Senate Passes Cyber Package That Would Require Firms to Report Hacks

Legislation clears major hurdle for rules seen as key for U.S. cybersecurity

The Senate Tuesday passed a cybersecurity package that would require companies to report damaging hacks and ransomware payments to the government, bringing closer to reality rules the Biden administration sees as key to protecting U.S. critical infrastructure.

The Strengthening American Cybersecurity Act comprises three bills intended to bolster public- and private-sector security, including by modernizing federal agencies’ cyber posture and updating how they can adopt cloud-based technologies. Covered firms would have to report designated breaches to the Cybersecurity and Infrastructure Security Agency within 72 hours, as well as ransomware payments within 24 hours.

Passed by unanimous consent hours before President Biden addressed Congress in his State of the Union address, the legislation now heads to the House.

Improving visibility of privately owned computer networks has been a priority for the Biden administration after a Russia-linked breach of federal agencies through a compromised SolarWinds Corp. software update was first spotted by a cybersecurity firm in 2020. Officials have unveiled sector-specific regulations requiring many pipeline and rail operators to report hacks since a ransomware attack on Colonial Pipeline Co. disrupted the East Coast’s largest fuel conduit last year.

The legislation passed by the Senate Tuesday would expand such rules for many companies across 16 federally designated sectors of critical infrastructure, such as energy or financial services. U.S. officials hope to analyze and disseminate data about cyberattacks among federal agencies and private-sector firms to prevent similar incidents elsewhere.

While the bill provides some guidance on which companies would be covered by the rule, pointing to potential economic disruption or national-security threats, CISA would decide specifics in a formal rule-making process. CISA similarly would decide which types of incidents companies have to report, along with what information they would have to share.

The legislation, introduced in February by Sens. Gary Peters (D., Mich.) and Rob Portman (R., Ohio), who serve as chair and ranking member of the Homeland Security and Governmental Affairs Committee, would give CISA two years after enactment of the law to propose rules and an additional 18 months to complete them. Businesses would have liability protections for information they share and would face no fines for not complying.

“You’re going to want to comply because CISA is there providing robust support for you,” Mr. Peters said in an interview Tuesday. “The only way the industry can protect itself is that people have to have situational awareness.”

CISA last year launched a voluntary information-sharing partnership with telecommunications companies and cloud-service providers, coordinating public-private responses to the flaw found in December in obscure but widely used software known as Log4j. Corporate executives and lobbyists say strict regulation could threaten such collaboration.

Lawmakers from both parties have tried and failed to create an incident-reporting statute over the past decade amid pushback from industry and warnings that reporting rules would complicate companies’ response to breaches. The version passed by the Senate Tuesday, which broadly mirrors a blueprint previously passed by the House, reflects many trade groups’ requests during a monthslong lobbying push.

“Seventy-two hours is broadly accepted across our membership as being reasonable and doable,” Christopher Roberti, the U.S. Chamber of Commerce’s senior vice president for cyber, intelligence and supply-chain security policy, said last month. “What we do like in this legislation is there is a robust opportunity for engagement with the private sector as it [CISA] is promulgating the rules.”