Senate committee advances major cybersecurity legislation


The Senate Homeland Security Committee on Wednesday advanced to two bills aimed at boosting the U.S. government’s insight into cyberattacks on critical infrastructure operators and the private sector, as well as federal agencies.

The committee approved by voice vote the Cyber Incident Reporting Act, which would give critical infrastructure owners and operators up to 72 hours to report hacks and 24 hours to divulge ransom payments. The bill differs from one introduced earlier this year by the Senate Intelligence Committee that proposed a 24-hour window.

The Senate Homeland legislation mirrors a bipartisan measure from the House Homeland Security Committee that was attached to that chamber’s annual defense policy bill as an amendment.

The senate bill, which was released last month by Chair Gary Peters (D-Mich.) and Ranking Member Rob Portman (R-Ohio), also took on ransomware by requiring organizations, including businesses with more than 50 employees, nonprofits, and state and local governments, to notify CISA if they make a ransom payment.

The committee rejected an amendment by Sen. Rick Scott (R-Fla.) that would limit the scope of ransom payment reporting amendment to critical infrastructure operators. Many GOP members voiced concern that the mandate would prove burdensome to smaller businesses.

Peters said the 50-person threshold was not “carved in stone” and expressed support for an amendment from Portman that would raise it to somewhere between 200 and 500 personnel, a proposal embraced by some Republicans, like Sen. Mitt Romney (Utah).

The committee later adopted Portman’s amendment but didn’t provide an exact figure before adjourning. Lawmakers also adopted by voice vote a Portman amendment that would, among other things, exempt religious organizations from having to report ransom payments.

In addition, the panel also okayed legislation from Peters and Portman that would update the 2014 Federal System Incident Response Act that would require federal civilian agencies to report breaches to CISA and OMB, as well as include new authorities that make CISA the lead agency on cybersecurity incidents affecting federal civilian agency networks.

The measure comes in response to a recent review by the Senate committee on digital defenses within the federal government that found many key agencies lack good cyber hygiene.

Peters said he hoped to hitch the incident reporting legislation to the Senate version of the defense policy roadmap.

The post Senate committee advances major cybersecurity legislation appeared first on The Record by Recorded Future.

Article Link: Senate committee advances major cybersecurity legislation - The Record by Recorded Future