Senate approves historic cyber incident reporting bill, sends to Biden's desk
The Senate on Thursday passed landmark legislation that will mandate critical infrastructure operators alert the federal government when they are hacked or make a ransomware payment.
“Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber-attacks from the Russian government in retaliation for our support of Ukraine,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.), who authored and shepherded the measure with ranking member Rob Portman (R-Ohio), said in a statement.
“It’s clear we must take bold action to improve our online defenses,” Peters added.
Lawmakers approved the bill late last night as part of a sweeping $1.5 trillion government funding deal. The House passed the legislation earlier this week. The bipartisan spending agreement now goes to President Joe Biden, who is expected to sign it into law.
The cyber incident reporting bill would mandate that critical infrastructure operators alert the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and within 24 hours if the organization pays a ransom.
In a statement, CISA Director Jen Easterly applauded the bill’s passage, calling it a “game-changer.”
She said the agency “will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure.”
Easterly also vowed her organization would work “collaboratively and transparently with our industry and federal government partners.” The pledge was a nod to the private sector, which has fought against reporting mandates for years, and to government agencies like the Justice Department and FBI, which wanted the reporting mandate amended so that the FBI would receive any hack information along with CISA, and which also wanted additional legal liability protections for victims.
“Thank you to Congress for passing the bill that mandates cyber incident reporting to the federal government. This is a huge step forward for our nation’s cybersecurity,” Homeland Security Secretary Alejandro Mayorkas tweeted.
The measure’s swift passage marks a complete turnaround from just a few months ago when it was stripped from the annual defense policy bill at the last minute.
It also gives congressional cybersecurity advocates a major legislative victory, as Capitol Hill has struggled to cement a cohesive policy response to the massive SolarWinds breach and last year’s high-profile ransomware attacks on the Colonial Pipeline and meat processing giant JBS.
Once the bill is signed into law, CISA will have up to two years to publish a notice in the Federal Register on proposed rulemaking to implement the program.
However, the agency could move forward much faster as officials and policymakers worry that Russian cyberattacks could spiral out of Moscow’s invasion of Ukraine or that the Kremlin could launch digital strikes on U.S. targets as Washington enacts economic sanctions over the conflict.
In addition to the cyber incident bill, the $1.5 trillion omnibus includes roughly $2.6 billion for CISA’s budget, a $300 million boost over the Biden administration’s funding request.
Easterly said the monetary boost “represents a recognition of the importance of our mission and the confidence of the Congress in our ability to defend our nation’s networks and critical infrastructure.”
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.