The Senate passed legislation Tuesday evening requiring critical infrastructure owners to report to the feds when they suffer a major cyberattack or make a ransomware payment — shaking loose a bill that got stuck in the chamber last year.
Under the measure, which now moves to the House for potential consideration, those critical infrastructure owners and operators as well as federal agencies would have to disclose a significant incident to the Department of Homeland Security’s Cybersecurity and Infrastructure Agency within 72 hours. The same owners and operators would have to report any ransomware payments to CISA, too, only within 24 hours.
Its intent is to give CISA the information it needs to more widely share threat data to help curtail major cyberattacks rippling through key targets, such as what happened in late 2020 when federal contractor SolarWinds suffered a compromise that ended up spreading to federal agencies and major tech companies.
The bill also contains other provisions designed to strengthen federal agencies’ digital defenses. The package got sidelined at the end of 2021 when lawmakers couldn’t resolve a dispute in time over whom the ransomware requirements should apply to, leaving it out of an annual defense policy bill that Congress has enacted for 61 straight years.
“As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyberattacks from the Russian government,” said Senate Homeland Security Chairman Gary Peters, D-Mich., the bill’s top sponsor. “Our landmark, bipartisan bill will ensure CISA is the lead government agency responsible for helping critical infrastructure operators and civilian federal agencies respond to and recover from major network breaches and mitigate operational impacts from hacks.”
Bill co-sponsor Sen. Angus King, I-Maine, said Senate passage was a big deal.
“I think this is one of the most important pieces of cyber legislation that we’ve ever enacted,” King told CyberScoop. “I think people are well aware that this is one of the weapons that [Russian President Vladimir] Putin has at his disposal and that we’d better be prepared, and this is a very important piece of that defense.”
Senate backers said they would continue to work with the sponsors of a similar House bill that nonetheless contains differences with the Senate version, such as a different timeframe for reporting incidents.
“Given the situation and the high level of concern that people have about cyber and a potential cyberattack on critical infrastructure,. I’m pretty confident that the House will move quickly,” King said.
The Senate legislation passed without objection.