Senate Passes Portman, Peters Landmark Provision Requiring Critical Infrastructure to Report Cyberattacks as Part of FY 2022 Funding Bill

Historic Cybersecurity Reporting Legislation to be Signed into Law

WASHINGTON, DC – A landmark provision authored by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee, to significantly enhance our nation’s ability to combat ongoing cybersecurity threats against critical infrastructure has passed the Senate as a part of the FY 2022 bipartisan funding agreement. The provision, which matches the Cyber Incident Reporting Act that the senators previously introduced and passed out of the Senate unanimously, would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyberattack or if they make a ransomware payment. Once signed into law, the provision will mark a significant step to help the United States combat potential cyberattacks sponsored by foreign adversaries, including online threats from the Russian government in retaliation for U.S. support in Ukraine.

“As our nation rightly supports Ukraine during Russia’s illegal, unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable,” said Senator Portman. “This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. The legislation strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”

“Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber-attacks from the Russian government in retaliation for our support of Ukraine. It’s clear we must take bold action to improve our online defenses. This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people,” said Senator Peters. “Our provision will also ensure that CISA – our lead cybersecurity agency – has the tools and resources needed to help reduce the impact that these online breaches can have on critical infrastructure operations. This historic effort will make sure our nation can deter cyber-attacks against critical infrastructure companies, such as energy providers and banks, which can significantly disrupt American lives and livelihoods, and I look forward to seeing the President sign it into law.”

Last year, cybercriminals breached the network of a major oil pipeline, forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Last summer, the country’s largest beef supplier was hit by a cyberattack, prompting shutdowns at company plants and threatening meat supplies all across the nation. As these kinds of attacks continue to rise, Portman and Peters’ historic provision would help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches.

The provision, which is based on the senators’ Cyber Incident Reporting Act, would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyberattack and within 24 hours of making a ransomware payment. The provision gives CISA the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Organizations that fail to comply with the subpoena can be referred to the Department of Justice. The provision requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the Director of CISA to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry, and the provision creates a federal council to coordinate, deconflict, and harmonize federal incident reporting requirements to reduce duplicative regulations.

###