The Senate Homeland Security and Government Affairs Committee voted today to approve the Cyber Incident Reporting Act, which would require critical infrastructure operators to report cyberattacks to the Federal government, and require most government and business entities to report to the government if they make a ransomware payment.
The bill sponsored by committee Chairman Gary Peters, D-Mich., and Sen. Rob Portman, R-Ohio, the committee’s ranking member, features a 72-hour cyberattack reporting window for critical infrastructure companies that was the subject of significant industry lobbying in recent weeks.
At a committee markup session today, much of the debate about the bill centered on the ransomware notification requirements. As the bill is currently written, all government entities would be required to report ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA), along with businesses that employ more than 50 people.
Committee members discussed relaxing that requirement for smaller businesses, and while they reached no formal conclusion today, they appeared to agree to back off the 50-employee threshold for businesses.
The intent of the ransomware reporting provision is to give CISA a more complete view of ransomware attack trends, and in turn, improve the Federal government’s ability to help government and private organizations better defend against them.
Sen. Peters said at today’s markup session that the ransomware reporting requirement is necessary to follow recent FBI guidance that all organizations should refuse to pay ransom demands. “When you give criminals a ransom, guess what you get? You [get] more attempts to get ransom,” he said.
Sen. Maggie Hassan, D-N.H., said that cyber threats and ransomware attacks are “the largest threat we have overall to our businesses … and our national security.” She added, “the way that cyber connectivity works, we are only as strong as the weakest link that we have.”
Sen. Peters said he wants to get the bill included in the FY2022 National Defense Authorization Act (NDAA), giving the committee a few weeks from now to work out differences in the ransomware reporting requirements for smaller businesses.