Sen. Gary Peters, D-Mich., chairman of the Senate Committee on Homeland Security and Governmental Affairs, and Sen. Rob Portman, R-Ohio, the committee’s ranking member, have introduced legislation to require critical infrastructure entities to report cyberattacks to the Federal government, and to require most other entities to report to the government if they make a ransomware payment.
The bipartisan legislation requires critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they experience a cyberattack. The Senate bill – dubbed the Cyber Incident Reporting Act – builds on existing legislation introduced in the House earlier this year by Reps. Yvette Clarke, D-N.Y., and John Katko, R-N.Y.
The 72-hour reporting window matches up with suggestions made by tech trade groups in the run-up to the legislation’s release.
The senators said the bill is meant to “improve Federal agencies’ understanding of how to best combat cyberattacks, help our nation hold hackers accountable for targeting American networks, and bolster the Federal government’s ability to help prevent these attacks from further compromising national security and disrupting the lives and livelihoods of Americans.”
In addition to the requirements for critical infrastructure owners and operators, the bill would also create a requirement for a wide swath of other organizations—such as nonprofits, businesses with more than 50 employees, and state and local governments—to notify the Federal government within 24 hours if they make a ransomware payment.
If entities fail to report cybersecurity incidents or ransomware payments as directed by the legislation, the bill provides CISA with the authority to subpoena them.
“When entities – such as critical infrastructure owners and operators – fall victim to network breaches or pay hackers to unlock their systems, they must notify the Federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Sen. Peters. “This important, bipartisan bill will create the first national requirement for critical infrastructure entities to report to the Federal government when their systems have been breached, as well as require most organizations to report when they have paid a ransom after an attack.”