On March 1, 2022, the U.S. Senate passed by unanimous consent a package of three cybersecurity bills, known collectively as the Strengthening American Cybersecurity Act, which would enhance reporting requirements for certain major cyber incidents and ransomware attacks. Senators Gary Peters and Rob Portman, who co-sponsored the Act, expressed the urgency of enhancing the nation’s cyber readiness “in the face of potential cyber-attacks sponsored by the Russian government in retaliation for U.S. support in Ukraine.”[i]
The legislation would require critical infrastructure companies and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency if they suffer a substantial cyberattack. Critical infrastructure companies would also be required to report making ransom payments in response to a ransomware attack. In addition, the legislation would modernize the federal government’s cybersecurity posture and update the Federal Risk and Authorization Management Program for cloud computing. The legislation now moves to the House for consideration, where a bipartisan group of representatives is working to ensure passage.
Background
Cybersecurity and cyber incident reporting have been a key focus of federal legislative proposals over the past several years. In 2021, bipartisan groups of Senators introduced multiple bills aimed at bolstering the federal government’s ability to respond to major cyberattacks, with a particular focus on ransomware.
In September 2021, Senators Gary Peters (D-MI) and Rob Portman (R-OH) introduced the Cyber Incident Reporting Act, which proposed the first national requirement for critical infrastructure entities to report major breaches to the federal government, as well as a requirement for many organizations to report if they paid a ransom following a cyberattack. Later, in October, Senators Peters and Portman introduced separate legislation, known as the Federal Information Security Modernization Act of 2021, that would strengthen the federal government’s cybersecurity posture by, among other things, mandating security protections for federal information systems and the sensitive data they store. Finally, in December, Senators Peters and Portman, along with Senators Josh Hawley (R-MO), Maggie Hassan (D-NH), and Steve Daines (R-MT), announced the Federal Secure Cloud Improvement and Jobs Act, which would update and authorize the Federal Risk and Authorization Management Program to ensure federal agencies can adopt cloud-based technologies that improve government operations and efficiency.
Each of these bills advanced out of the Senate Committee on Homeland Security and Governmental Affairs, but none proceeded to a full vote in the Senate.
The United States’ support for Ukraine has increased the potential for retaliatory cyberattacks on key U.S. infrastructure by the Russian government. Last week, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued an advisory to “all organizations—regardless of size—[to] adopt a heightened posture when it comes to cybersecurity and protecting their most critical assets.”[ii] In addition to general guidance for organizations to increase their resilience, the advisory encourages corporate leaders to:
- empower their chief information security officers;
- lower their companies’ thresholds for reporting potential cyber incidents to senior management and the U.S. government;
- participate in tabletop exercises along with senior management and board members to test their companies’ responses to major cyber incidents;
- strengthen and test continuity plans for critical business functions; and
- adopt plans for a “worst-case scenario” to protect critical assets in the event of a major intrusion.
The Strengthening American Cybersecurity Act
In response to these developments, Senators Peters and Portman, who serve as Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, respectively, redoubled their efforts to pass legislation that would enhance the federal government’s ability to combat ongoing cybersecurity threats. On March 1, the full Senate passed by unanimous consent the Strengthening American Cybersecurity Act (the “Act”) introduced by Senators Peters and Portman in February. The Act combines provisions from the three bills noted above.
Cyber Incident Reporting
The Act requires entities in a critical infrastructure sector—which includes, for example, communications, critical manufacturing, energy, financial services, food and agriculture, healthcare and public health, information technology, and transportation systems—to report substantial cyber incidents to CISA “not later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred.” Reports made to CISA pursuant to this requirement would be exempt from disclosure under the Freedom of Information Act (“FOIA”) and similar laws.
The Act requires the Director of CISA to issue regulations to, among other things, set out clear descriptions of “the types of entities that constitute covered entities” and “the types of substantial cyber incidents that constitute covered cyber incidents” under the Act. Covered entities must be in “a critical infrastructure sector, as defined in Presidential Policy Directive 21,” and will be identified by CISA based on: “the consequences that disruption to or compromise of such an entity could cause to national security, economic security, or public health and safety”; “the likelihood that such an entity may be targeted by a malicious cyber actor”; and “the extent to which damage, disruption, or unauthorized access to such an entity . . . will likely enable the disruption of the reliable operation of critical infrastructure.” Covered cyber incidents require “substantial loss of confidentiality, integrity, or availability” of an information system or network; “a disruption of business or industrial operations” due to an attack against a system or network; or “unauthorized access or disruption of business or industrial operations due to loss of service.”
Similarly, the Act requires federal civilian agencies to report within 72 hours of determining there is “a reasonable basis to conclude” that they experienced “a major incident” to CISA and other entities, including certain congressional committees, the National Cyber Director, and the Comptroller General of the United States. “Major incidents” will also be defined by regulation, and will include, for example, incidents that are likely to have an impact on U.S. national, homeland, or economic security or the health and safety of the American people; likely to result in the inability of an agency to provide critical services; or likely to have a substantial privacy impact on a significant number of individuals.
Ransomware Response
In addition to the general cyber incident reporting requirement, critical infrastructure entities that make a ransom payment as the result of a ransomware attack must report the payment to CISA within 24 hours. The Act defines “ransomware attack” to mean “an incident that includes the use or threat of use of unauthorized or malicious code on an information system, or the use or threat of use of another digital mechanism such as a denial of service attack, to interrupt or disrupt the operations of an information system or compromise the confidentiality, availability, or integrity of electronic data stored on, processed by, or transiting an information system to extort a demand for a ransom payment.”
The Act also directs the Director of CISA to establish a “ransomware vulnerability warning pilot program,” which is tasked with identifying common security vulnerabilities utilized in ransomware attacks and determining which information systems used by government agencies and private companies contain those security vulnerabilities. The Director would be authorized to notify the owners or operators of any system identified to be vulnerable to ransomware attacks to support mitigation efforts.[iii]
Other Government Focused Provisions
- Federal Information Security Modernization – The Act contains numerous provisions intended to modernize and enhance the federal government’s cybersecurity capabilities. For example, the Act directs the Director of CISA and the Secretary of Homeland Security to issue guidance to federal agencies to conduct penetration testing on agency systems and creates a federal vulnerability disclosure program to promote collaboration with the public and with cybersecurity researchers in identifying vulnerabilities. The Act also adopts several provisions from the Executive Order on Improving the Nation’s Cybersecurity signed by President Biden on May 12, 2021.[iv] For example, the Act directs the head of each federal agency to submit progress reports on the implementation of “zero trust architecture” for agency IT systems based on a presumption of compromise and the need for continuous validation.
- Federal Secure Cloud Improvement – The Act also modernizes the Federal Risk and Authorization Management Program (“FedRAMP”), which was created in 2011 at the General Services Administration (“GSA”) to support the secure authorization and use of cloud computing products and services within the federal government. Among other things, the Act creates a FedRAMP Board to provide recommendations to the GSA Administrator regarding security assessments of cloud computing products and services and establishes a Federal Secure Cloud Advisory Committee “to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities.”
Takeaways
The bipartisan Strengthening American Cybersecurity Act reflects one of the most comprehensive legislative efforts by Congress to respond to developing cyber threats. While it has not yet passed the House, the increased urgency for cybersecurity reform prompted by the ongoing war between Russia and Ukraine greatly increases the possibility that the legislation will move quickly to the President’s desk.
While the Act has received broad support, the Department of Justice and the Federal Bureau of Investigation (“FBI”) have criticized the legislation for sidelining the FBI and slowing down its response to cyberattacks.[v] The agencies stressed that the FBI should receive reports of major cyber incidents on the same timeline as CISA and with the same protection from FOIA.[vi] Time will tell whether the Justice Department and FBI will be able to obtain changes to the Act, which appears to be on a fast track to enactment.
Companies in critical infrastructure sectors in particular should monitor developments with the Act. Although other efforts at federal cybersecurity laws have faltered in the past, it appears likely that such entities will face enhanced cyber incident reporting requirements in the near future.
[i] Senate Passes Peters and Portman Landmark Legislative Package to Strengthen Public and Private Sector Cybersecurity, U.S. S. Comm. on Homeland Sec. & Governmental Affairs (Mar. 2, 2022), https://www.hsgac.senate.gov/media/majority-media/senate-passes-peters-and-portman-landmark-legislative-package-to-strengthen-public-and-private-sector-cybersecurity-.
[ii] Shields Up Advisory, Cybersecurity and Infrastructure Sec. Agency, https://www.cisa.gov/shields-up.
[iii] Furthermore, the Act directs the Director of CISA, in consultation with the National Cyber Director, the Attorney General, and the Director of the Federal Bureau of Investigation, to create a Joint Ransomware Task Force to “coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.” The Task Force would be made up of federal government employees, and would be responsible for: consulting with private sector entities and state and local governments to identify ransomware-related needs and priorities; identifying a list of “highest threat ransomware entities” to facilitate investigative priorities; collecting and sharing analysis of ransomware trends; creating after-action reports and sharing lessons learned following a federal response to a ransomware attack; and “[d]isrupting ransomware criminal actors, associated infrastructure, and their finances.”
[iv] For further information, see the Cleary Gottlieb publication on “2021 Cybersecurity and Privacy Developments in the United States” at 11-12, https://www.clearygottlieb.com/-/media/files/alert-memos-2022/2021-cybersecurity-and-privacy-developments-in-the-united-states.pdf.
[v] DOJ says hack reporting bill ‘makes us less safe,’ Politico (Mar. 2, 2022), https://www.politico.com/news/2022/03/02/doj-hack-reporting-bill-fbi-less-safe-00013420.
[vi] DOJ pushes Congress for changes in cybersecurity act, Axios (Mar. 3, 2022), https://www.axios.com/doj-fbi-cybersecurity-act-03e91aa6-0b5c-46d7-bff3-2a423bb4af9e.html.