Legislation requiring critical infrastructure companies to report cyber-attacks to the federal government has been introduced in the United States Senate.
Leaders of the Senate Homeland Security and Governmental Affairs Committee put forward the new cyber-incident reporting bill yesterday. If enacted, critical infrastructure owners and operators would have to report cyber-attacks to the government within 72 hours.
The proposed bill echoes the defense authorization bill passed by the House of Representatives that requires critical infrastructure owners and operators to report significant cybersecurity incidents within a 72-hour time frame.
Included in the new legislation is a proposal to create a Cyber-Incident Review Office within the Cybersecurity and Infrastructure Security Agency (CISA). The role of the office would be to receive, aggregate, and analyze reported incidents.
The new bill would also make it mandatory for organizations, including businesses with more than 50 employees, nonprofits, and state and local governments, to inform CISA of any ransomware payments they make. Organizations infected with ransomware would be required by law to consider recovery tactics other than paying their attackers.
CISA would be empowered under the new legislation to subpoena entities that flout the incident-reporting and ransomware-payment requirements. Potential penalties for those that do not comply include referral to the Department of Justice and being banned from federal contracting.
Under the legislation, participants from federal agencies would create a Joint Ransomware Task Force "to coordinate an ongoing, nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation."
Homeland Security and Governmental Affairs chairman Gary Peters, who introduced the bill, said it could help to limit the impact of cyber-assaults.
“When entities, such as critical infrastructure owners and operators, fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Peters in a statement.
Earlier this month, Peters said that the Federal Information Security Modernization Act – which was last updated over six years ago – did not go far enough to protect federal networks. He then called for cyber-attack reports to be shared by the federal government in a timely manner.