Connecting state and local government leaders
Proposals under consideration would require the owners and operators of critical infrastructure, potentially including state and local governments, to report cybersecurity incidents to a federal agency.
Critical infrastructure owners and operators would be required to report cybersecurity incidents under legislation proposed in Congress—potentially including some state and local governments.
The leaders of the Senate’s Homeland Security and Governmental Affairs Committee were the latest to introduce legislation that would require victims to disclose incidents like cyber and ransomware attacks to the Cybersecurity and Infrastructure Security Agency in a bid to improve information sharing.
The legislation, introduced Tuesday, requires that covered entities notify CISA of incidents within 72 hours. It does not explicitly list state and local governments as covered entities, but instead leaves the determination of what critical infrastructure owners and operators would be required to make notifications up to CISA.
The bill does, however, require that state and local governments, as well as nonprofits and businesses with more than 50 employees, disclose any ransomware payment within 24 hours.
The breach earlier this year by a hacker into a water treatment facility system in Oldsmar, Florida underscored the need for local governments and utilities to upgrade their software and facilities to protect critical infrastructure from cybersecurity threats. Other municipal hacks and ransomware attacks have shuttered schools, knocked government services offline, and even allowed hackers to steal sensitive police files.
“When entities—such as critical infrastructure owners and operators—fall victim to network breaches or pay hackers to unlock their systems, they must notify the federal government so we can warn others, prepare for the potential impacts, and help prevent other widespread attacks,” said Sen. Gary Peters, the chairman of HSGAC and a bill sponsor.
Similar cyber notification measures were included in the National Defense Authorization Act, which the House approved last week. The measure would create a new Cyber Incident Review Office and direct CISA to establish requirements and procedures for covered critical infrastructure owners and operators to report cybersecurity incidents.
While the consensus is that more information about cyberattacks needs to be shared, lawmakers are still working to find the best way to mandate cyber incident reports to ensure CISA gets helpful and timely information.
“Everyone says we’ve got to do a better job of sharing and reporting information,” said Alan Shark, the executive director of CompTIA’s Public Technology Institute.
In the past, resistance to reporting mandates has come from the private companies rather than the public sector, he said.
“The private sector does not say it’s opposed to sharing information. They are opposed to being forced to do so,” Shark said.
To address that issue, Sen. Mark Warner of Virginia, who has proposed a separate cyber incident notification bill, said legislation needs to include an enforcement mechanism.
“If you don’t report, there has to be some level of penalty,” Warner said Tuesday as he spoke at the Amazon Web Service Summit in Washington, D.C.
Warner’s bill gives CISA the ability to assess a fine if a covered entity is found to have not properly disclosed a cyber incident. He acknowledged that finding the right balance to compel reporting will be important because CISA needs to be able to collaborate with partners and should not be seen as a regulator.
"I think we will come to a conclusion, and I have high hopes that this will be attached to the defense authorization bill," Warner said.
Andrea Noble is a staff correspondent with Route Fifty.