New Legislation Eyes Both Ransom, Incident ReportingBipartisan Bill Would Require 24-Hour Ransom Notice, 72-Hour Incident Report
A bipartisan effort to implement cybersecurity incident reporting and the tracking of ransomware payments has been introduced by leaders of the Senate Homeland Security and Governmental Affairs Committee. While it differs from other reporting legislation introduced in the Senate Intelligence Committee in July, lawmakers say they hope to reconcile the two bills.
In the proposed legislation - the Cyber Incident Reporting Act - certain organizations would be required to report ransom payments within 24 hours of delivery, and owners and operators of critical infrastructure would be required to report security incidents to the Cybersecurity and Infrastructure Security Agency within 72 hours of discovery.
The bill has been put forward by committee Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, and would require state and local governments, critical infrastructure groups, nonprofits and businesses with 50 or more employees to report ransom payments within 24 hours.
'First National Requirement'
The Senate bill would also amend the Homeland Security Act of 2002 to establish a Cyber Incident Review Office at CISA. The new body would have subpoena power over groups that fail to report - which could lead to inquiries from the Department of Justice and potential prohibition from doing business with the federal government.
"This important, bipartisan bill will create the first national requirement for critical infrastructure entities to report to the federal government when their systems have been breached, as well as require most organizations to report when they have paid a ransom after an attack," says Peters in a statement. "This will help our nation deter future attacks, fight back against cybercriminals, and hold them accountable for infiltrating American networks."
On the legislation, Von Welch, associate vice president for information security and executive director for cybersecurity innovation at Indiana University, tells Information Security Media Group, "With short timelines measured in days, the impact [of the bill] is that network defenders must take time away from responding to the incident, to report on it."
The Senate bill responds to a string of cyberattacks that have crippled networks over the past year, including the Colonial Pipeline ransomware attack that forced the company to shut down over 5,500 miles of pipeline. Then, JBS, the world's largest beef supplier, was hit with ransomware that disrupted facilities across the U.S. and threatened the meat supply.
"This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis, to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks," Portman says in a statement.
He adds, "This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements."
Not a Sufficient Time Frame?
Commenting on these notification windows, Chenxi Wang, a former vice president of research at Forrester and a former professor at Carnegie Mellon University, says, "It is not clear that 72 hours is a sufficient period of time for an organization to report an incident to CISA versus a focus on comprehensive assessment, validation, isolation and remediation of the potential incident to reduce the risk of further damage."
Wang, currently the general partner of cybersecurity venture capital fund Rain Capital, continues, "The disclosure of an incident that is ongoing or still being actively investigated may lead to unintended consequences such as the perpetrators covering their trails or inadvertently making the breach more difficult to remediate."
Cybersecurity officials in the Biden administration - including CISA Director Jen Easterly and National Cyber Director Chris Inglis - also said in a hearing last week that they would rather Congress include language in the bill that would levy fines against critical infrastructure operators that do not comply, rather than give additional subpoena power to CISA (see: Senators Debate Cyber Rules for US Critical Infrastructure).
Peters and Portman's bill joins other congressional efforts around incident reporting. For example, comparable legislation introduced in July by leaders of the Senate Intelligence Committee would require federal agencies, federal contractors and organizations that are considered critical to U.S. national security to report security incidents to CISA within 24 hours of discovery (see: Senators Introduce Federal Breach Notification Bill).
Under this Cyber Incident Notification Act of 2021, companies that do not report an incident within 24 hours could face a maximum financial penalty equal to 0.5% of the previous year's gross revenue.
Intelligence Committee Chairman Mark Warner, D-Va., said during an Amazon Web Services Summit in Washington, D.C., on Tuesday that his bill will likely merge with the version the Homeland Security and Governmental Affairs Committee introduced this week, and incident reporting language may appear in the Senate's version of the National Defense Authorization Act.
Following the introduction of Warner's bill this summer, some cybersecurity experts and industry groups said that it's unrealistic to expect organizations to report incidents within 24 hours of discovery.
Last week, the House approved its 2022 National Defense Authorization Act with language from bipartisan lawmakers that prohibits CISA from making the reporting time frame less than 72 hours.
'A Helpful Step'
Kayne McGladrey, an advisory board member for the Technology Alliance Group NW and cybersecurity strategist for the firm Ascent Solutions, tells ISMG, "These [various legislative efforts] all stem from the issue that there is no single source of truth on the volume or scope of cyberattacks, which has led to the perception that it is difficult to apply commensurate public and private policy responses."
Scott Shackelford, director of the cybersecurity and internet governance program at Indiana University, adds, "Requiring such reporting at the federal level is a helpful step in the right direction. Under Europe's data governance regime … GDPR, it's been standard since 2018 to have 72 hours to report incidents. … [Yet] enforcing that requirement is another matter, even if it does pass."
Nasser Fattah, chair of the North America Steering Committee for Shared Assessments, an organization developing best practices and educational tools around third-party risk assurance, notes, "There has been eager anticipation for the government to intervene and play a bigger role in cybersecurity attacks, particularly with critical infrastructure." He says that ideally, under this bill, "the government gets timely information related to a ransomware attack," which it can use to "formulate an overall response [to] best serve businesses of all shapes and sizes."