Senate approves cyber incident reporting bill amid worries about Russian threats

The Senate on Tuesday easily approved a bipartisan package of cybersecurity bills, including legislation that would require mandatory incident reporting for critical infrastructure firms.

The swift passage — done by unanimous consent ahead of President Joe Biden’s State of the Union address — marks an about face from just months ago when the measure was stripped from the annual defense policy bill.

The package represents “commonsense, bipartisan legislation that will help protect critical infrastructure from the absolute relentless cyber attacks that we see that threaten both our economy as well as our national security,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.) said on the Senate floor before the vote.

“I think this is especially important right now as we face increased risk of cyber attacks from Russia — and the cyber criminals that they harbor — in retaliation for our support for Ukraine,” Peters added. “I appreciate the Senate for coming together here tonight to get this important landmark bill done.”

The cyber incident reporting bill would mandate that critical infrastructure operations alert the Homeland Security Department within 72 hours of a hack and 24 hours if the organization made a ransomware payment.

The package — which combines three pieces of legislation Peters and Rob Portman (Ohio), the Homeland Security panel’s top Republican, previously advanced out of their committee — features a bill to update the Federal Information Security Modernization Act for the first time since 2014. The measure would codify the responsibilities of the government’s top cyber officials, such as the recently created National Cyber Director.

In addition, the package included legislation to authorize the General Services Administrations’ FedRAMP procurement program for five years.

The bill’s approval triggered quick praise by senior Democrats.

“So glad to see the Senate pass the Strengthening American Cybersecurity Act – with the mounting threat of Putin launching more cyber attacks against Ukraine or even the US, there has never been a more critical time to act to strengthen our cyber defenses,” Senate Intelligence Committee Chair Mark Warner (D-Va.) tweeted.

“This legislation has been around for a while,” Senate Majority Leader Chuck Schumer (D-N.Y.) said on the chamber floor. “For too long, certain business interests opposed it. But now they have come to see the light.”

He said that once the bill is signed into law “America will be a safer place from one of the greatest scourges we worry about: cyberattack.”

“I’m glad we’re doing this,” Schumer added.

Attention now turns to the House, where the supporters of the cyber incident reporting mandate have vowed to get the legislation to the president’s desk. 

However, they predicted the measure would likely have to be attached to another, must-pass piece of legislation, like the annual defense policy roadmap.