Portman, Peters Landmark Provision Requiring Critical Infrastructure to Report Cyberattacks Signed Into Law

WASHINGTON, DC – A landmark provision authored by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), Ranking Member and Chairman of the Homeland Security and Governmental Affairs Committee, to significantly enhance our nation’s ability to combat ongoing cybersecurity threats against critical infrastructure has been signed into law as a part of the government funding legislation. The provision, which matches the Cyber Incident Reporting Act that the senators previously introduced and passed out the Senate unanimously, would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyberattack or if they make a ransomware payment. The new law is a significant step to help the United States combat potential cyber-attacks sponsored by foreign adversaries, including potential threats from the Russian government in retaliation for U.S. support in Ukraine. 

“As our nation rightly supports Ukraine during Russia’s illegal unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable,” said Senator Portman. “Now that our bipartisan legislation has been signed into law, it will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. The legislation strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.” 

“In the face of significant cybersecurity threats to our country – including potential retaliatory cyber-attacks from Russia for our support in Ukraine – we must ensure our nation is prepared to defend our most essential networks. This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in American is reporting cyber-attacks and ransomware payments to the federal government,” said Senator Peters. “I applaud President Biden for signing this historic effort into law to provide CISA – our lead cybersecurity agency – with the insight and resources needed to help critical infrastructure companies respond to and recover from network breaches so they can continue providing essential services to the American people.” 

Last year, cybercriminals breached the network of a major oil pipeline forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Last summer, the country’s largest beef supplier was hit by a cyberattack, prompting shutdowns at company plants and threatening meat supplies all across the nation. As these kinds of attacks continue to rise, Portman and Peters’ historic provision would help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches. 

The provision, which is based on the senators’ Cyber Incident Reporting Act, would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyberattack and within 24 hours of making a ransomware payment. The provision gives CISA the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Organizations that fail to comply with the subpoena can be referred to the Department of Justice. The provision requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the Director of CISA to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry and the provision creates a federal council to coordinate, deconflict, and harmonize federal incident reporting requirements to reduce duplicative regulations.