Senate passes bill to mandate reporting of cyberattacks
House members were unable to pass their own version last year
The Senate on Tuesday passed a package of cybersecurity bills that would require operators of critical infrastructure as well as federal civilian agencies to report cyberattacks on their networks to the Cybersecurity and Infrastructure Security Agency.
The bill combines three separate measures championed by Sen. Gary Peters, D-Mich., chairman of the Homeland Security and Governmental Affairs Committee, and the panel’s top Republican, Sen. Rob Portman of Ohio.
The measure is Congress’ response to a series of significant cyberattacks, including the SolarWinds assault and the ransomware attack on Colonial Pipeline, that not only affected the victim organizations but also left federal agencies reeling to figure out who else might be affected and how to prevent the attacks from spreading.
Congressional investigators found that in many such high-profile attacks the victims often were unclear about which federal agency to alert. In some cases, victims called the FBI, the Treasury Department or other agencies.
The Senate passed the bill shortly before President Joe Biden delivered his State of the Union address, in which he highlighted the united Western front against Russia’s invasion of Ukraine. U.S. officials have been warily watching for signs of widespread Russian cyberattacks on Ukraine that could also spread to the rest of the world.
Peters said in a statement that as the United States and allies support Ukraine, “we must ready ourselves for retaliatory cyber-attacks from the Russian government.”
Cyberattacks can “significantly disrupt our economy — including by driving up the price of gasoline and threatening our most essential supply chains — as well as the safety and security of our communities,” Peters said.
The measure would help the U.S. government coordinate responses in a timely manner in the event of retaliatory cyber strikes from Moscow, Portman said in a statement.
The bill would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyberattack, and within 24 hours if they make a ransomware payment.
The bill also would require federal civilian agencies to report all cyberattacks to CISA and notify Congress.
Other elements of the bill would ensure that federal agencies migrate their work to cloud-based networks.
The House has yet to pass a similar bill after some lawmakers unsuccessfully attempted to attach a cyber-themed measure to last year’s defense policy bill.
The House bill is backed by Rep. Yvette D. Clarke, D-N.Y., chair of the Homeland Security subcommittee on cybersecurity, and Rep. John Katko, R-N.Y.
Both lawmakers have said they intend to push their proposal this year, but no floor time for debate and votes has been scheduled.