Senators add CISA cyberattack/ransomware reporting amendment to defense bill
Four US Senators have introduced a new bipartisan amendment to the 2022 National Defense Authorization Act (NDAA) that will force critical infrastructure owners and operators as well as civilian federal agencies to report all cyberattacks and ransomware payments to CISA.
Two Democrats -- Gary Peters and Mark Warner -- worked alongside two Republicans -- Rob Portman and Susan Collins -- to push the amendment, which they said was based on Peters and Portman's Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021.
The amendment only covers confirmed cyberattacks and not ones that are suspected. But it forces all federal contractors to report attacks. There is no fine component in the amendment, one of the many provisions senators had been fighting over for months.
Victims organizations will have 72 hours to report attacks, another hotly debated topic among government cybersecurity experts. Some wanted it to be within 24 hours and others said it should be within a week.
But the 72-hour limit does not apply to all organizations. Some -- which the senators said included businesses, nonprofits and state and local governments -- would be forced to report ransomware payments to the federal government within 24 hours of payment being made.
"Additionally, the amendment would update current federal government cybersecurity laws to improve coordination between federal agencies, force the government to take a risk-based approach to security, as well as require all civilian agencies to report all cyber-attacks to CISA, and major cyber incidents to Congress," the senators said in a statement.
"It also provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks."
Warner, chairman of the Senate Select Committee on Intelligence, said the SolarWinds hack changed how the government needs to approach cyberattacks.
"It seems like every day, Americans wake up to the news of another ransomware attack or cyber intrusion, but the SolarWinds hack showed us that there is nobody responsible for collecting information on the scope and scale of these incidents," Warner said.
"We can't rely on voluntary reporting to protect our critical infrastructure -- we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, the full resources of the federal government can be mobilized to respond to, and stave off its impact. I'm glad we were able to come to a bipartisan compromise on this amendment addressing many of the core issues raised by these high-profile hacking incidents."
Peters, chairman of the Homeland Security and Governmental Affairs Committee, noted that cyberattacks and ransomware incidents have affected everything from energy sector companies to the federal government itself.
He lauded the amendment for putting CISA "at the forefront of our nation's response to serious breaches."
Portman explained that the amendment updates the Federal Information Security Modernization Act and gives the National Cyber Director, CISA, and other appropriate agencies "broad visibility" into the cyberattacks taking place across the country.
"This bipartisan amendment to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised," Portman said.
The $740 billion NDAA is sure to be passed before the end of the year but Senate Majority Leader Chuck Schumer faced backlash from Republicans and members of his own party this week for delaying the passage of the bill. The House approved their version of the bill in September and the House Armed Services Committee was finished with its version in July.
It is unclear whether the cybersecurity provisions in the bill will change once Senate and House leaders reconcile their differing versions of the NDAA.
While some companies and organizations have been reticent to embrace any mandatory cyberattack reporting measures, cybersecurity experts said overall, the country needs the rules in order to promote better habits.
Hank Schless, senior manager at cybersecurity firm Lookout, said that as national security and cybersecurity become more intertwined, having acknowledgement of its importance from both sides of the aisle will help get more done.
"This amendment follows suit of GDPR, which also requires organizations to inform any affected parties of a data breach within 72 hours. This holds organizations more accountable, and it will be interesting to see if there are any fines associated with failure to report these incidents as there are with GDPR. What's interesting is that most entities will be required to report whether they paid the ransom in the event of a ransomware attack. It's hard to guess what type of impact this may have," Schless said.
"If they're required to disclose when payment is made, perhaps these entities will be less willing to pay the ransom. Seeing this type of action at the Federal level shows that the US may be closer to implementing a nationwide data protection policy that's the equivalent of GDPR. Regardless of whether that ends up being the case, seeing this type of action at the highest level is encouraging for the future cyber defenses of the nation."
Rick Holland, CISO at Digital Shadows, said the status quo isn't working and expressed support for breach notification and ransomware payment requirements.
"We don't have a holistic view of how bad the problem is, and reporting mandates can at least quantify the scope of the issue. The challenge is that reporting isn't addressing the root cause of these incidents. The status quo is analogous to patients with chronic illnesses like heart disease; it has taken years to get to this state. There isn't a magical intervention that will mitigate the risk overnight," Holland said.
He went on to compare the amount of funding designated for cybersecurity to the funding given to fighter jet programs and other defense priorities.
"We have to address the root causes of the illness, not just the symptoms. Coordination and reporting won't solve our problems; organizations need to invest in cybersecurity, starting with people," Holland added. "Cybersecurity needs to have the same priority as these 'next generation' weapons systems."