New Cybersecurity Legislation Would Require Firms to Report Hacks

The Senate passed a cybersecurity package on Tuesday that would require companies to report damaging hacks and ransomware payments to the government, bringing rules that the Biden administration sees as essential to protecting the United States' critical infrastructure closer to reality.

Source: WSJ | Published on March 3, 2022

The Strengthening American Cybersecurity Act is made up of three bills that aim to improve public and private-sector security, including modernizing federal agencies' cyber posture and updating how they can adopt cloud-based technologies. Covered businesses would be required to report specific breaches to the Cybersecurity and Infrastructure Security Agency within 72 hours, and ransomware payments within 24 hours.

The legislation, which was passed unanimously hours before President Biden delivered his State of the Union address to Congress, now heads to the House.

Improving visibility into privately owned computer networks has been a priority for the Biden administration since a cybersecurity firm discovered in 2020 that a Russia-linked group had breached federal agencies via a compromised SolarWinds Corp. software update. Since a ransomware attack on Colonial Pipeline Co. disrupted the East Coast's largest fuel conduit last year, officials have unveiled sector-specific regulations requiring many pipeline and rail operators to report hacks.

The legislation passed by the Senate on Tuesday would broaden such rules to include many companies in 16 federally designated critical infrastructure sectors, such as energy or financial services. Officials in the United States hope to analyze and disseminate data about cyberattacks among federal agencies and private-sector firms in order to prevent similar incidents in the future.

While the bill provides some guidance on which companies would be covered by the rule, citing potential economic disruption or national-security threats, CISA would make specific decisions in a formal rule-making process. CISA would similarly decide which types of incidents companies must report and what information they must share.

The legislation, introduced in February by Sens. Gary Peters (D-MI) and Rob Portman (R-OH), the chair and ranking member of the Homeland Security and Governmental Affairs Committee, would give CISA two years after the law's enactment to propose rules and another 18 months to complete them. Businesses would be protected from liability for the information they share, and there would be no penalties for failing to comply.

"You're going to want to comply because CISA is there to support you," Mr. Peters said in an interview on Tuesday. "The only way the industry can protect itself is for people to be aware of their surroundings."

CISA launched a voluntary information-sharing partnership with telecommunications companies and cloud-service providers last year, and in December used it to coordinate public-private responses to a flaw discovered in Log4j, an obscure but widely used software library. According to corporate executives and lobbyists, strict regulation could jeopardize such collaboration.

Over the last decade, lawmakers from both parties have tried and failed to pass an incident-reporting statute in the face of industry opposition and warnings that reporting rules would complicate companies' response to breaches. The Senate version, which broadly mirrors a blueprint previously passed by the House, reflects many trade groups' requests during a months-long lobbying campaign.

"72 hours is widely accepted across our membership as reasonable and doable," said Christopher Roberti, senior vice president for cyber, intelligence, and supply-chain security policy at the US Chamber of Commerce, last month. "What we like about this legislation is that there is a strong opportunity for engagement with the private sector as it [CISA] promulgates the rules."