Legislation requiring critical infrastructure owners to report major cyber incidents to the federal government, and mandating that ransomware victims disclose when they make payments, has hit a significant snag in the Senate.
A bipartisan group of senators announced a proposal in November that would require critical infrastructure owners and operators to report major cyber incidents, as defined by CISA, to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency within 72 hours. It also would require a broader set of organizations, excluding only individuals and some smaller businesses, to report ransomware payments to CISA within 24 hours.
Advocates hope that by requiring swift reporting of major incidents, federal officials can help reduce the damage more quickly. Gathering intelligence about ransomware payments would help law enforcement and national security officials understand and act on digital extortion trends, officials say.
Backers were unable to advance the proposal last week for inclusion in the annual defense policy bill, amid Republican objections. Now, one GOP lawmaker is advancing an alternative proposal that he argues will be less burdensome for businesses that would have to report ransomware payments under the legislation.
Aides say negotiations over the legislation continue in a bid to ease passage of the incident reporting and ransomware payment bill via the fiscal 2022 National Defense Authorization Act (NDAA), a measure that Congress has passed for 60 consecutive years. The snag isn’t necessarily insurmountable, but the oft-sluggish nature of Senate procedure makes it potentially difficult to reach a standalone vote if no compromise is reached.
The underlying reporting proposal is sponsored by Sens. Gary Peters, D-Mich.; Rob Portman, R-Ohio; Mark Warner, D-Va.; and Susan Collins, R-Maine.
“This is a very important policy,” said an aide to Peters, who chairs the Senate Homeland Security and Governmental Affairs Committee. “There’s a lot of bipartisan support for this and Chairman Peters is going to keep working to get this included in the final NDAA.”
However, Sen. Rick Scott, R-Fla., has introduced his own amendment that would limit the ransomware payment reporting requirement to just critical infrastructure owners and operators. In October, Scott failed to win adoption of that amendment on a party-line vote during debate in Peters’ committee.
“He believes another onerous government mandate on businesses is not the answer,” a spokesperson said.
It’s a congressional debate with a parallel in the executive branch, where federal agencies have implemented — and plan to implement more — incident reporting deadlines on certain industry sectors. GOP lawmakers have objected to some of those requirements.
The debate took off after the SolarWinds cyber-espionage campaign, which compromised nine federal agencies and many more companies, and the Colonial Pipeline ransomware incident, which spurred a fuel panic on the East Coast.
Senators fling hundreds of amendments at the NDAA annually, a move that has inspired leaders to try to curtail floor votes in favor of folding amendments into larger packages in which any disputes have already been worked through. Last year, only a handful of amendments received a recorded vote.