Hit by ransomware or paid a ransom? Now some companies will have to tell the government

US lawmakers pass a mandatory cyberattack reporting law for critical infrastructure.
Written by Liam Tung, Contributing Writer

Owners and operators of US critical infrastructure will now in some cases be legally required to report cyberattacks and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).  

The bipartisan provision was passed by the US Senate as part of the $1.5 trillion FY 2022 funding bill, with language matching the related Strengthening American Cybersecurity Act, which unanimously passed the Senate earlier this month. It requires critical infrastructure owners and operators to report substantial cyberattacks, such as ransomware, to CISA within 72 hours, and to report a ransomware payment within 24 hours of making it.

It aims to give the US government, through CISA, greater visibility into the current threat landscape facing US private and public sector organizations. CISA was granted $2.6 billion under the funding bill, $568 million more than last year, to bolster the security of American networks.

The authors of the bill and funding provision, senators Rob Portman (R-OH) and Gary Peters (D-MI), said it was urgently needed to counter potential cyberattacks sponsored by the Russian government in retaliation for US support for Ukraine.

"This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation's most essential systems back online so they can continue providing invaluable services to the American people," said Senator Peters. 

"Our provision will also ensure that CISA – our lead cybersecurity agency – has the tools and resources needed to help reduce the impact that these online breaches can have on critical infrastructure operations." 

CISA can also subpoena operators that fail to report incidents or ransomware payments. Failure to comply with a subpoena can be referred to the Justice Department and could result in a ban on contracting with the federal government.

Reporting ransomware payments within 24 hours to CISA is required for nonprofits, businesses with more than 50 employees, and state and local governments. 

The bill was introduced in September in the wake of Colonial Pipeline's week-long outage after suffering a major ransomware attack and a similar attack on meat processor JBS. Colonial paid around $4 million in cryptocurrency to the attackers.  

The provision requires that CISA launch a program to warn organizations of vulnerabilities that ransomware actors exploit. It directs the CISA director, Jen Easterly, to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks.

The FBI has campaigned against mandatory reporting to CISA, the Associated Press reports.

"We want one call to be a call to us all," FBI Director Christopher Wray said last week. "What's needed is not a whole bunch of different reporting but real-time access by all the people who need to have it to the same report." He also raised concerns about liability coverage that organizations have when reporting to CISA but not the FBI. 

CISA's Easterly said the cyber incident reporting legislation and funding provision was a "game changer". 

"CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting US networks and critical infrastructure," said Easterly. 

"This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims."