Peters and Portman Introduce Bipartisan Legislation Requiring Critical Infrastructure Entities to Report Cyber-Attacks

WASHINGTON, D.C. – U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack, and most entities to report if they make a ransomware payment. The bill will improve federal agencies’ understanding of how to best combat cyber-attacks, help our nation hold hackers accountable for targeting American networks, and bolster the federal government’s ability to help prevent these attacks from further compromising national security and disrupting the lives and livelihoods of Americans. Peters and Portman are also drafting separate legislation that will update the Federal Information Security Modernization Act – including requiring federal agencies and contractors to report when they are hit by cyber-attacks.

“The scourge of cyber-attacks that have disrupted the lives of countless Americans shows we are facing a crisis we are not fully prepared to address. When entities – such as critical infrastructure owners and operators – fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Senator Peters. “This important, bipartisan bill will create the first national requirement for critical infrastructure entities to report to the federal government when their systems have been breached, as well as require most organizations to report when they have paid a ransom after an attack. This will help our nation deter future attacks, fight back against cybercriminals, and hold them accountable for infiltrating American networks.”

“As cyber and ransomware attacks continue to increase, the federal government must be able to quickly coordinate a response and hold these bad actors accountable,” said Senator Portman. “This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”

Recent serious attacks include a breach earlier this year of a major oil pipeline that forced the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortage for communities across the East Coast. After that, world’s largest beef supplier paid a ransom to malicious cyber actors who had infiltrated their networks and threatened the U.S. meat supply. The senators’ bipartisan legislation would provide federal agencies with data needed to better understand these attacks and strengthen public-private communication to combat cybercriminals and protect American businesses, including critical infrastructure.

The Cyber Incident Reporting Act, which builds on legislation authored by U.S. Representatives Yvette Clarke (D-NY) and John Katko (R-NY), would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a cyber-attack. The bill also creates a requirement for other organizations, including nonprofits, businesses with more than 50 employees, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment. The legislation directs federal agencies that are notified of attacks to provide that information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements. The bill provides CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Entities that fail to comply with the subpoena can be referred to the Department of Justice and barred from contracting with the federal government. The legislation would also require entities who plan on making a ransom payment to evaluate alternatives before making the payment. Finally, the bill requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry.

As Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, Peters and Portman have led several efforts to strengthen our nation’s cybersecurity. The senators recently convened a hearing with top federal cybersecurity officials to examine additional resources and authorities the federal government needs to deter cyber-attacks. In August, the senators released Federal Cybersecurity: America’s Data Still at Risk, a report on federal agency cybersecurity, focused on eight specific agencies that revealed ongoing improvements are also needed to federal agency cybersecurity. Peters and Portman’s bipartisan legislation to promote stronger cybersecurity coordination between DHS and state and local governments has advanced in the Senate. In June, the senators also convened a hearing with the Chief Executive Officer of Colonial Pipeline to examine the ransomware attack against the company.

Text of the Cyber Incident Reporting Act, as introduced, can be found here