Cybersecurity legislation

Senate Boosts CISA Budget, Mandates Submission of Cyber Incident Reports to Agency

The Senate on Thursday passed a measure designating the Cybersecurity and Infrastructure Security Agency as the mandatory recipient of industry reports about major cyber incidents, while at the same time giving the agency a 22 percent budget increase over its 2021’s appropriation. The allocation of more power and financial resources to CISA was spurred by the SolarWinds breach that led to the compromise of U.S. government agencies and major tech companies, CyberScoop said Friday.

CISA Director Jen Easterly called the legislation a “game-changer,” saying her agency will use the reports submitted by affected industry stakeholders to build a common understanding of how America’s adversaries are targeting its networks and critical infrastructure. She said that unfettered access to cyber incident reports will facilitate assistance to victims and allow CISA to warn other potential victims.

Not all of CISA’s requests were granted by lawmakers, however. Easterly had sought the imposition of fines on organizations that would choose to conceal breaches on their data, but this was turned down. Instead, Senators gave CISA the authority to subpoena information that organizations may be trying to hide.

For his part, Greg Baer, president and chief executive officer of the Bank Policy Institute, said the legislation establishes clear guidelines on what information CISA requires before a breach takes place, allowing cyber experts to focus on doing their jobs in a crisis, while still ensuring the government has what it needs to warn others and coordinate a response.

The Senate measure allocates some $2.6 billion for CISA, $460 million more than the amount sought by the Biden administration. The bill now awaits President Joe Biden’s signature.