Portman on Senate Floor: “House Must Quickly Pass the Strengthening American Cybersecurity Act to Protect the Nation from Cyberattacks”

WASHINGTON, DC – Today on the Senate floor, U.S. Senator Rob Portman (R-OH), Ranking Member of the Homeland Security and Governmental Affairs Committee, delivered remarks applauding the Senate passage of his bipartisan landmark legislative package, the Strengthening American Cybersecurity Act, to significantly enhance our nation’s ability to combat ongoing cybersecurity threats against our critical infrastructure and the federal government. Portman urged the House of Representatives to quickly pass the legislation as it is urgently needed in the face of potential cyberattacks sponsored by the Russian government in retaliation for U.S. support of Ukraine. 

The legislation combines language from three bills Portman and U.S. Senator Gary Peters (D-MI) authored and advanced out of their Committee – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act. The combined bill will require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyberattack. It would also require critical infrastructure owners and operators to report ransomware payments to CISA, modernize the federal government’s cybersecurity posture, and authorize the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency. 

A transcript of his remarks can be found below and a video can be found here.

“I’m coming on the floor today to talk about another issue that is really important to our country and that is protecting us from cyberattacks. Last night, I commend this body because the United States Senate passed legislation called the Strengthening American Cybersecurity Act of 2022. What does that mean? It means that we took the time to do our homework, had hearings and reported out legislation that helps protect our government data, including personal data of American citizens, but also our national security data and other sensitive information from cyberattacks. Also, we put in place provisions to help protect the private sector, particularly critical infrastructure. And what’s going on right now around the world, particularly with regard to Russia and Ukraine, incredibly important that we put up better defenses here in this country, as well as helping Ukraine and other countries to fight against these cyberattacks. 

“In recent years, we’ve seen this time and time again. I’m sure you remember the Colonial Pipeline, remember they shut down gasoline distribution to the eastern part of the United States. These were cyberattacks. You’ve probably heard of some of these other cyberattacks like SolarWinds or ones where these criminal gangs demand a ransom using so called ransomware. This is happening increasingly and again, my concern is particularly with what’s going on today in our volatile and dangerous world that it will continue to happen and even become much more dangerous for us. The House of Representatives now has a chance to take up this legislation and pass it. They’ve been working with us on this all along on a bicameral basis, the House and the Senate. Republican, Democrat. This hasn’t been a partisan issue. It’s been one of these issues where we’ve worked together. 

“Senator Peters, who is the Chair of the Homeland Security and Government Affairs Committee. I’m the ranking Republican, top Republican. We worked together on this, but so did a lot of other members across the aisle, Senator Rubio and Senator Warner, Senator Collins and others. They, by the way, represent the Intelligence Committee, which also has a strong interest in this. In my role as the Ranking Member on Homeland Security, we spent a lot of time focused on the oversight of this issue, how to respond to things like SolarWinds we talked about or Colonial Pipeline or other cyberattacks. And what we have found is that these cyberattacks are increasingly sophisticated and that our own government doesn’t have the tools that they need. And that’s why this legislation is so important. 

“Russia’s invasion of Ukraine is an atrocity. It must not stand. But one of the things they have done in Ukraine for the last eight years and really before that as well, but particularly the last eight years since 2014 when Ukraine decided to turn to the west, to turn to us, because Russia has done these cyberattacks relentlessly in Ukraine, and they are stepping them up right now, along with the horrible scenes we see of the bombings of innocent civilians in their apartment buildings. I saw today that not only have hospitals and childcare institutions been bombed, but also the Holocaust Memorial in Kyiv has been damaged. So what the Russians are doing is appalling, and the entire freedom loving world needs to stand up to it. And we need to help Ukraine more. But one thing they have also done is they’ve launched these cyberattacks against the Ukrainian government and against the private sector infrastructure in Ukraine. That, too, is a place where we can help. But again, we need to be sure that we have our own house in order here to be able to be more helpful, to be able to provide the best practices and to help Ukraine be able to deal with these attacks, both kinetic attacks, these military attacks, and also the cyberattacks. 

“Many times, the cyberattacks are also mixed with disinformation attacks because the Russians are flooding the zone and trying to take their disinformation and their lies and spread it around to the Ukrainian people. By the way, not many people are believing it anymore because it’s so outrageous. In China, we see another sophisticated cyber adversary ramping up their rhetoric and their incursion into Taiwan’s air defense zone. All these threats make enacting this legislation we passed last night all the more important. Our legislation has three complementary bills combined into one. 

“First, it will protect our critical infrastructure better from cyberattacks by increasing our visibility as a country into these cyberattacks and building the government’s ability to warn potential victims and mount a nationwide defense and provide best practices to our critical infrastructure. It will strengthen the government’s own response and recovery capabilities, protecting sensitive data as well. And finally, it will make government acquisition and use of cloud services more secure, more accountable, more efficient, and significantly keep countries like China and Russia from being able to access the cloud. All of these bills were passed out of the Homeland Security and Governmental Affairs Committee with strong bipartisan support. And again, it passed the Senate overwhelmingly last night. 

“The first of these bills that I mentioned is called the Cyber Incident Reporting for Critical Infrastructure Act. Cyberattacks against US critical infrastructure, whether by foreign governments like Russia and China or criminal organizations, are, of course, a serious national security threat. Today, no one US government agency has visibility into all the cyberattacks occurring against critical infrastructure on a daily basis. We need that. We need to know what’s going on, to be able to warn other infrastructure, to be able to respond quickly. Right now, if Russia initiates a cyber-campaign against US critical infrastructure, there would be nothing to ensure that the US government is notified of that so it can mount a nationwide response and again, warn other critical infrastructure operators similarly situated. This bill would change that, enabling a coordinated, informed US response to cyberattacks against the United States. The Cyber Incident Reporting Act will require critical infrastructure owners and operators to report substantial cyberattacks within 72 hours and ransomware payments within 24 hours to what’s called the Cybersecurity and Infrastructure Security Agency. It’s called CISA. CISA has done an effective job in the Trump administration, now in the Biden administration, but they need these tools to be able to do a better job. CISA, having this information, would be able to use the data to immediately contact the FBI and other appropriate law enforcement, but also to help with best practices to mitigate the damage and to warn other critical infrastructures of threats, help these victims recover, analyze trends, and enable a whole of the nation defense in response to these attacks. It’s cyberattacks. It’s not soldiers with guns, but it can have some of the same horrible impacts and damage to our economy and to individuals. Again, think of the oil pipeline, Colonial Pipeline, being basically shut off to the whole east coast of the United States.

“The second bill, that’s part of this package is called the Federal Information Security Modernization Act, or FISMA. FISMA is the acronym for the way in which we protect our federal agencies. And unfortunately, we know that federal agencies, government agencies have failed to protect Americans’ data, our data, personal data. Last August, I released a report with Chairman Peters detailing the significant cybersecurity vulnerabilities of eight different key federal agencies; Homeland Security, State, Transportation, Housing and Urban Development, Health and Human Services, Agriculture, Education, and the Social Security Administration. The Social Security Administration, where a lot of our sensitive information is kept. This report that we issued followed a report just a few years ago in 2019 that I issued with Senator Carper when I was Chair of the Permanent Subcommittee on Investigations. And we investigated all eight of these agencies to determine how they were doing in terms of pushing back against cyberattacks. In last year’s report, only the Department of Homeland Security had an effective cybersecurity program. No other agency we reviewed met the standard, and we found that government wide the average cybersecurity grade and pushing back against these cyberattacks was a C minus, not the grade I would have wanted to take home to my parents, but that’s the truth. We’re just not prepared. 

“The report identifies several common agency vulnerabilities, including the failure to protect personally identifiable information. Again, think about some of these agencies, HHS or Social Security. That’s a big issue. Second, maintain an accurate list of the agency’s IT equipment so they know what they have. Third, install security patches quickly. And fourth, replace vulnerable and insecure legacy technology. A lot of these agencies have technology that needs to be updated. That’s stove-piped, in other words, isn’t working well together, and that makes it difficult for them to push back against these cyberattacks. In the seven years since FISMA was last updated, federal agencies have had the same vulnerabilities year after year, putting America’s data at risk. So this legislation takes the important steps to remedy these systemic problems we identified. It incorporates recommendations from my bipartisan reports with Senator Peters and Senator Carper, and will adopt a risk-based approach to cybersecurity budgeting, position the Cybersecurity and Infrastructure Security Agency, CISA we talked about earlier, as a lead agency in securing these federal networks, there needs to be accountability, and that’s missing now. We need to require agencies to notify Americans whose personal identifiable information is compromised during a breach. To me, this is just a basic requirement for government. If you have personal information that’s been breached because the government system has not been properly protected, you ought to be told about that so you can take your own steps to protect yourself. Complement the cyber reporting for a Critical Infrastructure Act by ensuring that federal agencies and contractors also notify CISA when they suffer a breach. We talked about that earlier, but having that information is very helpful. And finally, update the requirements for congressional notification when an agency suffers a major cyber incident. We have an oversight responsibility here. We need to know if there’s been a major cyberattack.

“Finally, this legislation includes a third part, which is called the FedRAMP Authorization Act. This is the one that will authorize the Federal Risk and Authorization Management Program that deals with cloud computing and protecting the cloud. FedRAMP is a government-wide program administered by the General Services Administration that provides agencies and cloud service providers with a standard approach to evaluating, authorizing, and monitoring the security of cloud services. So when a federal government agency wants to use the cloud services, they’ve got to go through this process. In the first four years of FedRAMP, the program authorized only 20 cloud service providers. Today, there are more than 230 cloud service providers, 30 percent of which are small businesses. This act builds on the successes of FedRAMP. Agencies continue to push to adopt commercial cloud solutions by addressing existing costs and processing times, but it also includes measures to strengthen the government’s response to foreign interference in our cloud systems. Supply chain security experts have warned us about the weaknesses in FedRAMP that leave our cloud systems vulnerable to interference from countries like Russia and China, North Korea, Iran. The reforms in this bill will allow for increased transparency and better monitoring of possible foreign influences in FedRAMP approved systems.

“For example, it requires an agency to review on an interagency basis government standards to identify and assess the origin of software and code, to provide the transparency and accountability needed into the FedRAMP approved systems that are developed and maintained by foreign engineers in countries like Russia and China. This bill also requires private sector third party assessment organizations to disclose to GSA any information they have related to any foreign interests, any foreign influences, any foreign control, of course, or ownership, and to report a change in foreign ownership or control to GSA within 48 hours. We’ve had instances like this where we’re using cloud based services that then become bought by a foreign entity and that is not reported and therefore, they continue to provide these services, which is something we need to stop. 

“I commend the hard work of so many of my colleagues in crafting this broader legislation, including Chairman Peters, Chairman Warner, Ranking Member Rubio, Senator Collins on the Intelligence Committee as well as so many other colleagues on the Homeland Security and Government Affairs Committee and the Intel Committee. I also want to thank our colleagues in the House, particularly Representatives Clark and Katko, because this has been a truly bicameral exercise both in terms of the oversight, identifying what the problems are and coming up with appropriate legislation. And by the way, this legislation is strongly supported by those in the administration who are responsible for dealing with cyberattacks. They need these tools and they want these tools. 

“We are not done yet because it’s just passed the Senate. It has not passed the House. But we need to move quickly to enact these important changes to modernize our cybersecurity posture. I urge the House to act quickly to be sure we can protect ourselves from cyberattacks, particularly in this increasingly dangerous environment. I would hope that we could send this incredibly important legislation to the president’s desk for signature very soon. And be sure we are doing all we know to do to be able to better protect our country and our citizens from cyberattacks.”