WASHINGTON, D.C. – U.S. Senator Gary Peters (D-MI) spoke with the Washington Post about his work as Chairman of the Homeland Security and Governmental Affairs Committee to pass landmark cybersecurity reforms that strengthen our national security. The Washington Post noted that under Peters’ leadership, Congress is advancing more significant cybersecurity reforms than during any previous term.
His historic, bipartisan bill to require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyber-attack or if they make a ransomware payment was signed into law as a part of the recent government funding legislation. Peters’ bipartisan bill to enhance cybersecurity assistance to K-12 educational institutions across the country was also signed into law. Additionally, Senator Peters secured several provisions in the bipartisan infrastructure law to bolster cybersecurity – including a $100 million fund to help victims of a serious attack recover quickly. Peters has also authored and passed significant reforms out of the Senate to require civilian federal agencies to report to CISA if they experience a substantial cyber-attack and ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency. Peters’ bipartisan bill to promote stronger cybersecurity coordination between the Department of Homeland Security and state and local governments has also passed the Senate.
People are paying more attention to hacks, and that’s helping Congress pass more cybersecurity bills
This is shaping up to be the most productive congressional term for cybersecurity in history — in no small part because of the efforts of Senate Homeland Security Committee Chair Sen. Gary Peters (D-Mich.).
Peters and the committee’s top Republican, Sen. Rob Portman (Ohio), shepherded the largest expansion of requirements for industry to share hacking information with government into law last year.
Before the close of this term, they hope to get at least two more big cyber bills into law — one that would upgrade the government’s aging and clunky information security requirements and another that would make it easier for government agencies to securely use cloud-computing systems. Both have already passed in the Senate.
That’s on top of other legislation Congress has passed surging funding to cyber offices including the Cybersecurity and Infrastructure Security Agency and expanding those agencies’ mandates.
The efforts have gone a long way toward upgrading the government’s cyber posture to meet the current threat — though there’s still a long way to go, most cyber analysts agree.
“If we’re going to be effective in fighting cybercriminals and cyberattacks, we have to be able to fight in a coordinated fashion and this puts the framework in place where we can do that,” Peters told me in an interview. “We’ve come a long way, but we can’t stop there.”
There were two big enabling factors for this burst of cyber legislation.
First: There was immense public pressure to get something done quickly — especially in the wake of a series of cyber crises including ransomware attacks against the oil, IT and agricultural sectors and heightened fears of Kremlin hacking after Russia’s invasion of Ukraine.
Peters described the results as a mix of legwork and timing.
- “We did all the groundwork to have really good bills,” Peters told me. “So when something happens that really brings everybody’s attention to an issue, we can act on it very quickly and provide a solution that people can immediately vote on and feel comfortable they’re taking action.”
Indeed, the cyber incident reporting bill passed the Senate with unanimous support — as did the other two bills they hope to get over the finish line.
- “That gives me a lot of leverage talking to my friends in the House that we’ve got 100 senators in support of the bills as written here in the Senate,” he said.
Second: Congress has slow-rolled cyber legislation for so long that even pretty common-sense measures seem like super big deals at this point.
- The cyber reporting bill that passed last year requires companies in critical infrastructure sectors, such as energy, transportation and manufacturing, to alert the government about significant cybersecurity incidents. It also requires those companies to alert the government when they pay ransoms to hackers.
- But it doesn’t require companies to meet any particular cyber standards. That’s a move many experts say is long past due — but it would probably take an even greater cyber crisis to impose such rules more broadly. The executive branch has imposed minimum cyber standards on a handful of sectors where it has the regulatory authority, such as pipelines.
- By contrast: The last time Congress passed a big cyber bill affecting industry in 2015 it merely gave companies the option of sharing hacking information with the government without any legal jeopardy. Even that measure was highly controversial and barely made it into law.
Peters’s next big cyber target is legislation aimed at helping make small businesses more resilient against ransomware and other hacks. Small businesses are a frequent target for ransomware hackers because they tend to have far weaker defenses than larger firms. But it’s proven difficult to get government cyber resources out to small businesses because they’re so diverse and widespread.
- “It is absolutely an existential threat to small businesses if they’re hit with a ransomware attack. So we’re thinking through how do we help small businesses defend themselves? How do we leverage federal cyber resources to work with small businesses?” Peters said. “It’s not an easy problem, but it’s one that we have to address.”