Cyber incident reporting measures approved in the omnibus spending bill

Critical infrastructure entities and federal agencies will have to report significant cyber incidents to CISA within 72 hours and ransomware attacks within 24 hours under legislation passed by the House that will likely become law.

The U.S. House of Representatives has passed key provisions of the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which would require critical infrastructure operations to alert the government when they are hacked or pay a ransom to threat actors. It is part of the $1.5 trillion omnibus spending bill passed by the House on Wednesday, which funds the federal government for the rest of the year. 

The incident report provisions contained in the Act, part of the broader Strengthening American Cybersecurity Act, failed to become law last year but passed the Senate unanimously on March 1.

72 hours to report incidents, 24 hours to report ransom payments

The incident reporting requirements contained in the bill require critical infrastructure entities and federal agencies to report significant cyber incidents and ransomware payments to DHS’s Cybersecurity and Infrastructure Security Agency (CISA) no later than 72 hours after the covered entity reasonably believes that the covered cyber incident has occurred and within 24 hours if they make a ransomware payment. Notably, the ransomware payment reporting requirements in the omnibus bill “shall apply even if the ransomware attack is not a covered cyber incident subject to the reporting requirements.”

Critical infrastructure organizations and federal agencies that fail to report incidents or ransomware payments are subject to subpoena by the director of CISA, who will be able to refer the matter to the attorney general to bring a civil action in a district court of the United States to enforce the subpoena. Courts could punish a failure to comply with a subpoena issued as contempt of court.

CISA can also make the incident reports available in an anonymized way and disseminate them, with defensive measures, to appropriate stakeholders, including sector coordinating councils, information sharing and analysis organizations, state, local, tribal, and territorial governments, technology providers, cybersecurity and cyber incident response firms, and security researchers, as appropriate. None of the reporting requirements will go into effect until CISA develops and implements a rulemaking that outlines how the requirements will work, which the agency will have up to 48 months to do.

Ransomware pilot program

CISA is also required to establish a ransomware vulnerability warning pilot program “to leverage existing authorities and technology to develop processes and procedures for specifically, and to dedicate resources to, identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of those vulnerable systems of their security vulnerability.”

The pilot program will identify the most common security vulnerabilities exploited in ransomware attacks and mitigation techniques and use existing authorities to identify information systems that contain the security vulnerabilities. The pilot program is slated to terminate four years after the date of enactment.

Task force to coordinate a campaign against ransomware attacks

Within 180 days after enactment, the bill also requires the CISA director, in consultation with the national cyber director, the attorney general, and the director of the Federal Bureau of Investigation (FBI), to establish and chair a Joint Ransomware Task Force, consisting of federal agency participants, to coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.

This task force will prioritize intelligence-driven operations to disrupt specific ransomware actors, consult with private, local government, and international stakeholders to identify needs, and establish mechanisms for providing input into the Joint Ransomware Task Force.

CISA is pleased, but the FBI is left out

Not surprisingly, CISA Director Jen Easterly has praised the reporting mandate as an overdue means of keeping the nation safe from cyber threats. Easterly and CISA have long complained that the lack of incident reporting requirements keeps the federal government in the dark regarding cyber threats and incidents.

However, Deputy Attorney General Lisa Monaco recently said the legislation would make the country “less safe,” and FBI Director Christopher Wray said it had “serious flaws” because it cuts the FBI out of the incident reporting chain, leaving the Bureau less capable of busting up cybercrime gangs.

At a House Intelligence Committee hearing earlier this week, Wray said that “We have agents out in the field who are responding, often within an hour or so, to a business that’s been hit and that’s happening thousands of times a year, so we need to make sure that information flow is protected.”

The Biden administration came down on the side of CISA, with White House National Cyber Director Chris Inglis supporting the bill without changes that would reflect the FBI’s concerns. The $1.5 trillion spending package allocates $2.59 billion for CISA, $300 million more than the Biden administration requested in its budget proposal.

Reaction among officials is generally positive

Reaction from other government officials to House passage of the bill was positive. Bipartisan leaders from the House Homeland Security Committee said in a press release, “Requiring owners and operators to report significant cyber incidents and ransomware attacks to CISA will mean greater visibility for the federal government, earlier disruption of malicious cyber campaigns, and better information and threat intelligence going back out to the private sector, so they can defend against future attacks. The authorities and resources provided in this bill can’t come soon enough, as CISA works to combat rapidly evolving cyber threats in this shifting geopolitical landscape.”

U.S. Senators Mark Warner and Tim Kaine (both D-VA) praised the omnibus bill’s passage, noting that Warner was one of the sponsors of the Strengthening American Cybersecurity Act of 2022, which contained the incident reporting measures.

This omnibus legislation now heads to the Senate, which will likely pass it before March 15, when a stopgap government funding measure expires, before sending it off to the President’s desk for approval.

Update 3/11/22: The Senate approved the omnibus bill last night, which is now headed to President Biden for his signature.

CISA Director Jen Easterly issued a statement saying, “CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure. This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims. CISA is committed to working collaboratively and transparently with our industry and federal government partners in order to enhance the security and resilience of our nation’s networks and critical infrastructure.

“Put plainly, this legislation is a game-changer. Today marks a critical step forward in the collective cybersecurity of our nation.

“We are also grateful to Congress for the unprecedented level of funding provided for CISA in the Fiscal Year 2022 Omnibus. This investment represents a recognition of the importance of our mission and the confidence of the Congress in our ability to defend our nation’s networks and critical infrastructure.”