US President Joe Biden has signed a $1.5 million government funding bill, which includes a law requiring critical infrastructure operators to report when their organization has been hacked or has paid a ransom to ransomware operators.
According to the “Strengthening American Cybersecurity Act”, operators of critical infrastructure must notify the Cybersecurity and Infrastructure Security Agency (CISA) of the US Department of Homeland Security within 72 hours after a cyber incident, or within 24 hours if the organization has paid a ransom to ransomware operators. The law also gives CISA the right to subpoena organizations that do not report a cyber incident or such payments.
As The Record reported, CISA will have up to two years to publish a notice in the Federal Register about the proposed rulemaking to implement reporting efforts, although this may happen faster due to increased concerns about cyber attacks by Russian hackers.
According to Senator Rob Portman, the law “will provide the National Director of Cybersecurity, CISA and other relevant agencies with a broad understanding of cyber attacks taking place in the country. This will ensure a nationwide response, mitigation of consequences and the adoption of protective measures.”