On 1 March 2022, the U.S. Senate unanimously approved the landmark Strengthening American Cybersecurity Act, which had been jointly authored by Democrats and Republicans.
This legislative package—which combines elements of legislation already passed in 2021—includes numerous measures to modernise and streamline federal government cybersecurity. One of its components—the Cyber Incident Reporting for Critical Infrastructure Act—notably requires critical infrastructure organisations to report cyberattacks to CISA within 72 hours and ransomware payments within 24 hours.
On Thursday 3 March 2022, the FBI and the Department of Justice (DoJ) reacted strongly to the act, which excludes them. The FBI Director said the legislation would “make the public less safe from cyber threats.” Assistant Attorney General Lisa Monaco claimed the bill leaves the FBI “on the sidelines and makes us less secure at a time when we face unprecedented threats.”
These statements were not well received by congressional representatives. The White House came out in support of the bill, saying that it was “exploring all options, to ensure that the legislation enables all relevant Federal agencies to receive and process these incident reports as quickly as possible to carry out their cybersecurity missions.”
On Friday 4 March 2022, CISA Director Jen Easterly reassured the FBI, writing on Twitter that the agency would share the incident reports with the FBI “immediately.”
“The Cyber Incident Reporting for Critical Infrastructure Act of 2022 is a critical step forward in ensuring our nation’s security. As the nation’s cyber defense agency, it gives CISA another key tool to respond to and mitigate the impact of cyber attacks. We have a terrific operational partnership with our FBI teammates and will continue to do so, to include always ensuring that cyber incident reporting received by CISA is immediately shared with them,” Jen Easterly said.