US Congress Passes Cyber Incident Reporting Mandate
Included in a $1.5 Trillion Spending Package Carrying $14 Billion in Ukrainian Aid
After months of political infighting, a landmark cybersecurity provision requiring critical infrastructure providers to report security incidents and ransom payments has passed both chambers of Congress and now heads to President Joe Biden's desk.
The provision, originally authored by leaders of the Senate Homeland Security and Governmental Affairs Committee - Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio - will require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency if they experience a substantial cyberattack (report due within 72 hours of the attack) or if they make a ransomware payment (report due within 24 hours of the payment).
The mandate comes as part of an omnibus spending bill that will fund the U.S. government - following a series of continuing resolutions doing so - and carries some $14 billion in emergency assistance to Ukraine amid its war with Russia and the ongoing humanitarian crisis. The assistance includes billions in programs to the departments of Defense, State, Justice, Treasury, Commerce and others for technological and continuity-of-government aid, including, in part, IT infrastructure and cybersecurity services.
Peters and Portman previously introduced stand-alone reporting legislation that passed committee and later introduced a broader package incorporating other sought-after cyber measures in the Strengthening American Cybersecurity Act, which passed the Senate unanimously last week. House lawmakers later embedded the reporting clause into the omnibus bill - which later passed the Senate by a 68-31 margin.
In a statement on Friday, Peters said: "Right now, these threats are even more pronounced due to possible cyberattacks from the Russian government in retaliation for our support of Ukraine. … This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts and help get our nation's most essential systems back online."
Peters says the provisions will ensure that CISA has the tools and resources needed to help reduce the impact of breaches and that entities such as energy providers and banks can deter such attacks.
Portman adds: "This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis. … The legislation strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements."
The provision gives CISA the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. And organizations that fail to comply with the subpoena can be referred to the Department of Justice. It also requires CISA to launch a program to warn organizations of vulnerabilities that ransomware actors exploit and calls for CISA Director Jen Easterly to establish a joint ransomware task force to coordinate federal efforts.
The program will be formalized through the federal rule-making process and will require consultation with industry. Despite being given up to two years to publish a notice in the Federal Register, many expect the nation's operational cyber agency to act swiftly on the rollout, citing increasing threats related to the Russia-Ukraine conflict.
The measure will also create a council to coordinate federal incident reporting requirements.
The wider spending measure also carries $2.6 billion for CISA's budget - which is $300 million more than what the Biden administration requested.
'A Game Changer'
Taking to Twitter following news of its passage, CISA's Easterly said: "Thrilled to see that the cyber incident reporting legislation has passed! This bill is a game-changer and a critical step forward for our nation's cybersecurity."
She said the agency will use the reports to render assistance to victims, analyze the data to spot trends and "quickly share information" with network defenders.
Easterly added that the agency intends to "work collaboratively with our industry and federal partners," and called the legislation "historic." She said "it's easy to report a cyber incident 24/7: email@example.com or call at 888-282-0870."
Secretary of Homeland Security Alejandro Mayorkas said on Twitter: "Thank you to Congress for passing the bill that mandates cyber incident reporting to the federal government. This is a huge step forward for our nation's cybersecurity."
"The presumed data generated by the new [act] will only improve how CISA advises the public on mitigating emerging threats," says Davis McCarthy, principal security researcher at the firm Valtix. "More threat intelligence means whole industries can harden against a threat actor's tactics, reducing the effectiveness of their campaign."
The mandate is a clear victory for cyber advocates on Capitol Hill - who have pushed for the provision. In December 2021, despite bipartisan consensus, the reporting measure was dropped from the annual defense spending bill at the eleventh hour (see: Cyber Incident Reporting Mandate Excluded From Final NDAA).
The passage comes after cybercriminals last year breached the network of Colonial Pipeline, forcing the company to shut down 5,500 miles of pipeline and causing increased prices and panic buying among consumers on the East Coast. Over the holiday season, threat researchers at Alibaba detected a widespread flaw in Apache's logging library - Log4j - embedded in hundreds of millions of systems worldwide.
And with Russian President Vladimir Putin continuing his military offensive in Ukraine - advancing troops toward major population centers and increasingly striking civilian targets - U.S. cyber officials have long warned that Moscow could retaliate against sanctions and activate its hackers to infiltrate U.S. or NATO-member networks. The fears prompted CISA to issue a "Shields Up" warning to U.S. organizations - urging additional resource allocation to cyber defense.
Also this week, Securities and Exchange Commission Chair Gary Gensler announced that the SEC is considering a proposal to mandate cybersecurity disclosures by public companies - to "strengthen investors' ability to evaluate public companies' cybersecurity practices and incident reporting."
"Over the years, our disclosure regime has evolved to reflect evolving risks and investor needs," said Gensler. "Today, cybersecurity is an emerging risk with which public issuers increasingly must contend. … Investors want to know more about how issuers are managing those growing risks."
The core of the proposal would require mandatory, ongoing disclosures of cyber incidents within four days of detection.
The rule would also require updates in "periodic reports" to give investors "more complete information on previously disclosed, material cybersecurity incidents," Gensler said.
"This is a good move … to standardize breach reporting and procedures for publicly traded companies and hold them accountable," Ray Kelly, a fellow at NTT Application Security, tells ISMG. "The current policies - which do not specify a time frame to report cybersecurity incidents to the public - have essentially allowed companies to disclose this critical information on their own merit, which could affect stock price or mergers and acquisitions."
The proposal passed the commission by a 3-1 vote and now goes to a 60-day public comment period.