Senators roll out bill giving organizations 24 hours to report ransomware attack payments

The leaders of the Senate Homeland Security and Governmental Affairs Committee on Tuesday introduced legislation that would give set timelines for cyber incident reporting, including giving certain organizations 24 hours to report if they paid the sum demanded in a ransomware attack.

The Cyber Incident Reporting Act, sponsored by committee Chairman Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio), would also require owners and operators of critical infrastructure to report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours.

Organizations required to report ransomware payments within a day of handing over the funds include critical infrastructure groups along with nonprofits, businesses with more than 50 employees, and state and local governments. 

The payment and incident information would go to a council at CISA, with the agency empowered to subpoena groups that fail to report. Organizations that fail to comply with the information would then be referred to the Justice Department, and potentially banned from doing business with the federal government. 

“This important, bipartisan bill will create the first national requirement for critical infrastructure entities to report to the federal government when their systems have been breached, as well as require most organizations to report when they have paid a ransom after an attack,” Peters said in a statement Tuesday. “This will help our nation deter future attacks, fight back against cybercriminals, and hold them accountable for infiltrating American networks.”

The bill was introduced as part of an effort by Congress to respond to a wave of major cyberattacks over the past year. 

These have included the SolarWinds hack, discovered in December, that allowed Russian government-backed hackers to access nine federal agencies for most of 2020, along with ransomware attacks on Colonial Pipeline, meat producer JBS USA, and IT group Kaseya in recent months. 

Both Colonial Pipeline and JBS USA chose to pay the hackers to regain access to their networks, though the Justice Department was able to recover the majority of funds paid by Colonial. 

“The scourge of cyber-attacks that have disrupted the lives of countless Americans shows we are facing a crisis we are not fully prepared to address,” Peters said. “When entities – such as critical infrastructure owners and operators – fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks.”

Portman stressed in a separate statement that “the federal government must be able to quickly coordinate a response and hold these bad actors accountable” in the face of increasingly damaging attacks. 

“This bipartisan bill will give the National Cyber Director, CISA, and other appropriate agencies broad visibility into the cyberattacks taking place across our nation on a daily basis to enable a whole-of-government response, mitigation, and warning to critical infrastructure and others of ongoing and imminent attacks,” Portman said. “This bill strikes a balance between getting information quickly and letting victims respond to an attack without imposing burdensome requirements.”

The new bill will join two other legislative efforts in Congress aimed at creating federal cybersecurity incident notification program. 

All but three members of the Senate Intelligence Committee in July introduced legislation that would give certain groups 24 hours to report cybersecurity incidents to the federal government. 

The House last week approved its version of the 2022 National Defense Authorization Act with language from bipartisan members of the House Homeland Security Committee that would bans CISA from requiring organizations to report cyber incidents earlier than 72 hours after they occurred.

Industry groups and some federal officials in recent weeks have thrown their weight behind the idea of a 72-hour window for cyber incident reporting, arguing that the 24-hour window was too narrow.

Officials have also pushed for legislation to include fines for organizations that fail to report instead of subpoenas, with CISA Director Jen Easterly testifying to the Senate Homeland Security and Governmental Affairs Committee that subpoenas were “not an agile enough mechanism.”

Senate Intelligence Committee Chairman Mark Warner (D-Va.) said at the AWS Summit in Washington, D.C., on Tuesday that his panel’s bill would likely “merge or collaborate” with the bill introduced by Peters and Portman, and that he had “high hopes” the incident reporting bill would be included in the Senate version of the 2022 NDAA.