(Bloomberg) — The $1.5 trillion government funding package that President Joe Biden signed Tuesday includes sweeping cybersecurity legislation that will require critical infrastructure operators to quickly report data breaches and ransomware payments.
The new law mandates that companies report hacks to the U.S. Department of Homeland Security within 72 hours of discovering the incident, and within 24 hours if they make a ransomware payment. FBI officials last year estimated that the bureau has visibility into a quarter of cyber incidents, resulting in a government-wide lack of information about the nature of many data breaches, the tactics of cybercriminals and the U.S. industries that are most vulnerable.
The law’s mandatory requirement is expected to give U.S. officials deeper insight into the nature of global hacking.
The legislation positions DHS’s Cybersecurity and Infrastructure Security Agency as a central hub for receiving private sector incident response reports, sharing threat data and tracking the evolution of ransomware, a pernicious issue for American business that has been difficult to quantify. Victims reported $29 million in ransomware-related losses to the FBI in 2020, the most recent figures available, compared to $406 million in extortion payments observed by the cryptocurrency-tracking firm Chainalysis Inc. during the same year.
CISA Director J