Draft incident reporting legislation by Senate Homeland Security and Governmental Affairs Chairman Gary Peters (D-MI) and ranking member Rob Portman (R-OH) contains detailed language on ransomware including specific requirements related to reporting attacks and payments, along with a new task force and pilot program.
The Senate panel’s draft bill was shared with stakeholders this week and would launch a ransomware vulnerability warning pilot program and DHS-led task force, among the elements aimed specifically at ransomware that differ from the version crafted by the House Homeland Security Committee.
The draft Senate Homeland Security bill is similar in many respects to the draft by House Homeland Security cyber subcommittee Chairwoman Yvette Clarke (D-NY) and Homeland Security ranking member John Katko (R-NY) that was the subject of a hearing on Wednesday.
The Bank Policy Institute’s Heather Hogsett, who testified favorably on the Clarke-Katko bill at the Wednesday hearing, said of Peters-Portman: “To achieve the important goals of the legislation, any reporting bill that becomes law should avoid duplicating or conflicting with existing requirements, establish reporting expectations with sufficient time for firms to investigate and implement response measures, and enhance effective public-private partnerships.”
She said, “The newly released Senate Discussion Draft incorporates these important elements, aligns closely with bipartisan efforts in the House and warrants serious consideration.”
But the specific ransomware language is raising questions in some industry circles.
“The Clarke bill language already applies to ransomware incidents, but there seems to be another purpose to the language in Peters-Portman; they’re trying to disincentivize companies from making ransomware payments,” commented another industry source, who said the two bills are mostly identical otherwise.
“We need time to digest that language but it seems like apples and oranges” with the overall purpose of the Clarke bill, which is “very cybersecurity focused,” the source said.
The Peters-Portman bill would “require entities, including covered entities and except for individuals and small businesses, that make a ransom payment, either directly or through a third party, as the result of a ransomware attack against the entity to submit to the [new Cyber Incident Review] Office reports containing information relating to the ransomware attack and ransom payment.”
Both bills would create a CISA incident review office and require covered critical infrastructure entities to report “promptly” on “covered incidents,” while specifying that CISA cannot mandate submission of reports any sooner than 72 hours after confirmation of a covered incident.
Both call for CISA to issue an interim final rule on reporting procedures and requirements within nine months and explicitly call for gathering extensive input from the private sector during the rulemaking process.
The Peters-Portman measure also calls for entities to report when they make ransomware payments – and says CISA may set the timeline for submission of those reports between 24 and 72 hours of an entity making a ransomware payment.
Such reports are to include specific details on the use of virtual currency, and the bill says the incident review office shall “receive, aggregate, analyze, and secure reports related to ransom payments to identify tactics, techniques, and procedures, including identifying and tracking ransom payments utilizing virtual currencies, adversaries use to perpetuate ransomware attacks and facilitate ransom payments.”
Under Peters-Portman, CISA is directed within 90 days to “establish a ransomware vulnerability warning pilot program to leverage existing authorities and technology to specifically develop processes and procedures, and to dedicate resources, to identifying information systems that contain security vulnerabilities associated with common ransomware attacks, and to notify the owners of those vulnerable systems of their security vulnerabilities.”
The pilot program shall:
(1) identify the most common security vulnerabilities utilized in ransomware attacks and mitigation techniques; and
(2) utilize existing authorities, such as Crossfeed, to identify Federal and other relevant information systems that contain the security vulnerabilities identified in paragraph (1).
It establishes a process for CISA to notify an entity at risk of a ransomware attack.
Further, DHS is to launch the interagency Ransomware Task Force within six months of the bill’s enactment “to coordinate an ongoing, nationwide campaign against ransomware attacks.”
“The Senate draft shows there is agreement between the House and Senate Homeland Security committees on the general approach, the two bills are basically the same,” said an industry source. “The Peters-Portman ransomware language muddies the waters a bit, but the core of the two bills is the same.” – Charlie Mitchell