On September 28, 2021, Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Government Affairs Committee, respectively, introduced a bipartisan bill (the “Bill”) that would require owners and operators of critical infrastructure to notify the Director of the Cybersecurity and Infrastructure Security Agency (“CISA”) within 72 hours of having a reasonable belief that a covered cyber incident has occurred. Additionally, the Bill would require most entities (including businesses with 50 or more employees) that make ransom payments following ransomware attacks to report those payments to the CISA within 24 hours of payment. Notably, any entity required to submit a ransom payment report would first be required to conduct a due diligence review of alternatives to paying ransom, including an analysis of whether recovery from the ransomware attack is possible through other means, before making such a ransom payment. Critical infrastructure owners and operators also would be required to provide supplemental reports to the CISA in light of new or different information becoming available. All entities subject to these requirements would face data preservation obligations.
The Director of the CISA, in consultation with the heads of other federal agencies, would be charged with promulgating rules to implement these reporting and data preservation requirements. In addition, the Bill would establish within the CISA a new Cyber Incident Review Office (the “Office”) to receive and analyze reports related to covered cyber incidents, as well as to facilitate the voluntary sharing of threat, vulnerability, and mitigation information among critical infrastructure owners and operators. The Bill also would require the CISA to develop a ransomware vulnerability warning pilot program that would leverage existing authorities and technology to identify vulnerabilities associated with common ransomware attacks and notify the owners of the affected information systems.
The Bill would grant the CISA Director the authority to issue subpoenas against any entity that fails to comply with its reporting requirements under the Bill. Entities that fail to comply with subpoenas would be subject to referral to the Department of Justice for civil enforcement. Federal contractors that fail to comply with subpoenas would be subject to additional penalties from the General Services Administration, including suspensions or bars from contracting with the federal government.
The Director of the CISA, Jen Easterly, reportedly supports legislation requiring the reporting of cyber incidents to the CISA, though she favors considering fines as an enforcement mechanism beyond subpoena authority, stating, “I know some of the language talks about subpoena authority. My personal view is, that is not an agile enough mechanism to allow us to get the information that we need to share as rapidly as possible to prevent other potential victims from threat actors, so I think we should look at fines.”
For more information, read the Bill here.
We previously reported on a separate bipartisan bill introduced on July 21, 2021, which would require federal government agencies, federal contractors, and operators of critical infrastructure to notify the CISA within 24 hours of “confirmation” of a cybersecurity incident.