Senate committee advances major cybersecurity legislation
The Senate Homeland Security Committee on Wednesday advanced to two bills aimed at boosting the U.S. government’s insight into cyberattacks on critical infrastructure operators and the private sector, as well as federal agencies.
The committee approved by voice vote the Cyber Incident Reporting Act, which would give critical infrastructure owners and operators up to 72 hours to report hacks and 24 hours to divulge ransom payments. The bill differs from one introduced earlier this year by the Senate Intelligence Committee that proposed a 24-hour window.
The senate bill, which was released last month by Chair Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio), also took on ransomware by requiring organizations, including businesses with more than 50 employees, nonprofits, and state and local governments, to notify CISA if they make a ransom payment.
The committee rejected an amendment by Sen. Rick Scott (R-Fla.) that would limit the scope of ransom payment reporting amendment to critical infrastructure operators. Many GOP members voiced concern that the mandate would prove burdensome to smaller businesses.
Peters said the 50-person threshold was not “carved in stone” and expressed support for an amendment from Portman that would raise it to somewhere between 200 and 500 personnel, a proposal embraced by some Republicans, like Sen. Mitt Romney (Utah).
The committee later adopted Portman's amendment, which would use the Small Business Act definition for “small business concerns” to exempt small businesses that meet that definition from having to comply with the ransom payment reporting requirement in the bill. The definition does not set a single threshold based on number of employees for all businesses.
Lawmakers also adopted by voice vote a Portman amendment that would, among other things, exempt religious organizations from having to report ransom payments.
In addition, the panel also okayed legislation from Peters and Portman that would update the 2014 Federal Information Security Modernization Act. It would require the Office of Management and Budget to develop digital security guidance for civilian federal agencies and mandate those organizations report breaches to CISA and OMB.
The measure comes in response to a recent review by the Senate committee on digital defenses within the federal government that found many key agencies lack good cyber hygiene.
Peters said he hoped to hitch the incident reporting legislation to the Senate version of the defense policy roadmap.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.