The Senate on Tuesday passed major cybersecurity legislation, moving one step closer toward forcing critical infrastructure companies to report cyberattacks and ransomware payments.
The passage comes as federal officials have repeatedly warned of the potential for Russian cyberattacks against the United States amid the escalating conflict in Ukraine.
The legislation, which still has to pass in the House, would require critical infrastructure owners and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency within 72 hours if they experience a substantial cyberattack.
It would also require critical infrastructure companies to report ransomware payments to the federal government within 24 hours.
“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government,” Democratic Sen. Gary Peters of Michigan, who was the lead author on the package of bills, said in a statement, noting that online attacks have the potential to disrupt the economy, drive up gasoline prices and threaten supply chains.
The reporting requirements were introduced in the Senate after several high-profile cybersecurity and ransomware incidents put pressure on lawmakers to better protect critical infrastructure and discourage attacks. Last May, a ransomware attack on Colonial Pipeline prompted the company to shut down thousands of miles of pipeline and led to increased prices and gas shortages. That incident was followed several weeks later by a cyberattack on a major US meat producer, highlighting the impact ransomware can have on vital services in the US.
Peters said that the “landmark, bipartisan bill” would ensure that CISA is the lead agency helping critical infrastructure operators and the government respond to hacks.
The Strengthening American Cybersecurity Act, which combines language from three bills, would also require the government to take a risk-based approach to cybersecurity and would authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can adopt cloud-based technologies.
“This is a very substantial piece of cyber legislation,” Padraic O’Reilly, co-founder of cyber risk firm CyberSaint, told CNN.
O’Reilly said the current geopolitical landscape has made the legislation “significantly less controversial” as the US braces for a potential cyberattack from Russian actors.
The “risk-based” cybersecurity requirements for the federal government “jumped out,” he said of the legislation.
This approach weighs the likelihood of an adverse event and the impact it would have, and then decides how best to spend money to reduce that risk.
The legislation would require federal agencies to use this approach, which would likely spill over into the private sector, said O’Reilly.
“To see that risk-based approach written into law … is really quite powerful,” he said.
The 72-hour reporting deadline raised concern for some companies, according to Danielle Jablanski, an operational technology cybersecurity strategist at Nozomi Networks, who noted that information sharing may not be the top priority in a crisis. The focus instead might be on safety and critical operations, she said.
“The deadline is difficult, because there’s so many priorities at stake,” Jablanski said, adding that the legislation doesn’t holistically help critical infrastructure owners and operators prioritize everything that’s at stake during an attack.
However, she said the government is in the best position to encourage information sharing that can benefit multiple companies and industries.
Several members of the US House of Representatives, including Democrat Yvette Clarke and Republican John Katko, both of New York, are working with Peters and GOP Sen. Rob Portman of Ohio to pass the bill in the House.
Portman also said he is concerned about retaliatory cyber and ransomware attacks from Russia as the US “rightly” supports Ukraine.
“The federal government must quickly coordinate its response to potential attacks and hold these bad actors accountable,” he said in a statement.
During her first congressional hearing after taking office, CISA Director Jen Easterly called for cyber incident reporting to help victims of hacks, as well as to analyze the information and share it more broadly to see if similar intrusions are found elsewhere.
“We absolutely agree it’s long past time to get cyber incident reporting legislation out there, and we’re excited to work with you on this,” Easterly told Peters in September.
This story has been updated with additional developments Wednesday.