WASHINGTON, D.C. – Two bipartisan bills authored by U.S. Senator Gary Peters (MI) requiring critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and most entities to report if they make a ransomware payment, have advanced in the Senate. The legislation was approved by the Senate Homeland Security and Governmental Affairs Committee, where Peters serves as Chair. The bills would improve federal agencies’ understanding of how to best combat online attacks, including ransomware, and ensure our nation has the tools and resources it needs to protect federal information technology systems.
“Ransomware and other online assaults against public and private networks have caused gas shortages across the East Coast, allowed hackers to access critical federal systems, and compromised the sensitive information of millions of Americans. My bipartisan legislation will help fight back against these serious threats by ensuring CISA is notified of any attack on critical infrastructure companies and civilian federal networks, as well as when most other entities make a ransomware payment,” said Senator Peters. “This information will help lead cybersecurity agencies and Congress in our efforts to establish a comprehensive strategy to punish cybercriminals for targeting American networks and prevent them from disrupting lives and livelihoods across our nation.”
The Cyber Incident Reporting Act would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack. The bill also creates a requirement for other organizations, including businesses, nonprofits, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment. The legislation directs federal agencies that are notified of attacks to provide that information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements. The bill provides CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Entities that fail to comply with the subpoena can be referred to the Department of Justice and barred from contracting with the federal government. The legislation would also require entities who plan on making a ransom payment to evaluate alternatives before making the payment. Finally, the bill requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.
The Federal Information Security Modernization Act of 2021 overhauls and updates the Federal Information Security Modernization Act of 2014 to support more effective cybersecurity practices throughout the federal government and improve coordination between the Office of Management and Budget (OMB), CISA, the National Cyber Director, and other federal agencies and contractors when addressing online threats. The bill requires civilian agencies to report all cyber-attacks to CISA and major incidents to Congress, and provides additional authorities to CISA to ensure it is the lead agency for responding to incidents and breaches on federal civilian networks. The legislation also codifies aspects of President Biden’s Executive Order on Improving the Nation’s Cybersecurity to enforce higher-level security protections for federal information systems and the sensitive data they often store. Finally, the bill requires OMB to develop guidance for federal agencies to use so they can efficiently allocate the cybersecurity resources they need to protect their networks.
As Chairman of the Homeland Security and Governmental Affairs Committee, Peters has led efforts to strengthen our nation’s cybersecurity defenses. Peters recently convened a hearing with top officials to examine the additional resources and authorities the federal government needs to deter cyber-attacks. In April, the Senate passed his provision to help protect our nation’s public water infrastructure technology systems, following recent cyber-attacks on water utilities. Peters is also conducting an investigation into the role cryptocurrencies continue to play in emboldening and incentivizing cybercriminals to commit ransomware attacks. As a part of the Senate-passed bipartisan infrastructure bill, Peters secured several provisions to help state, local, tribal, and territorial governments deter attacks from cybercriminals and modernize systems to protect sensitive data and information, increase our government’s ability to quickly respond to major network intrusions, and provide the newly created office of the National Cyber Director with funding to secure qualified personnel to support its important cybersecurity mission.