Lawmakers rally around cyber legislation following string of attacks

Lawmakers on Capitol Hill are scrambling to introduce legislation to address a devastating spike in ransomware and other cyberattacks on critical organizations such as Colonial Pipeline and JBS USA.

The effort marks a rare area of bipartisanship in an increasingly divided Congress, with lawmakers under pressure to confront cyber threats emanating from both foreign nations and cybercriminal groups making millions from holding companies for ransom.

“We think it’s essential for us to get our hands around this issue of ransomware, Colonial Pipeline is the biggest example, and then JBS, the meatpacking company, but it happens every day, and it happens to smaller companies too and individuals,” Senate Homeland Security and Governmental Affairs Committee ranking member Rob Portman (R-Ohio) told The Hill Thursday.

“We need a better federal defense and offense on it, and we need to be sure it’s a partnership with the private sector,” he added.

Portman is currently working with Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) on legislation to address the increase in ransomware and other crippling cyberattacks on critical organizations.

Peters told reporters last week that the legislation would be “comprehensive” and was necessary as cyberattacks have increasingly become “attacks on our very way of life.”

“I think every member on this committee agrees that this committee will focus our collective attention and resources on dealing with this problem,” Peters testified at committee hearing last week.

The bipartisan bill is part of a larger effort by Congress to address the rapidly expanding cyber threats, which have been in the spotlight in recent months due to both foreign and cybercriminal attacks.

Ransomware attacks disrupted operations in May at both Colonial Pipeline, the provider of 45 percent of the East Coast’s fuel, and JBS USA, the largest beef supplier in the nation, endangering critical supply chains.

These attacks came as the federal government continued to recover from the SolarWinds hack, in which Russian-government-backed hackers compromised nine federal agencies, and vulnerabilities on Microsoft’s Exchange Server application that potentially compromised thousands of groups.

In the wake of these attacks, Senate Majority Leader Charles Schumer (D-N.Y.) last week called on Peters and other Senate committee leaders to conduct a “government-wide review” of the incidents and make rolling out legislation to strengthen U.S. cybersecurity a priority.

“We in Congress have a responsibility to conduct oversight and determine whether our government needs an additional authority and resource to take the fight to cyber criminals and foreign intelligence services,” Schumer said on the Senate floor.

Peters is not the only committee leader working to put together cyber legislation.

Senate Intelligence Committee Chairman Mark Warner (D-Va.), Vice Chairman Marco Rubio (R-Fla.), and committee member Sen. Susan Collins (R-Maine) are circulating draft legislation meant to tackle the threat of ransomware attacks, first reported by CNN on Wednesday.

The draft bill, which was obtained by The Hill, would require federal agencies, federal contractors and owners and operators of critical infrastructure to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency (CISA).

It would give CISA 180 days after the bill became law to establish a reporting system to compile these reports and require the agency to submit annual potentially classified reports to Congress on all incidents.

The bill would critically also grant liability protections to groups that report breaches, with current voluntary standards for reporting often complicating the reporting process in recent years.

“I haven’t compared theirs and ours, it’s just based on our work in Intel and what we’ve learned, and as far as the rollout, we’d love to have it next week, but if not it will probably be after we come back in July,” Rubio told The Hill on Thursday.

In a separate effort, Sens. Lindsey Graham (R-S.C.), Sheldon Whitehouse (D-R.I.), Richard Blumenthal (D-Conn.), and Thom Tillis (R-N.C.) on Thursday reintroduced legislation originally rolled out in 2018 that would crack down on cyber criminals.

Their bill, the International Cybercrime Prevention Act, would tighten consequences for hacking a critical infrastructure organization, such as a dam or a hospital, along with expanding the Justice Department’s ability to go after botnet groups.

“What we’re seeing here is not just a weed, it’s an invasive species, it’s comparable to an invasive species that needs to be stopped in your garden before it takes over everything in that garden,” Blumenthal told reporters of cyber threats at a Capitol Hill press conference Thursday. “Here the garden will succumb to that invasive species if we don’t stop it.”

Graham said at the same press conference that he would “insist” on adding it to any infrastructure package the Senate potentially agrees on as a way to move it through Congress quickly.

“Now we’ve got a moment in time when we can’t ignore it anymore, I now deem this infrastructure,” Graham said. 

One key issue being looked at by both Capitol Hill and the Biden administration is creating mandatory cyber legislation or regulations to force critical infrastructure groups to enhance security.

The Transportation Security Administration last month issued a new security directive requiring pipeline companies to report cybersecurity incidents to CISA within 12 hours of them occurring, and are working on further regulations.

Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, on Thursday criticized what he described as past “happy talk bills” that created only voluntary cybersecurity standards and left the door open to more attacks. 

“I am pleased that it looks like we are going to insist on more accountability, so to speak, with contractors,” Wyden told The Hill.

While there are multiple bills with several sponsors in the mix, there is no disagreement that following a year in which hackers targeted everything from hospitals to schools to government agencies, action must be taken to stem the tide of attacks.

“You look back at some of the previous bills and it was not what I think the country needed and I think now every senator is saying to themselves, ‘this is pretty obvious,’ ” Wyden said.