Lawmakers on Capitol Hill are scrambling to introduce legislation to address a devastating spike in ransomware and other cyberattacks on critical organizations such as Colonial Pipeline and JBS USA.
The effort marks a rare area of bipartisanship in an increasingly divided Congress, with lawmakers under pressure to confront cyber threats emanating from both foreign nations and cybercriminal groups making millions from holding companies for ransom.
“We think it’s essential for us to get our hands around this issue of ransomware, Colonial Pipeline is the biggest example, and then JBS, the meatpacking company, but it happens every day, and it happens to smaller companies too and individuals,” Senate Homeland Security and Governmental Affairs Committee ranking member Rob Portman (R-Ohio) told The Hill Thursday.
“We need a better federal defense and offense on it, and we need to be sure it’s a partnership with the private sector,” he added.
Portman is currently working with Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) on legislation to address the increase in ransomware and other crippling cyberattacks on critical organizations.
Peters told reporters last week that the legislation would be “comprehensive” and was necessary as cyberattacks have increasingly become “attacks on our very way of life.”
“I think every member on this committee agrees that this committee will focus our collective attention and resources on dealing with this problem,” Peters testified at a committee hearing last week.
The bipartisan bill is part of a larger effort by Congress to address the rapidly expanding cyber threats, which have been in the spotlight in recent months due to both foreign and cybercriminal attacks.
Ransomware attacks disrupted operations in May at both Colonial Pipeline, the provider of 45 percent of the East Coast’s fuel, and JBS USA, the largest beef supplier in the nation, endangering critical supply chains.
These attacks came as the federal government continued to recover from the SolarWinds hack, in which Russian-government-backed hackers compromised nine federal agencies, and vulnerabilities on Microsoft’s Exchange Server application that potentially compromised thousands of groups.
In the wake of these attacks, Senate Majority Leader Charles Schumer (D-N.Y.) last week called on Peters and other Senate committee leaders to conduct a “government-wide review” of the incidents and make rolling out legislation to strengthen U.S. cybersecurity a priority.
“We in Congress have a responsibility to conduct oversight and determine whether our government needs an additional authority and resource to take the fight to cyber criminals and foreign intelligence services,” Schumer said on the Senate floor.
Peters is not the only committee leader working to put together cyber legislation.
Senate Intelligence Committee Chairman Mark Warner (D-Va.), Vice Chairman Marco Rubio (R-Fla.), and committee member Sen. Susan Collins (R-Maine) are circulating draft legislation meant to tackle the threat of ransomware attacks, first reported by CNN on Wednesday.
The draft bill, which was obtained by The Hill, would require federal agencies, federal contractors and owners and operators of critical infrastructure to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA).
It would give CISA 180 days after the bill became law to establish a reporting system to compile these reports and require the agency to submit annual potentially classified reports to Congress on all incidents.
Critically, the bill would also grant liability protections to groups that report breaches; current voluntary standards for reporting have often complicated the reporting process in recent years.
“I haven’t compared theirs and ours, it’s just based on our work in Intel and what we’ve learned, and as far as the rollout, we’d love to have it next week, but if not it will probably be after we come back in July,” Rubio told The Hill on Thursday.
In a separate effort, Sens. Lindsey Graham (R-S.C.), Sheldon Whitehouse (D-R.I.), Richard Blumenthal (D-Conn.), and Thom Tillis (R-N.C.) on Thursday reintroduced legislation originally rolled out in 2018 that would crack down on cyber criminals.
Their bill, the International Cybercrime Prevention Act, would tighten consequences for hacking a critical infrastructure organization, such as a dam or a hospital, along with expanding the Justice Department’s ability to go after botnet groups.
“What we’re seeing here is not just a weed, it’s an invasive species, it’s comparable to an invasive species that needs to be stopped in your garden before it takes over everything in that garden,” Blumenthal told reporters of cyber threats at a Capitol Hill press conference Thursday. “Here the garden will succumb to that invasive species if we don’t stop it.”
Graham said at the same press conference that he would “insist” on adding it to any infrastructure package the Senate potentially agrees on as a way to move it through Congress quickly.
“Now we’ve got a moment in time when we can’t ignore it anymore, I now deem this infrastructure,” Graham said.
One key issue being looked at by both Capitol Hill and the Biden administration is creating mandatory cyber legislation or regulations to force critical infrastructure groups to enhance security.
The Transportation Security Administration last month issued a new security directive requiring pipeline companies to report cybersecurity incidents to CISA within 12 hours of them occurring, and is working on further regulations.
Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, on Thursday criticized what he described as past “happy talk bills” that created only voluntary cybersecurity standards and left the door open to more attacks.
“I am pleased that it looks like we are going to insist on more accountability, so to speak, with contractors,” Wyden told The Hill.
While there are multiple bills with several sponsors in the mix, there is no disagreement that following a year in which hackers targeted everything from hospitals to schools to government agencies, action must be taken to stem the tide of attacks.
“You look back at some of the previous bills and it was not what I think the country needed and I think now every senator is saying to themselves, ‘this is pretty obvious,’ ” Wyden said.