handle on the number of incidents," Brett Callow, a ransomware analyst at Emsisoft, told SC Media last month when asked about available statistics around ransomware attacks on critical infrastructure. “We certainly don’t, and I couldn’t begin speculate as to whether there’s been an increase or decrease.”
The new legislation will give agencies like CISA far deeper and more granular insights into these questions. Director Jen Easterly called the bill’s passage a “game changer” that would allow her agency to develop new analyses and allocate resources to the companies and industrial sectors that are most at risk.
“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims,” Easterly said.
The legislation now heads to the desk of President Joe Biden, who is expected to approve and sign it.