as Part of Funding Bill
WASHINGTON, D.C. – A landmark provision authored by U.S. Senator Gary Peters (MI), Chairman of the Homeland Security and Governmental Affairs Committee, to significantly enhance our nation’s ability to combat ongoing cybersecurity threats against critical infrastructure has been signed into law as a part of the government funding legislation. The provision, which matches a provision in a bill Peters previously introduced and passed out the Senate unanimously, would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyber-attack or if they make a ransomware payment. The new law is a significant step to help the United States combat potential cyber-attacks sponsored by foreign adversaries, including potential threats from the Russian government in retaliation for U.S. support in Ukraine.
“In the face of significant cybersecurity threats to our country – including potential retaliatory cyber-attacks from Russia for our support in Ukraine – we must ensure our nation is prepared to defend our most essential networks. This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in American is reporting cyber-attacks and ransomware payments to the federal government,” said Senator Peters. “I applaud President Biden for signing this historic effort into law to provide CISA – our lead cybersecurity agency – with the insight and resources needed to help critical infrastructure companies respond to and recover from network breaches so they can continue providing essential services to the American people.”
Last year, cybercriminals breached the network of a major oil pipeline forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Last summer, the country’s largest beef supplier was hit by a cyber-attack, prompting shutdowns at company plants and threatening meat supplies all across the nation. As these kinds of attacks continue to rise, Peters’ historic law will ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems report to CISA in the event of a cyber-attack so that CISA can warn others of the threat, prepare for widespread impacts, and help get these essential systems back online as soon as possible.
The provision, which is based on the Peters’ Cyber Incident Reporting Act, requires critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack and within 24 hours of making a ransomware payment. The provision gives CISA the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Organizations that fail to comply with the subpoena can be referred to the Department of Justice. The provision requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the Director of CISA to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry and the provision creates a federal council to coordinate, deconflict, and harmonize federal incident reporting requirements to reduce duplicative regulations.
As Chairman of the Homeland Security and Governmental Affairs Committee, Peters has led efforts to increase our nation’s cybersecurity defenses. Peters’ bill to enhance cybersecurity assistance to K-12 educational institutions across the country was recently signed into law. His provision to provide staffing for the National Cyber Director office to improve cybersecurity policy was signed into law as a part of the annual defense bill. The senator secured several provisions in the bipartisan infrastructure law to bolster cybersecurity – including $100 million fund to help victims of a serious attack recover quickly.
###