As Russian President Vladimir Putin’s war of aggression in Ukraine rages in the open, U.S. lawmakers have grown concerned about warfare that could break out behind the scenes: cyber attacks.
Though Russia has yet to launch any type of major virtual attack, lawmakers are renewing their efforts to pass a tranche of bills to shore up America’s cybersecurity infrastructure. (For a primer on cybersecurity, check out The Dispatch’s newest newsletter, The Current, by Klon Kitchen.)
On Tuesday, the Senate passed by unanimous consent a package of bills to help better prepare the nation’s cyberinfrastructure for such an attack, the Strengthening American Cybersecurity Act. Unanimous consent means no vote took place because no senators opposed it, and the normal Senate procedural rules were set aside in order to fast-track the bill.
Now, it’s on to the House.
“The need to protect this country from cyberattack—always very, very, very important—has assumed even greater importance now with Putin fighting in Ukraine and threatening cyberattacks throughout the world,” Majority Leader Chuck Schumer said on Tuesday. “And today the Senate is taking an urgently needed step to protect the American people, American critical infrastructure, and American government institutions from the dangerous threat of cyber-attacks.”
When asked by The Dispatch if the U.S. was vulnerable to cyberattacks, a senior Senate aide had a one-word answer: “Yes.” According to another aide, Department of Homeland Security Secretary Alejandro Mayorkas said in a briefing that passing a bill was one of his top priorities.
The bill is three different measures wrapped up into one. The component that’s gotten the most attention, the Cyber Incident Reporting Act, requires cyberinfrastructure entities—organizations in the 16 critical infrastructure sectors, including financial services, healthcare, water systems, and more—to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of the attack and ransomware payments within 24 hours. Currently, nothing requires owners or operators of critical infrastructure facilities to report attacks to the government.
Streamlining the government response will better equip the government to deal with attacks, Sen. Rob Portman, the ranking member of the Senate Homeland Security Committee, said on the Senate floor Wednesday. He added that the bill would enable “a coordinated, informed U.S. response to cyberattacks against the United States.”
Portman renewed his effort to pass the legislation last week, emphasizing its importance in the aftermath of Russia’s offensive into Ukraine.
But the bill has received pushback from some in the executive branch.
The bill doesn’t restrict a cyberinfrastructure entity from reporting an incident to the FBI, but it also doesn’t require it. It does require CISA to share incident reports with other relevant federal agencies. This addition came after the FBI expressed concerns about an earlier version of the incident reporting bill.
“This bill reflects changes from DOJ and FBI as well as many others to obtain the broad support it currently enjoys across government and the private sector,” Kylie Nolan, a spokesperson for Portman, told The Dispatch. “It is shameful that for some a bureaucratic turf war appears to be taking precedence over our nation’s security during this critical time.”
A CISA spokesperson told The Dispatch the agency does not comment on pending legislation, but simply added: “While there are not any specific, credible, cyber threats to the U.S., we encourage all organizations—regardless of size—to take steps now to improve their cybersecurity and safeguard their critical assets.”
House members, meanwhile, seem eager to pass the legislation.
Democrat Rep. Bennie Johnson, chairman of the House Homeland Security Committee, told The Dispatch an incident reporting requirement is especially important. “Most people assume that it already exists, but it does not exist in a planned, coordinated way,” he said.
Rep. John Katko, the ranking Republican on the House Homeland Security Committee, told The Dispatch he is a “big proponent” of the legislation.
“Especially right now we really need it,” he said. “We have to have all hands on deck.” He wants to study the other bills before deciding to support the package in the House, but, “if it’s the incident reporting—for sure. We need to get it done.”
The second component, the Federal Information Security Modernization Act of 2021, is meant to update cybersecurity measures across the federal government. “This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security,” Chairman of the Homeland Security Committee Gary Peters said in a statement about the bill.
The bill also changes requirements for when Congress should be notified of cyber attacks.
The final component of the package is the Federal Secure Cloud Improvement and Jobs Act, which authorizes the government to use money for the Federal Risk and Authorization Management Program, known as FedRAMP. That’s the program the government uses to evaluate cloud services that agencies may want to use.
A representative of Majority Leader Steny Hoyer’s office, which sets the legislative schedule in the House, couldn’t provide an update Thursday on when the House will take up the measures.