Portman, Peters Introduce Bipartisan Legislation Requiring Critical Infrastructure Entities to Report Cyberattacks

Bill Also Requires Most Private Entities to Report Ransomware Payments & Will Bolster National Cyber Defenses

WASHINGTON, DC – Today, U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyberattack, and most entities to report if they make a ransomware payment. The bill will improve federal agencies’ understanding of how to best combat cyberattacks, help our nation hold hackers accountable for targeting American networks, and bolster the federal government’s ability to help prevent these attacks from further compromising national security and disrupting the lives and livelihoods of Americans. Portman and Peters are also drafting separate legislation that will update the Federal Information Security Modernization Act – including requiring federal agencies and contractors to report when they are hit by cyberattacks.


“As cyber and ransomware attacks continue to increase, the federal government must be able to quickly coordinate a response and hold these bad actors accountable,” said Senator Portman. “This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.” 

“The scourge of cyber-attacks that have disrupted the lives of countless Americans shows we are facing a crisis we are not fully prepared to address. When entities – such as critical infrastructure owners and operators – fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Senator Peters. “This important, bipartisan bill will create the first national requirement for critical infrastructure entities to report to the federal government when their systems have been breached, as well as require most organizations to report when they have paid a ransom after an attack. This will help our nation deter future attacks, fight back against cybercriminals, and hold them accountable for infiltrating American networks.” 

Recent serious attacks include a breach earlier this year of a major oil pipeline that forced the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortage for communities across the East Coast. After that, the world’s largest beef supplier paid a ransom to malicious cyber actors who had infiltrated their networks and threatened the U.S. meat supply. The senators’ bipartisan legislation would provide federal agencies with data needed to better understand these attacks and strengthen public-private communication to combat cybercriminals and protect American businesses, including critical infrastructure. 

The Cyber Incident Reporting Act, which builds on legislation authored by U.S. Representatives John Katko (R-NY), House Homeland Security Committee Ranking Member, and Yvette Clarke (D-NY) would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a cyberattack. The bill also creates a requirement for other organizations, including nonprofits, businesses with more than 50 employees, and state and local governments, to notify the federal government within 24 hours if they make a ransom payment. The legislation directs federal agencies that are notified of attacks to provide that information to CISA and creates a Cybersecurity Incident Reporting Council to coordinate federal reporting requirements. The bill provides CISA with the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Entities that fail to comply with the subpoena can be referred to the Department of Justice and barred from contracting with the federal government. The legislation would also require entities who plan on making a ransom payment to evaluate alternatives before making the payment. Finally, the bill requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the National Cyber Director to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry. 

As Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee, Portman and Peters have led several efforts to strengthen our nation’s cybersecurity. The senators recently convened a hearing with top federal cybersecurity officials to examine additional resources and authorities the federal government needs to deter cyberattacks. In August, the senators released Federal Cybersecurity: America’s Data Still at Risk, a report on Federal agency cybersecurity, focused on eight specific agencies that revealed ongoing improvements are also needed to Federal agency cybersecurity. Portman and Peters’ bipartisan legislation to promote stronger cybersecurity coordination between DHS and state and local governments has advanced in the Senate. In June, the senators also convened a hearing with the Chief Executive Officer of Colonial Pipeline to examine the ransomware attack against the company. 

Text of the Cyber Incident Reporting Act, as introduced, can be found here.