Washington, D.C. – U.S. Senator Susan Collins (R-ME), a senior member of the Intelligence Committee, along with Senators Gary Peters (D-MI), Rob Portman (R-OH), and Mark Warner (D-VA), introduced a bipartisan amendment to the annual defense authorization bill to require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a cyber-attack. Most entities would be required to report if they make a ransomware payment. The amendment is based on the Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021.
“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” said Senator Collins. “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure. I urge my colleagues to pass our amendment, which is common sense and long overdue.”
The amendment would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack. Many other organizations, including businesses, nonprofits, and state and local governments, would also be required to report to the federal government within 24 hours if they make a ransom payment following an attack. Additionally, the amendment would update current federal government cybersecurity laws to improve coordination between federal agencies, force the government to take a risk-based approach to security, and require all civilian agencies to report all cyber-attacks to CISA and major cyber incidents to Congress. It also provides additional authorities to CISA to ensure it is the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks.
+++
Following the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, Senator Collins joined Senators Warner and Marco Rubio (R-FL) in introducing a bipartisan bill in July that would require federal agencies, government contractors, entities that provide cybersecurity incident response services, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery.
In 2012, Senator Collins introduced a bipartisan bill with former Senator Joe Lieberman that would have encouraged companies that operate critical infrastructure — such as water plants, electric companies and transportation networks — to take steps to boost the security of their computer systems and networks. It also aimed to make it easier for industry to share information about cyber threats spotted on their networks with the government.
###