Senators propose including a 72-hour timeline for reporting cyber incidents in the defense bill

A bipartisan group of senators is moving to insert a provision in the upcoming annual National Defense Authorization Act (NDAA) that would give certain critical infrastructure groups 72 hours to report major cyber incidents to the government.

The amendment, announced Thursday night, would also give critical infrastructure groups, nonprofits, state and local governments, and certain businesses 24 hours to report payments made to hackers due to a ransomware attack.

Reports on the incidents and payments would go to the Cybersecurity and Infrastructure Security Agency (CISA) as part of an effort to provide the government with greater transparency on the state of the nation’s cybersecurity following a year of intense attacks. .

The amendment is sponsored by the chairman of the Senate Committee on Government Affairs and National Security. Gary PetersGary Peters Activists lobbying the Interior for emergency protections for gray wolves Lawmakers are divided on next steps to secure transportation sectors against hackers Democrats say they have a way to negotiate climate provisions in the bill of expenses PLUS (D-Mich.), Rank Member Rob portmanRobert (Rob) Jones Portman Framing Our Future Beyond the Climate Crisis Conclusion Ohio’s Redistricting Commission Surrenders on the US House of Representatives Map MORE (R-Ohio), Chairman of the Senate Intelligence Committee Mark WarnerMark Robert Warner Progressives Declare Victory in Fight Against Spending Bill Tuesday’s Election Results Raise Questions About Biden Mellman’s Agenda: Election Lessons MORE (D-Va.) And Sen. Susan collinsSusan Margaret Collins Meghan Markle Personally Called Republican Senators To Boost Paid Leave: Report Democrats Stand Up To Manchin, Make New Push For Family Leave Manchin Doubles As House Puts Paid Leave On Bill Of expenses PLUS (R-Maine).

“Cyber ​​attacks and ransomware are a serious national security threat that has affected everything from our energy sector to the federal government and Americans’ own sensitive personal information,” Peters said in a statement.

The amendment is the result of negotiations between senators: Peters and Portman legislation introduced in September proposing the 72-hour schedule, while Warner, Collins, and all but three members of the Senate Intelligence Committee submitted a separate bill in July, setting a 24-hour schedule.

Industry groups They have rejected the 24-hour notification requirement, arguing that this did not give them enough time to assess incidents and limit the reporting of less important incidents.

“I am grateful to my colleagues for working together to introduce this bipartisan amendment that will take significant steps to strengthen cybersecurity protections, ensure that CISA is at the forefront of our nation’s response to serious breaches, and most importantly, requires a Timely report these attacks to the federal government so that we can better prevent future incidents and hold attackers accountable for their crimes, ”Peters said.

Calling for more action to address the threats, Warner pointed to the escalation of cyber incidents, which included ransomware attacks earlier this year at Colonial Pipeline and meat producer JBS USA, as well as the SolarWinds hack last year.

“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion, but the SolarWinds hack showed us that there is no one responsible for gathering information on the scope and scale of these incidents,” he said. Warner in a statement. . “We cannot rely on voluntary reporting to protect our critical infrastructure; we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, all the resources of the federal government can be mobilized to respond, and avoid its impact. “

“I am glad that we have been able to reach a bipartisan compromise on this amendment that addresses many of the core issues raised by these high-profile hacking incidents,” he added.

The amendment also includes language that updates the Federal Information Security Modernization Act (FISMA) to clarify the roles of key agencies in responding to cyber incidents, which is based on a separate piece of legislation. inserted by Peters and Portman last month.

“This bipartisan amendment to significantly update FISMA will provide the accountability necessary to address long-standing weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to promptly inform the American people if their information is compromised,” Portman said. it’s a statement.

The mandatory NDAA is often used to push other measures that would not otherwise get a vote. Last year’s NDAA included more than two dozen major cyber recommendations, including the establishment of the position of national cyber director in the White House.

Collins emphasized Thursday that an information requirement and other measures in the amendment were necessary to increase the security of the nation.

“You need to have a clear view of the dangers the nation faces from cyberattacks in order to prioritize and act to mitigate and reduce the threat,” Collins said. “Failure to implement a robust cyber incident reporting requirement will only provide our adversaries with more opportunities to gather information about our government, steal intellectual property from our companies and damage our critical infrastructure.”

“I urge my colleagues to pass our amendment, which is common sense and long overdue,” he said.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *