The rules are part of a larger effort by the Biden administration and Congress to strengthen the country's cyberdefenses following a series of high-profile digital espionage campaigns and disruptive ransomware attacks. The reporting will provide the federal government with much greater visibility into hacking efforts that target private companies, which have frequently avoided seeking assistance from the FBI or other agencies.
"It's clear that we need to take bold action to improve our online defenses," said Sen. Gary Peters, a Michigan Democrat who chairs the Senate Homeland Security and Government Affairs Committee and drafted the legislation, in a statement on Friday.
The legislation requiring reporting requirements was approved by the House and Senate on Thursday and is expected to be signed into law by President Joe Biden soon. It requires any entity considered part of the nation's critical infrastructure, which includes the finance, transportation, and energy sectors, to report any "significant cyber incident" to the government within three days, and any ransomware payment to be made within 24 hours.
Ransomware attacks, in which criminals hack targets and encrypt their data until ransoms are paid, have grown in popularity in recent years. Last year's attacks on the world's largest meatpacking company and the largest U.S. fuel pipeline — which resulted in days of gas station shortages on the East Coast — demonstrated how extortionist hacking gangs can disrupt the economy and endanger lives and livelihoods.
Russian and Chinese state hackers have continued to have success hacking into and spying on US targets, including critical infrastructure targets. Russia's SolarWinds cyberespionage campaign, discovered at the end of 2020, was the most notable.
Experts and government officials are concerned that Russia's war in Ukraine has increased the threat of cyberattacks on US targets by state or proxy actors. Russia is home to a large number of ransomware operators.
"As our nation rightly supports Ukraine during Russia's illegal and unjustifiable assault," said Ohio Republican Sen. Rob Portman, "I am concerned that the threat of Russian cyber and ransomware attacks against U.S. critical infrastructure will increase."
The Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security is designated as the lead agency to receive notices of hacks and ransomware payments under the legislation. This alarmed the FBI, which had openly campaigned for changes to the bill in an unusually public disagreement over legislation supported by the White House overall.
"We want one call to be a call to all of us," FBI Director Christopher Wray said at a cyber event at the University of Kansas last week. "What is required is not a plethora of different reports, but real-time access to the same report by all those who require it." So that's what we're talking about — not multiple reporting chains, but multiple concurrent accesses to the information."
The FBI has also expressed concern that the liability protections that would apply to companies that report a breach to CISA would not apply to companies that report a breach to the FBI, which the bureau believes will unnecessarily complicate law enforcement efforts to respond to hacks and assist victims.
Lawmakers who worked on the bill have pushed back against the FBI, claiming that the agency's concerns about being notified of hacks and liability issues were adequately addressed in the final version.
The new rules also give CISA the authority to subpoena companies that fail to report hacks or ransomware payments, and companies that fail to comply with a subpoena may be referred to the Justice Department for investigation.