March 30, 2022 By Jonathan Reed

Federal agencies and critical infrastructure owners and operators may need to change how they respond to cyber attacks. The U.S. Congress passed new legislation mandating they report attacks within 72 hours. In addition, it requires them to report ransomware payments within 24 hours.

Provision impacts 16 critical infrastructure sectors

This new federal legislation was also influenced by the ongoing war in Ukraine. The Strengthening American Cybersecurity Act was first approved by the Senate in early March. Later, House lawmakers packaged the reporting clause into a larger omnibus spending bill. The Senate also passed this by a large margin earlier this month. The new bill now awaits President Joe Biden’s signature for approval.

The legislation targets organizations across 16 federally designated critical infrastructure sectors, including energy, financial, manufacturing and health care services. The larger omnibus bill includes some $14 billion in emergency assistance to Ukraine in its defense against Russia, with lawmakers often citing the rise of cyber threats in the conflict.

The provision includes further assistance for the departments of Defense, State, Justice, Treasury, Commerce and others. They will receive technological and continuity-of-government aid, which includes IT infrastructure and cybersecurity services.

Bipartisan support during Ukraine conflict

U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), chairman and ranking member of the Homeland Security and Governmental Affairs Committee, authored the bipartisan mandate.

In a statement, Senator Peters said, “Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber attacks from the Russian government in retaliation for our support of Ukraine. It’s clear we must take bold action to improve our online defenses. This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people.”

If signed by President Biden, the legislation would amend federal government cybersecurity laws to strengthen teamwork between federal agencies, require the federal government to adopt a risk-based approach to cybersecurity and require civilian agencies to report all cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within strict time limits. It would require reporting of cyber incidents to be completed within 72 hours and ransomware payments within 24 hours.

The provision also gives CISA the authority to subpoena entities that fail to report cyber attacks or ransomware payments. Meanwhile, it will oblige CISA to sponsor a program to alert agencies to exploitable vulnerabilities connected with ransomware. CISA Director Jen Easterly will establish a joint ransomware task force to organize the federal efforts.

Cybersecurity game changer

Commenting on the passage of the mandate, Easterly took to Twitter to say, “Thrilled to see that the cyber incident reporting legislation has passed! This bill is a game-changer & a critical step forward for our Nation’s cybersecurity. As the nation’s cyber defense agency, it will help @CISAgov better protect our networks & critical infrastructure.”

Easterly also commented that CISA will use incident reporting to render assistance to victims suffering attacks, analyze reporting to spot trends across sectors and quickly share information with network defenders to warn potential victims and help prevent further attacks.
