Major cyber incident reporting requirement, CISA budget hike on precipice of becoming law

The Senate cleared legislation Thursday evening that would make the Cybersecurity and Infrastructure Security Agency a hub to receive mandatory industry reports about major cyber incidents and ransomware payments, as well as boost its budget 22% over last year.

Under the $1.5 trillion fiscal 2022 omnibus spending bill that now heads to the president’s desk for a signature, critical infrastructure owners and operators would have to report significant hacks to the Department of Homeland Security’s CISA within 72 hours and ransomware payments within 24 hours.

CISA Director Jen Easterly called the legislation — in the works since shortly after after late-2020 revelations about the SolarWinds breach that led to the compromise of U.S. government agencies and major tech companies — a “game-changer.”

“CISA will use these reports from our private sector partners to build a common understanding of how our adversaries are targeting U.S. networks and critical infrastructure,” she said. “This information will fill critical information gaps and allow us to rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to spot trends, and quickly share that information with network defenders to warn other potential victims.”

The road to enacting the cyber incident reporting legislation wasn’t without hitches, and didn’t include provisions sought by a variety of outside groups. Easterly had advocated for financial penalties for victims who didn’t comply with the reporting mandates, but instead the agency would have subpoena authority to obtain information about incidents.

Industry groups sought a less definitive timeline for reporting incidents, something an earlier House version of the legislation had accommodated, but lawmakers ultimately settled on a Senate proposal for a 72-hour deadline. The Justice Department protested that it wouldn’t directly receive joint reports alongside CISA, although the White House ultimately supported the bill, as did others.

“This legislation recognizes that front-line defenders can’t drop everything amid a cyber event to try and guess what to report to the government and how to do it,” said Greg Baer, president and CEO of the Bank Policy Institute. “It establishes clear guidelines on what is required to be reported before an event takes place so cyber experts can focus on doing their jobs in a crisis, while still ensuring their government partners have what they need to warn others and coordinate a government response.”

Bill sponsors failed late last year to attach the reporting mandates to a defense policy bill that reliably becomes law each year, but found a more fruitful vehicle in the fiscal 2022 omnibus.

That legislation appropriates approximately $2.6 billion for CISA, not only a boost from the prior fiscal year but $460 million more than the Biden administration requested.

Other agencies would get money designed to reckon with cyberattacks. The FBI would get $44 million to “bolster the Federal Bureau of Investigation’s operational response to cyber and intelligence threats stemming from Russia’s actions” in Ukraine, according to a Senate summary, while DOJ would get $16 million “to prosecute Russian cybercriminals and sanctions violators, and to support tracing, seizing, and forfeiting the proceeds of crime, including cryptocurrency.”

The Department of Energy would receive $30 million for “cybercleansing” and technical support to connect Ukraine to the European Union’s electricity grid. Its Cybersecurity, Energy Security and Emergency Response division would get nearly $30 million more than fiscal 2021.

Congressional summaries of the spending legislation also highlight cybersecurity funding for the Coast Guard, Office of Personnel Management, Secret Service, Transportation Department and Treasury Department.

Corrected 3/21/22: to fix timing of required ransomware payments.