Senators introduce bill to strengthen federal cybersecurity after attacks

Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio) introduced a bill Monday to overhaul and improve federal cybersecurity policies following multiple major cyberattacks.

The legislation is aimed at updating the Federal Information Security Modernization Act, signed into law in 2014, and takes steps to clarify reporting requirements for federal agencies if they are successfully targeted by hackers.

“Increasingly sophisticated cyber-attacks against our federal agencies by foreign adversaries – and criminal organizations they often harbor – highlight the urgent need to enhance federal cybersecurity,” Peters said in a statement Monday. 

The bill clarifies the Cybersecurity and Infrastructure Security Agency’s (CISA) role in responding to cybersecurity incidents, with federal agencies required to report major attacks to both CISA and Congress, and would ensure CISA is the lead organization on responding to these incidents.  

It also requires the Office of Management and Budget to develop guidance to help federal agencies best use funds to shore up cybersecurity, and codifies part of the executive order President Biden signed in May aimed at improving federal cybersecurity.  

“Since Congress last addressed this critical issue, online threats have rapidly evolved and CISA had not yet been created,” Peters said. “This bipartisan bill will help secure our federal networks, update cyber incident reporting requirements for federal agencies and contractors to ensure they are quickly sharing information, and prevent hackers from infiltrating agency networks to steal sensitive data and compromise national security.” 

Portman on Monday pointed to two reports put out by the committee since 2019 that found massive cybersecurity shortcomings at several federal agencies. These reports have raised even more concerns following the SolarWinds hack, discovered in December, which involved Russian government-linked hackers compromising at least nine federal agencies for much of 2020. 

“These reports show that federal agencies are unprepared to meet the sophisticated, determined threat we face and have failed to address many vulnerabilities for nearly a decade putting the sensitive data of all Americans at risk,” Portman said. 

Other attacks have forced cybersecurity protections to the forefront of congressional priorities in recent months, including the ransomware attacks on Colonial Pipeline, meat producer JBS USA, and IT company Kaseya, with up to 1,500 organizations compromised by the Kaseya incident. 

Peters and Portman have taken a lead role in pushing for legislation to tackle cybersecurity concerns in the wake of the escalating incidents. The senators introduced a separate bill last week that would require critical infrastructure owners and operators to report cyber incidents to CISA within 72 hours, and that give certain groups 24 hours to report if they paid ransomware demands. 

“The recent cyber and ransomware attacks against the federal government and critical infrastructure demonstrate the persistence and sophistication of our adversaries,” Portman said. “I urge my colleagues to join in supporting this common-sense, bipartisan legislation to update the Federal Information Security Modernization Act.”