Sens. Mark R. Warner (D-VA), Marco Rubio (R-FL) and Susan Collins (R-ME) have introduced legislation requiring federal agencies, government contractors and infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery.
The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.
Under existing law, there is no federal requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country.
To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.
“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion. The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target,” said Sen. Warner. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”
“Cyberattacks against American businesses, infrastructure, and government institutions are out of control. The U.S. government must take decisive action against cybercriminals and the state actors who harbor them. It is also critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible,” Sen. Rubio said.
“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” said Sen. Collins. “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure. I urge my colleagues to pass the Cyber Incident Notification Act of 2021, which is common sense and long overdue.”
In addition to Sens. Warner, Rubio and Collins, the legislation is co-sponsored by Senate Intelligence Committee members Sens. Dianne Feinstein (D-CA), Richard Burr (R-NC), Martin Heinrich (D-NM), James Risch (R-ID), Angus King (I-ME), Roy Blunt (R-MO), Michael Bennet (D-CO), Bob Casey (D-PA), Ben Sasse (R-NE), and Kirsten Gillibrand (D-NY), along with Sen. Joe Manchin (D-WV), Chairman of the Senate Armed Services Subcommittee on Cybersecurity, and Sen. Jon Tester (D-MT), Chairman of the Senate Appropriations Subcommittee on Defense.
“After years of talk about how our nation needs a real public-private partnership for better cybersecurity, we finally have concrete and critical action – the introduction of the bipartisan Cyber Incident Notification Act of 2021. We can’t track, or have any hope of stopping, foreign or domestic sources of cyber maliciousness unless we can find out about cyber problems quickly. This bill goes a long way in starting to solve the problem,” said Glenn Gerstell, former National Security Agency general counsel.
“It’s encouraging to see continued bipartisan Congressional recognition of CISA’s critical role as the front door for industry to engage with the U.S. government on cybersecurity,” said Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency.
“This bill significantly advances the discussion around the need for mandatory notification of significant cyber activity to provide greater common situational awareness, better defend networks, and deepen our understanding about the scale and scope of the threat,” said Suzanne Spaulding, former Department of Homeland Security Under Secretary for Cyber and Infrastructure Protection.