The Senate passed legislation requiring operators of power plants and other critical infrastructure to report digital breaches to the federal government, according to POLITICO Pro (subscription).
The purpose: The bipartisan bill is designed to give the Department of Homeland Security more insight into digital threats to U.S. infrastructure.
Timing of bill related to Russia’s invasion of Ukraine: Supporters of the bill stressed the need to defend against foreign computer hackers in the wake of Russia’s invasion of Ukraine and increased tension between the U.S. and Russia.
Biden administration says no imminent threat: While acknowledging that U.S. infrastructure, specifically the energy sector, should remain vigilant during the Ukraine crisis, the Biden administration said there is currently no credible Russian threat to U.S. infrastructure.
Bill requires quick reporting: The Senate’s bill, titled the Strengthening American Cybersecurity Act, would require companies holding major U.S. assets to report “substantial cyber incidents” to the Department of Homeland Security within 72 hours and to report a ransomware payment within 24 hours.
Recent hacks spur action: The wheels started turning on new cybersecurity legislation after the 2020 SolarWinds hack, in which Russian hackers compromised at least nine federal agencies, and the Colonial Pipeline Co. hack last spring, which stalled gas flow to much of the East Coast.
House to consider legislation: It is now up to the House to pass its own version of the bill, which some representatives are saying is a top priority in the coming months.
Our take: “Manufacturers support a reasonable and flexible reporting deadline so long as good-faith efforts of critical infrastructure owners and operators are recognized when a covered incident occurs,” said NAM Vice President of Infrastructure, Innovation and Human Resources Policy Robyn Boerstling.
- “Rigid deadlines might not appropriately reflect the needed time to assess and investigate the covered cyber incident. While the proposed legislation sets a 72-hour deadline in statute and would be consistent with the European Union’s GDPR data breach standard, manufacturers believe the Department of Homeland Security’s CISA should be afforded some flexibility to shift deadlines based on emerging information and other factors. Additionally, as states continue to increasingly regulate cyber incidents, any federal legislative effort should seek to pre-empt state initiatives and avoid duplicative requirements at both the state and federal levels. Appropriate and sufficient liability protections are also critically important for manufacturers.”
Are you prepared for and protected from a cyberattack? NAM Cyber Cover was designed specifically to provide enhanced risk mitigation and protection for manufacturers, including insurance that covers pollution and bodily harm. Discover what vulnerabilities you may have, as well as other vendors with whom you work, as part of the proactive services created to protect the supply chain. Find out more at www.namcybercover.com.