A bill introduced this week would require critical infrastructure owners and operators to report "substantial" cyber incidents to the U.S. government.
The newly proposed bill, the Strengthening American Cybersecurity Act, would give critical infrastructure entities a 72-hour reporting deadline to notify the Cybersecurity and Infrastructure Security Agency (CISA) after experiencing a cyberattack. Critical infrastructure operators would also be required to notify CISA within 24 hours if they make a ransomware payment. Sen. Gary Peters (D-Mich.), who introduced the bill, said its aim is to bolster critical infrastructure security, as well as empower CISA to collect more data on critical infrastructure threats.
“This landmark, bipartisan legislative package will provide our lead cybersecurity agency, CISA, with the information and tools needed to warn of potential cybersecurity threats to critical infrastructure, prepare for widespread impacts, coordinate the government’s efforts, and help victims respond to and recover from online breaches,” said Peters in a statement this week. “Our efforts will significantly bolster and modernize federal cybersecurity as new, serious software vulnerabilities continue to be discovered, such as the one in log4j.”
The bill combines the language from three existing bills that Peters had previously authored, in hopes of raising the probability of getting these joint efforts passed: The Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, which aims to update FISMA for the first time since 2014, and the Federal Secure Cloud Improvement and Jobs Act, which would authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies.
The idea of mandatory incident reporting has gained traction over the past year, even as the National Defense Authorization Act omitted cyber incident reporting language in December for fiscal year 2022, to the disappointment of several lawmakers. Beyond critical infrastructure, many agencies across different sectors have been mulling incident reporting mandates, such as the U.S. Securities and Exchange Commission (SEC) this week discussing a 48-hour incident reporting mandate for investment advisers, companies and funds; and the Federal Deposit Insurance Corporation (FDIC) in November approved a rule requiring banks to notify regulators of security incidents within 36 hours.
At the same time, government agencies are working to become more efficient in how incident reporting is processed and handled, at least for federal agencies. In December, new guidance issued by the Office of Management and Budget (OMB) ordered CISA to create a strategy for implementing automated reporting tools.
“Cyber-attacks against federal networks and critical infrastructure companies – including oil pipelines, meatpacking centers, and wastewater treatment plants – have disrupted lives and livelihoods across the country."
Cyber incident reporting not only helps government agencies better understand how security threats are playing out and how to better defend against them, but can also give vital information for preventing other attacks, lawmakers have argued. While entities like the Cyberspace Solarium Commission has long advocated for this, FireEye’s voluntary disclosure of its own breach in December 2020 that led to the discovery of the SolarWinds hack shed a stark light on the significance of incident reporting.
Peters hopes that his bill would ensure critical infrastructure entities like electric grids, water networks and transportation systems can more quickly recover if they are hit by cyberattacks. Critical infrastructure security has been in the spotlight over the past year, as highlighted in President Joe Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity. As the chairman of the Senate Homeland Security and Governmental Affairs Committee, Peters has a previous track record with cybersecurity legislation, including authoring the “K-12 Cybersecurity Act,” which enhances cybersecurity assistance to K-12 educational institutions across the country and was signed into law in October; and the “State and Local Government Cybersecurity Act,” which would encourage federal security experts to share information regarding threats, flaws, and breaches, and that passed the Senate in January.
“Cyber-attacks against federal networks and critical infrastructure companies – including oil pipelines, meatpacking centers, and wastewater treatment plants – have disrupted lives and livelihoods across the country,” said Peters. “That is why, for months, I have been leading efforts to fight back against cybercriminals and foreign adversaries who launch these incessant attacks.”
Ben Miller, vice president of Professional Services and R&D with Dragos, said he would like more information about the logistics of this potential law, such as how it prevents “circular reporting” where two agencies are informed of security incidents but work separately.
“Certainly it makes sense that the government should know when critical infrastructure is actively being attacked,” said Miller. “It gets more complicated to then understand how the government can and can’t act on that information. CISA has done well in serving as an enabler rather than serving as a regulator or enforcer. This could send mixed messages to the industry on how they can best partner with CISA.”