Senate Passes Peters Landmark Provision Requiring Critical Infrastructure to Report Cyber-Attacks as Part of Funding Bill

WASHINGTON, D.C. – A landmark provision authored by U.S. Senator Gary Peters (MI), Chairman of the Homeland Security and Governmental Affairs Committee, to significantly enhance our nation’s ability to combat ongoing cybersecurity threats against critical infrastructure has passed the Senate as a part of the government funding legislation. The provision, which matches a provision in a bill Peters previously introduced and passed out of the Senate unanimously, would require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency (CISA) if they experience a substantial cyber-attack or if they make a ransomware payment. Once signed into law, the provision will mark a significant step to help the United States combat potential cyber-attacks sponsored by foreign adversaries, including online threats from the Russian government in retaliation for U.S. support in Ukraine.

“Critical infrastructure operators defend against malicious hackers every day, and right now, these threats are even more pronounced due to possible cyber-attacks from the Russian government in retaliation for our support of Ukraine. It’s clear we must take bold action to improve our online defenses. This provision will create the first holistic requirement for critical infrastructure operators to report cyber incidents so the federal government can warn others of the threat, prepare for widespread impacts, and help get our nation’s most essential systems back online so they can continue providing invaluable services to the American people,” said Senator Peters. “Our provision will also ensure that CISA – our lead cybersecurity agency – has the tools and resources needed to help reduce the impact that these online breaches can have on critical infrastructure operations. This historic effort will make sure our nation can deter cyber-attacks against critical infrastructure companies, such as energy providers and banks, which can significantly disrupt American lives and livelihoods and I look forward to seeing the President sign it into law.”

Last year, cybercriminals breached the network of a major oil pipeline forcing the company to shut down over 5,500 miles of pipeline – leading to increased prices and gas shortages for communities across the East Coast. Last summer, the country’s largest beef supplier was hit by a cyber-attack, prompting shutdowns at company plants and threatening meat supplies all across the nation. As these kinds of attacks continue to rise, Peters’ historic provision would help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches.

The provision, which is based on Peters’ Cyber Incident Reporting Act, would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyber-attack and within 24 hours of making a ransomware payment. The provision gives CISA the authority to subpoena entities that fail to report cybersecurity incidents or ransomware payments. Organizations that fail to comply with the subpoena can be referred to the Department of Justice. The provision requires CISA to launch a program that will warn organizations of vulnerabilities that ransomware actors exploit, and directs the Director of CISA to establish a joint ransomware task force to coordinate federal efforts, in consultation with industry, to prevent and disrupt ransomware attacks. The federal rulemaking process that will formalize aspects of this legislation also requires substantial consultation with industry and the provision creates a federal council to coordinate, deconflict, and harmonize federal incident reporting requirements to reduce duplicative regulations.

As Chairman of the Homeland Security and Governmental Affairs Committee, Peters has led efforts to increase our nation’s cybersecurity defenses. Peters’ bill to enhance cybersecurity assistance to K-12 educational institutions across the country was recently signed into law. His provision to provide staffing for the National Cyber Director office to improve cybersecurity policy was signed into law as a part of the annual defense bill. The senator secured several provisions in the bipartisan infrastructure law to bolster cybersecurity – including $100 million fund to help victims of a serious attack recover quickly.

###