The US Senate on Tuesday passed major cybersecurity legislation to require organizations in critical industry sectors to report cyberattacks and ransomware payments to the US Government. The legislation, consisting of three bills, was unanimously passed by the Senate. The “Strengthening American Cybersecurity Act of 2022” aims to make both the public and private sectors better defended online. The act has been sent to the House for further consideration before it can be signed into law.
Previous attempts to pass similar legislation have stalled due to timing constraints. However, the legislation has been fast-tracked in light of the recent conflict in Ukraine. It is also thought that Western sanctions on Russia could result in retaliatory cyberattacks.
Under the new legislation, critical infrastructure owners and civilian federal agencies will be required to report a cyberattack within 72 hours to the US Cybersecurity and Infrastructure Security Agency (CISA). In addition, any organization deemed to operate critical infrastructure, such as in the energy or health care sectors, must report ransomware payments within 24 hours. Organizations that suffer cyberattacks must preserve the relevant data and update CISA as new or different information becomes available.
The new legislation aims to help gather intelligence on cyberattacks, such as who may be behind the attacks and what techniques the attackers are using. It also aims to create greater transparency about which companies suffer attacks, how many attacks they suffer, and the extent of the damage. In the past, companies may not have reported attacks at all.
CIOs and security leaders have been told they will need to update existing incident response plans to reflect the new reporting requirements. Executive management will need to be educated on the new legislation and how it affects their business. Companies are being encouraged to implement and maintain rigorous security monitoring and preventative tools, strengthening their security practices to prevent attacks.
The bill also updates the Federal Information Security Modernization Act to codify the responsibilities of top cyber officials such as the National Cyber Director, and authorizes the Federal Risk and Authorization Management Program (FedRAMP), the federal government's cloud computing security program, for five years.