iscover
ReporterShare this article on:
Powered by
MOMENTUM
MEDIA
The US Senate has passed a major cyber security legislation this week, moving one step closer toward forcing critical infrastructure companies to report cyber attacks and ransomware payments.
According to CNN, the new Strengthening American Cybersecurity Act combines parts of the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.
The new act, which combines language from three bills, would also require the government to take a risk-based approach to cyber security and would also authorise the Federal Risk and Authorization Management Program (FedRAMP) to ensure federal agencies can adopt cloud-based technologies.
The passage comes as US federal officials have repeatedly warned of the potential for Russian cyber attacks against the United States amid the escalating conflict in Ukraine.
The legislation, which still has to pass in the House, would require critical infrastructure owners and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they experience a substantial cyber attack.
It would also require critical infrastructure companies to report ransomware payments to the federal government within 24 hours.
In a statement, Democratic Senator Gary Peters of Michigan, who was the lead author on the package of bills, noted that online attacks have the potential to disrupt the economy, drive up gasoline prices and threaten supply chains.
"As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber attacks from the Russian government.
"This landmark legislation, which has now passed the Senate, is a significant step forward to ensuring the United States can fight back against cyber criminals and foreign adversaries who launch these persistent attacks.
"Our landmark, bipartisan bill will ensure CISA is the lead government agency responsible for helping critical infrastructure operators and civilian federal agencies respond to and recover from major network breaches and mitigate operational impacts from hacks," Peters said.
The reporting requirements were introduced in the Senate after several high-profile cyber security and ransomware incidents put pressure on lawmakers to better protect critical infrastructure and discourage attacks.
The 200-page act includes several measures designed to modernise the federal government's cyber security posture. The legislation updates the threshold for agencies to report cyber incidents to Congress and gives CISA more authority to ensure it is the lead federal agency in charge of responding to cyber security incidents on federal civilian networks.
The act also aims to authorise the FedRAMP for five years to ensure federal agencies can "quickly and securely adopt cloud-based technologies that improve government operations and efficiency".
The act attempts to streamline federal government cyber security laws to improve coordination between federal agencies and requires all civilian agencies to report all cyber attacks to CISA.
Last May, a ransomware attack on Colonial Pipeline prompted the company to shut down thousands of miles of pipeline and led to increased prices and gas shortages. That incident was followed several weeks later by a cyber attack on a major US meat producer, highlighting the impact ransomware can have on vital services in the US.
Peters further explained that the "landmark, bipartisan bill" would ensure that CISA is the lead agency helping critical infrastructure operators and the government respond to hacks.
"I will continue urging my colleagues in the House to pass this urgently needed legislation to improve public and private cyber security as new vulnerabilities are discovered, and ensure that the federal government can safety and securely utilise cloud-based technology to save taxpayer dollars," Peters said.
[Related: UK NCSC pushes to bolster cyber defences after Russia attacked Ukraine]
Be the first to hear the latest developments in the cyber industry.
