While previous cybersecurity legislation has largely been unable to pass through Congress, the Strengthening American Cybersecurity Act of 2022 was introduced by U.S. Senators Rob Portman (R-OH) and Gary Peters (D-MI), and has been viewed as a priority as threats of cyber incidents continue to rise. The Senate unanimously passed the Act, which, in its current form, would require federal agencies and critical infrastructure operators to report cyberattacks within 72 hours to the Cybersecurity and Infrastructure Security Agency (CISA). Should the legislative package make it through the House unchanged, it would also require critical infrastructure companies to report ransomware payments within 24 hours. The Act combines language from the three bills Senators Portman and Peters have authored in the past – the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act.

Attacks on Critical Infrastructure

Since the beginning of the COVID-19 pandemic, remote work has created more vulnerabilities for organizations, and 2021 brought an uptick of cyber threats to the U.S.’s critical infrastructure sectors. Just last year, hackers breached the network of the Colonial Pipeline, shutting down thousands of miles of pipeline, which resulted in increased prices and fuel shortages across the East Coast. JBS S.A., the world’s largest beef supplier had to shut down plants due to a cyberattack, leading to threats to the meat supply across the country. The Strengthening American Cybersecurity Act of 2022 was introduced in the face of increased potential cyber-attacks sponsored by the Russian government due to U.S. support of Ukraine.

“Cyber-attacks against federal networks and critical infrastructure companies – including oil pipelines, meatpacking centers, and wastewater treatment plants – have disrupted lives and livelihoods across the country. That is why, for months, I have been leading efforts to fight back against cybercriminals and foreign adversaries who launch these incessant attacks.” – Senator Gary Peters

Cyber Initiatives by Private Sector

With widespread threats to the U.S. economy and supply chains, all industries should be taking notice. CISA representatives are encouraging organizations of all sizes to be “prepared to respond to disruptive cyber activity.” The government is encouraging the private sector to modernize cyber defenses and to prepare for the threat of ransomware and other cyber-attacks. Many companies have been investing heavily in improving their cyber infrastructure and training their cybersecurity professionals. With the new Act on its way through Congress, and with cyber threats growing each day, companies would be well-served to ramp up their cybersecurity programs and strengthen their defenses.  In that regard, CISA has provided a number of recommendations for business leaders and Americans that provides a good summary of key areas of risk.