Following the release of a similar bill by a bipartisan contingent of House members, two Senators on Tuesday released their version of a bill that would require owners and operators of critical infrastructure to report cyber incidents to the federal government.
Like the House draft measure, the Cyber Incident Reporting Act would require critical infrastructure entities to report to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of detecting that they are under a cyber-attack.
“This important, bipartisan bill will create the first national requirement for critical infrastructure entities to report to the federal government when their systems have been breached, as well as require most organizations to report when they have paid a ransom after an attack,” Sen. Gary Peters (D-Mich.), chairman of the Senate Homeland Security and Governmental Affairs Committee, said in a statement. Peters introduced the bill along with Sen. Rob Portman (R-Ohio), the ranking member on the committee.
There are already some federal regulations requiring reporting on cyber incidents. For example, following a ransomware attack earlier this year against fuel pipeline operator Colonial Pipeline, the Transportation Security Administration (TSA) issued two directives that require pipeline operators to report potential and confirmed incidents to the agency and to take specific mitigation measures.
The proposed 52-page Senate legislation builds on a measure by New York Reps. Yvette Clarke (D) and John Katko (R). Their 33-page Cyber Incident Reporting for Critical Infrastructure Act of 2021 passed the House last week as an amendment to the fiscal year 2022 National Defense Authorization Act. The bill may also be introduced as a standalone measure in the House.
The 72-hour reporting requirement is seen by industry as giving victims of cyber-attacks time to determine that they have been attacked and to begin remediation while alerting appropriate federal authorities and stakeholders. Last week, in testimony to the Senate Homeland Security panel, CISA Director Jen Easterly said her agency “ideally” would like to be notified within 24 hours of a cyber incident to enable rapid analysis and the sharing of threat information with other potential victims.
However, Easterly on Tuesday appeared to back off from a hard 24-hour requirement, saying during a fireside chat hosted by Amazon’s [AMZN] cloud services division, Amazon Web Services, that based on her prior experience in the financial services industry, “it doesn’t make sense to say, ‘24 hours from detection,’ because you will flood us with noise. We need signal, right? So, we don’t want to be overburdened with noise and we don’t want to overburden industry under duress trying to manage an incident. And so, what we want is to work with industry through a rulemaking period so we can make sure that we get this right.”
The Peters and Portman bill also contains other provisions, including a requirement that businesses and entities with more than 50 employees, as well as state and local governments, notify the federal government within 24 hours of making a ransomware payment. It also requires federal agencies that are notified of attacks to report the information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements.
To help enforce the incident reporting requirement, CISA would have subpoena authority over entities that fail to report incidents and ransomware payments. Entities that do not comply with a subpoena could be referred to the Department of Justice and barred from contracting with the federal government.