Representative Yvette D. Clarke (D-NY), Chairwoman of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, along with other representatives and with other ranking officers of the Cybersecurity, Infrastructure Protection & Innovation Subcommittee, presented the Cyber Incident Reporting for Critical Infrastructure Act of 2021. Meanwhile, the Biden administration expressed public support during congressional testimony for such requirements.
If this legislation is to come to fruition, it would require the DHS Cybersecurity and Infrastructure Security Agency (CISA) to organize requirements and procedures for critical infrastructure owners and operators to report cyber-attack incidents under this law. Additionally, under this legislation, critical infrastructure organizations and operators have to report cyber-attacks to the cybersecurity and Infrastructure Security agencies within 72 hours.
The bill will also mandate it to organizations, including businesses with more than 50 employees, state and governments, and non-profits organizations, to report CISA of any ransomware payments they make within 24 hours. Along with this, the law reads that any organization when infected by ransomware should use recovery tactics instead of paying ransom to the attackers.
According to the act, a new office will come into existence under CISA and it will be named “Review new Cyber Incident Office”. The office will be responsible for receiving, aggregating, and analyzing the reported cyberattack incidents.
The introduced law is partly in response to a surge of major cyber-attacks particularly from ransomware that has hit the government agencies and private sectors which own and operate 85% of critical infrastructure.
“As our nation continues to be faced with more frequent and increasingly sophisticated cyberattacks, authorizing mandatory cyber incident reporting is a key cybersecurity and national security priority,” said Chairman Thompson.
“I applaud Chairwoman Clarke, as well as Ranking Member Katko and Ranking Member Garbarino, for their months of dedicated work to put together this legislation to require covered critical infrastructure entities to report certain cyber incidents to CISA. Once enacted, CISA will be on the path to getting the information it needs to identify malicious cyber campaigns early, gain a greater understanding of the cyber threat landscape, and be a better security partner to its critical infrastructure partners.” He added.
