Blunt, Colleagues Introduce Bipartisan Cyber Reporting Bill Following SolarWinds and Colonial Hacks


WASHINGTON – Today, U.S. Senator Roy Blunt (Mo.), a
member of the U.S. Senate Select Committee on Intelligence, helped introduce
bipartisan legislation requiring federal agencies, government contractors, and
critical infrastructure owners and operators to report cyber intrusions within
24 hours of their discovery. The bill is led by U.S. Senator Mark Warner (Va.)
and, in addition to Blunt, is cosponsored by U.S. Senators Marco Rubio (Fla.),
Susan Collins (Maine), Richard Burr (N.C.), Martin Heinrich (N.M.), James Risch
(Idaho), Dianne Feinstein (Calif.), Michael Bennet (Colo.), Angus King (Maine),
Bob Casey (Pa.), Ben Sasse (Neb.), Kirsten Gillibrand (N.Y.), Joe Manchin
(W.Va.), and Jon Tester (Mont.).

The legislation is in part a response to the hack of IT management firm SolarWinds,
which resulted in the compromise of hundreds of federal agencies and private
companies, and the May 2021 ransomware attack on the Colonial Pipeline, which
halted pipeline operations temporarily and resulted in fuel shortages along the
Atlantic seaboard of the United States, as well as a recent onslaught of
ransomware attacks affecting thousands of public and private entities.

Under existing law, there is currently no federal requirement that individual
companies disclose when they have been breached, which experts have noted
leaves the nation vulnerable to criminal and state-sponsored hacking activity.
The bipartisan Cyber Incident Notification Act of 2021 would require federal
government agencies, federal contractors, and critical infrastructure operators
to notify the Department of Homeland Security’s Cybersecurity and
Infrastructure Security Agency (CISA) when a breach is detected so that the
U.S. government can mobilize to protect critical industries across the country.
To incentivize this information sharing, the bill would grant limited immunity
to companies that come forward to report a breach, and instruct CISA to
implement data protection procedures to anonymize personally identifiable
information and safeguard privacy.

“The sooner we know a cyberattack has occurred, the sooner we can evaluate the
threat, repair the damage, and respond to a direct attack on our critical
infrastructure,” said Blunt. “Missourians are rightfully concerned about
the rapid rise in cyber intrusions, and it is past time for Congress to
implement a routine federal standard for reporting these attacks. I’m proud to
join my colleagues in introducing this bipartisan bill that will help protect
Americans from cyberattacks and strengthen our nation’s efforts to hold
perpetrators accountable.”

“It seems like every day Americans wake up to the news of another ransomware attack
or cyber intrusion,” said Warner. “The SolarWinds breach demonstrated
how broad the ripple effects of these attacks can be, affecting hundreds or
even thousands of entities connected to the initial target. We shouldn’t be
relying on voluntary reporting to protect our critical infrastructure. We need
a routine federal standard so that when vital sectors of our economy are
affected by a breach, the full resources of the federal government can be
mobilized to respond to and stave off its impact.”

“Cyberattacks against American businesses, infrastructure, and government institutions are
out of control,” said Rubio. “The U.S. government must take decisive
action against cybercriminals and the state actors who harbor them. It is also
critical that American organizations act immediately once an attack occurs. The
longer an attack goes unreported, the more damage can be done. Ensuring prompt
notification will help protect the health and safety of countless Americans and
will help our government track down those responsible.”

“Having a clear view of the dangers the nation faces from cyberattacks is necessary to
prioritizing and acting to mitigate and reduce the threat,” said Collins.
“My 2012 bill would have led to improved information sharing with the federal
government that likely would have reduced the impact of cyber incidents on both
the government and the private sector. Failure to enact a robust cyber
incident notification requirement will only give our adversaries more
opportunity to gather intelligence on our government, steal intellectual
property from our companies, and harm our critical infrastructure. I urge
my colleagues to pass the Cyber Incident Notification Act of 2021, which is
common sense and long overdue.”

“After years of talk about how our nation needs a real public-private partnership for
better cybersecurity, we finally have concrete and critical action — the
introduction of the bipartisan Cyber Incident Notification Act of 2021,” said
Glenn Gerstell, former National Security Agency (NSA) General Counsel.
“We can’t track, or have any hope of stopping, foreign or domestic sources of cyber
maliciousness unless we can find out about cyber problems quickly. This bill
goes a long way in starting to solve the problem.”

“It’s encouraging to see continued bipartisan Congressional recognition of CISA’s
critical role as the front door for industry to engage with the U.S. government
on cybersecurity,” said Chris Krebs, former Director of the Cybersecurity
and Infrastructure Security Agency.

“This bill significantly advances the discussion around the need for mandatory
notification of significant cyber activity to provide greater common
situational awareness, better defend networks, and deepen our understanding
about the scale and scope of the threat,” said Suzanne Spaulding, former
Department of Homeland Security Under Secretary for Cyber and Infrastructure
Protection.

A copy of the legislation can be found here.




