Senators introduce bill requiring some critical groups to report cybersecurity incidents

Senators introduce bill requiring some critical groups to report cybersecurity incidents
© iStock

Leaders of the Senate Intelligence Committee and other bipartisan lawmakers on Wednesday formally introduced legislation requiring federal contractors and critical infrastructure groups to report attempted breaches following months of escalating cyberattacks. 

The Cyber Incident Notification Act would require federal agencies, government contractors and groups considered critical to national security — such as hospitals, utilities, financial services and information technology groups — to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.

The bill would grant liability protections to groups that report breaches, along with anonymizing personal information of the companies involved in the incidents in order to encourage reporting. 

ADVERTISEMENT

The bill is primarily sponsored by Senate Intelligence Committee Chairman Mark WarnerMark Robert WarnerAdvocates call on top Democrats for 0B in housing investments Democrats draw red lines in spending fight Manchin puts foot down on key climate provision in spending bill MORE (D-Va.), Vice Chairman Marco RubioMarco Antonio RubioMilley says calls to China were 'perfectly within the duties' of his job Overnight Defense & National Security — Milley becomes lightning rod Joint Chiefs Chairman Milley becomes lightning rod on right MORE (R-Fla.) and committee member Susan CollinsSusan Margaret CollinsWelcome to ground zero of climate chaos A tale of two chambers: Trump's power holds in House, wanes in Senate Bipartisan blip: Infrastructure deal is last of its kind without systemic change MORE (R-Maine), with the measure circulating in the Senate and among stakeholders in draft format over the last month.

The issue of mandatory reporting is something that officials and industry alike have pushed for in recent months as cybersecurity threats have increased, since currently there is no federal law requiring companies to notify the federal government that they have been breached. 

“We are troubled in terms of being able to understand the depth and breadth of an intrusion based upon the fact that, for a number of good reasons, some of them obviously legal, that much of the private sector does not share this information readily,” Gen. Paul Nakasone, director of the National Security Agency and commander of U.S. Cyber Command, testified to the Senate Intelligence Committee earlier this year.

The new legislation has strong bipartisan backing, with all but three members of the Senate Intelligence Committee signing on as co-sponsors. Sen. Joe ManchinJoe ManchinManchin suggests pausing talks on .5 trillion package until 2022: report Biden pushes back at Democrats on taxes Yarmuth and Clyburn suggest .5T package may be slimmed MORE (D-W.Va.), chairman of the Senate Armed Services Cybersecurity Subcommittee, along with Sen. Jon TesterJonathan (Jon) TesterDemocrats say Biden must get more involved in budget fight Senate backers of new voting rights bill push for swift passage The Hill's 12:30 Report - Presented by Facebook - Polls open in California as Newsom fights for job MORE (D-Mont.), chairman of the Senate Appropriations Defense Subcommittee, are also sponsors. 

The bill is being rolled out as part of the Senate’s response to the multiple major cyberattacks in recent months including the SolarWinds hack, which allowed Russian government-linked hackers to breach nine federal agencies for most of last year, and the ransomware attacks by Russian cyber criminals on Colonial Pipeline and meat producer JBS USA in May. 

ADVERTISEMENT

“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion,” Warner said in a statement Wednesday. “The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target.”

“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure,” he stressed. “We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”

Rubio separately described cyberattacks against critical U.S. groups as “out of control.” 

“The U.S. government must take decisive action against cybercriminals and the state actors who harbor them,” Rubio said in a statement Wednesday. “It is also critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible.”

Cybersecurity group FireEye was credited for helping shine a light on the SolarWinds hack by disclosing it had been breached as part of the massive attack in December. FireEye officials testified to the Senate Intelligence Committee that they were not legally required to do so.  

In light of the legal limitations, Collins said the bill was “common sense and long overdue.”

“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” Collins stressed in a statement Wednesday. “Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure.”