Legislation on infrastructure cyberattacks signed into law

Legislation introduced by U.S. Sens. Rob Portman (R-OH) and Gary Peters (D-MI) that would enhance the country’s ability to combat cybersecurity threats against critical infrastructure such as the electric grid and oil and gas pipelines was signed into law as part of the government funding legislation.

Portman and Peters, ranking member and chairman of the Homeland Security and Governmental Affairs Committee, respectively, said that a provision of the funding bill matches their Cyber Incident Reporting Act that would require critical infrastructure owners and operators to report any substantial cyberattack to the Cybersecurity and Infrastructure Security Agency (CISA). Those same operators/owners are also required to report if they make any ransomware payments.

The legislation will help the United States combat potential cyberattacks from foreign adversaries, including potential threats from the Russian government in retaliation for U.S. support in Ukraine.

“As our nation rightly supports Ukraine during Russia’s illegal, unjustifiable assault, I am concerned the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase. The federal government must be able to quickly coordinate a response and hold these bad actors accountable,” Portman said. “Now that our bipartisan legislation has been signed into law, it will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks. The legislation strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”

Under the provision, owners and operators would have 72 hours to report a cyberattack and 24 hours to report making a ransomware payment. The provision also gives CISA the authority to subpoena entities that fail to report incidents or payments and the authority to refer those who don’t comply with subpoenas to the U.S. Department of Justice. Additionally, the provision requires CISA to launch a program that warns organizations of vulnerabilities ransomware actors to exploit and directs the director of CISA to establish a joint ransomware task force.

“In the face of significant cybersecurity threats to our country – including potential retaliatory cyberattacks from Russia for our support in Ukraine – we must ensure our nation is prepared to defend our most essential networks. This historic, new law will make major updates to our cybersecurity policy to ensure that, for the first time ever, every single critical infrastructure owner and operator in American is reporting cyber-attacks and ransomware payments to the federal government,” Peters said. “I applaud President Biden for signing this historic effort into law to provide CISA – our lead cybersecurity agency – with the insight and resources needed to help critical infrastructure companies respond to and recover from network breaches so they can continue providing essential services to the American people.”