Federal Legislation Requires Critical Infrastructure Groups to Report Cyberattacks

Newly passed legislation will require owners and operators of U.S. critical infrastructure to report when they get hacked or make a ransomware payment. Hailed as “historic” and a “game-changer,” the legal provision aims to support the federal government’s ongoing efforts to crack down on cyberattacks.

U.S. Sens. Gary Peters, D-MI, and Rob Portman, R-OH—Chairman and Ranking Member of the Senate Homeland Security and Governmental Affairs Committee, respectively—co-authored the cyber incident reporting provision. The legislation was passed by the U.S. Congress as part of the larger FY 2022 omnibus spending bill and is thus expected to be signed into law by President Joe Biden.

Specifically, the provision will require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a substantial cyberattack and within 24 hours of making a ransomware payment. The provision gives CISA, part of the U.S. Department of Homeland Security, authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Organizations that fail to comply with the subpoena can be referred to the U.S. Department of Justice.

The provision matches the Cyber Incident Reporting Act that Portman and Peters previously introduced and passed out of the Senate unanimously. According to the senators, the legislation is essential following high-profile cyberattacks against Colonial Pipeline and JBS Foods, as well as amid rising concerns about online threats from the Russian government in retaliation for U.S. support of Ukraine.

“It’s clear we must take bold action to improve our online defenses,” said Peters. “This historic effort will make sure our nation can deter cyberattacks against critical infrastructure companies, such as energy providers and banks, which can significantly disrupt American lives and livelihoods.”

“As our nation rightly supports Ukraine during Russia’s illegal, unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase,” said Portman. “The federal government must be able to quickly coordinate a response and hold these bad actors accountable.”

CISA itself has applauded the agency’s “many partners in Congress” for passing the legislation.

“Put plainly, this legislation is a game-changer,” said CISA Director Jen Easterly. “Today marks a critical step forward in the collective cybersecurity of our nation.”

The provision also requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and it directs the CISA director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.

According to the provision’s co-sponsors, the federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry, and the provision creates a federal council to coordinate, deconflict, and harmonize federal incident reporting requirements in order to reduce duplicative regulations.

Portman claimed the legislation “strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”

The Biden administration has taken several steps to help bolster the nation’s cybersecurity, including executive orders and public-private partnerships. On March 9, the U.S. Securities and Exchange Commission proposed a rule of its own that would require publicly traded companies to report cyberattacks within four days.