On March 1, the U.S. Senate passed major cybersecurity legislation by unanimous consent. The Strengthening American Cybersecurity Act (the Act) would require critical infrastructure organizations to report substantial cyberattacks within 72 hours and ransomware payments within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA). The Act will now go to the House of Representatives, where several members are already lobbying to pass the bill quickly, although it is not currently on the schedule for debate or vote.
The House has tried to pass cyber legislation in the past, with no success. However, the Act comes against the backdrop of several high-profile cyber incidents and repeated warnings of potential cyberattacks against the U.S. by Russia as the conflict with Ukraine escalates.
The Act combines pieces of three bills. The Cyber Incident Reporting Act outlines the reporting requirements above. The Federal Information Security Modernization Act of 2021 amends the primary law governing cybersecurity of civilian agencies and incorporates new entities, like CISA and the National Cyber Director, into the federal reporting chain; it also requires the U.S. government to use risk-based modeling for cybersecurity preparedness and response. The Federal Secure Cloud Improvement and Jobs Act authorizes more resources for the government to adopt cloud-based technology through the Federal Risk and Authorization Management Program and allows the government to better account for vulnerabilities in the software supply chain.
A primary goal of the Act is to make CISA the central government agency for reporting, coordination, and response for cyber-related incidents. When reviewing past cyber events, congressional investigators found that victims were often confused about which federal agency to contact, with some contacting the FBI, some Treasury, and some CISA or other agencies. Investigators also found that federal agencies were often not central players in the incident response, and they were given limited information, making it difficult to determine who else might be impacted and how to prevent the attacks from spreading.
The quick reporting deadline has been met with some concern from the private sector, which argues that the top priorities in incident response are safety and securing critical operations, not necessarily information sharing.
Critical infrastructure is also not well-defined. The Act uses the broad definition found in Section 1016(e) of the U.S. Patriot Act of 2001: “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.” A more interpretative guide, though, may be CISA's definition of critical infrastructure sectors, which include: 1) Chemicals; 2) Energy; 3) Critical Manufacturing; 4) Food and Agriculture; 5) Healthcare and Public Health; 6) Financial Services; 7) Transportation; 8) Commercial Facilities, which include a diverse range of sites that draw large crowds for shopping, business, entertainment, or lodging; 9) Communications; 10) the Defense Industrial Base, which enables research, development, design, production, delivery, and maintenance of military weapons systems, subsystems, and components or parts to meet U.S. military requirements; 11) Nuclear Reactors, Materials, and Waste; 12) Water and Wastewater Systems; 13) Information Technology; 14) Emergency Services; 15) Government Facilities; and 16) Dams.
The Baker Botts Privacy and Security Team is monitoring these developments closely, including the House review of the Act, and will provide updates.