Cybersecurity bills gain new urgency after rash of attacks

Bipartisan bills aimed at strengthening U.S. cybersecurity after a string of major attacks are making headway in both the House and Senate.

The rare cooperation between Democrats and Republicans is a sharp contrast to the partisan divisions over other measures like voting rights legislation and major infrastructure components.

“Unlike some of the other things I’m working on, huge, huge progress,” Senate Intelligence Committee Chairman Mark Warner (D-Va.) said of a cybersecurity proposal he is spearheading.

“We are very close to having almost every member of the committee on it,” Warner told The Hill on Tuesday. “It has been purely waiting for the members to get back [to Washington]. I’ve got to have a couple of member-to-member discussions, but the notion that we need some level of mandatory incident reporting. The fact that many business groups have coalesced behind this, I think it’s all great news.”

The draft bill, backed by Sens. Marco Rubio (R-Fla.) and Susan Collins (R-Maine) on the Intelligence Committee, would require federal agencies, federal contractors and owners and operators of critical infrastructure to report cybersecurity incidents within 24 hours to the Cybersecurity and Infrastructure Security Agency.

The legislation, in circulation since last month, would grant liability protections to groups that report breaches, going beyond the existing voluntary standards for reporting that have often hindered the government’s response in recent years.

“These voluntary approaches that have been pushed for so long have, in my view, so clearly contributed to some of the problems we have now,” said Sen. Ron Wyden (D-Ore.).

“So we’ve got questions; we are working through them,” he added.

Senate Intelligence Committee member Sen. Roy Blunt (R-Mo.) told The Hill on Wednesday that he would also be co-sponsoring the bill, while Sen. John Cornyn (R-Texas) indicated he might follow suit.

“I very much support the policy, and we are trying to work through some of the details,” Cornyn told reporters Wednesday.

Timing on introduction for the bill is still unclear, but lawmakers are pushing for swift action.

“I hope we can get it introduced as soon as possible,” Rubio said on Tuesday. “It seems not a week goes by that we don’t see a ransomware attack, each apparently more impactful and more devastating than the one before.” 

The progress on cybersecurity legislation comes after months of escalating attacks that have threatened national security and heightened tensions between the U.S. and Russia. 

The SolarWinds hack, discovered in December, allowed Russian government-linked hackers to compromise nine federal agencies and around 100 private sector groups for most of 2020. Ransomware attacks have been on the rise as well, with attacks on Colonial Pipeline, the source of 45 percent of the East Coast’s fuel, and on meat producer JBS USA in May wreaking havoc on critical supply chains. 

A ransomware attack on software company Kaseya earlier this month only served to further inflame concerns, with up to 1,500 companies potentially impacted, and the hack linked to the same Russian-based cyber criminals responsible for the attack on JBS USA.

“It’s a real crisis that we’re facing,” said Sen. Angus King (I-Maine), a member of the Senate Intelligence Committee. “I think this is a moment now where everyone understands the gravity of the problem, and we are addressing it.”

The recent strides on cyber-related bills come amid movement on diverging infrastructure plans — one bipartisan, the other Democratic-only — and a stalemate over sweeping voting rights legislation.

“I just would love an extra 15 minutes today to spend on that as opposed to bipartisan infrastructure or reconciliation,” Warner said of his cybersecurity legislation. 

The Senate Homeland Security and Governmental Affairs Committee is also getting in on the action with work on a bipartisan bill meant to tackle ransomware attacks. Chairman Gary Peters (D-Mich.) told The Hill this week that his committee hopes “to have it ready in the next week or two, and hopefully mark it up shortly thereafter.”

Cornyn noted that negotiations were ongoing between the Senate Intelligence and Homeland Security panels over their two bills, and that “minor differences” were getting resolved.

The Senate is not alone in moving forward with cyber legislation.

The House Homeland Security Committee approved a slate of bills in May aimed at securing critical infrastructure against hackers, including the Pipeline Security Act to shore up the security of companies like Colonial Pipeline.

The committee also approved the State and Local Cybersecurity Act, a major bipartisan proposal that would provide $500 million annually for five years to state and local governments to address increasing cyber threats.

A congressional source told The Hill on Wednesday that some of the committee bills were likely to get a vote on the House floor next week. Additionally, both the House Energy and Commerce and the Senate Judiciary committees are set to hold hearings on ransomware attacks before the end of the month. 

Rep. Jim Langevin (D-R.I.), one of the sponsors of the Pipeline Security Act and chairman of the House Armed Services Committee’s cybersecurity subcommittee, stressed Wednesday that it was past time to approve cyber legislation. 

“The bipartisan urgency to act on cybersecurity reflects the magnitude of threats facing our country,” Langevin said in a statement provided to The Hill. “After leading on this issue for more than a decade, I’m glad to see the progress we’ve made, but we still have much further to go.” 

While both the House and Senate have busy legislative calendars heading into the August recess, lawmakers emphasized that making progress on legislation to secure the nation against cyberattacks was critical.

“Cyberattacks are not going away, they are getting worse,” Cornyn said. “I think we are all feeling a sense of urgency.”