WASHINGTON: Sens. Mark Warner, D-VA, Marco Rubio, R-Fla., and Susan Collins, R-ME, unveiled today a bill that will require federal agencies, many government contractors, and critical infrastructure owners and operators to report within 24 hours of discovery of any cyber incidents “that pose a threat to national security.”
One of the bill’s goals is to “enable the development of a common operating picture of national-level cyber threats,” according to a draft shared with Breaking Defense on Tuesday evening.
The bill, titled the Cyber Incident Notification Act of 2021, marks a major step in trying to address a challenge long recognized by Congress, the US government, and many in the private sector: A deficit of cyber information sharing hinders the government’s ability to respond to major cyber incidents.
Lack of timely information also affects the ability of federal agencies, companies, and other affected entities to quickly learn about and adapt cyber defenses to real-time, ongoing cyber incidents, such as the Microsoft Exchange cyberespionage campaign earlier this year that affected some 140,000 US entities. The US government, along with a broad coalition of allies and partners, on Monday formally attributed that campaign to China.
“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion,” Warner, chairman of the Senate Select Committee on Intelligence and one of the bill’s co-sponsors, said in a press release. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”
Warner’s comments on the inadequacy of “voluntary reporting” echo sentiments he has expressed for months, including allusions to this bill.
There is currently no federal law that requires cyber incident reporting to the federal government. Some states have data breach notification laws, but those laws’ requirements often revolve around the theft of consumer financial data or personally identifiable information (PII), such as Social Security numbers, and the notifications are sent to affected consumers.
Existing data breach notification laws do not apply to incidents such as the SolarWinds cyberespionage campaign or the Colonial Pipeline ransomware attack, despite the national security implications they revealed.
The need for mandatory reporting came into focus following SolarWinds, which was voluntarily reported by cybersecurity company FireEye following the campaign’s discovery after nine months of investigation, and Colonial Pipeline, during which CISA then-Acting Director Brandon Wales told Congress his agency was not receiving the technical information it needed to communicate and respond.
The legislation enjoys broad bipartisan support, including from Intelligence Committee member Collins, who introduced an information sharing bill in 2012 that failed to gain traction. Collins characterized this bill as “common sense and long overdue.”
“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” Collins said in the press release. “Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure.”
The proposed law requires federal agencies and critical infrastructure owners and operators — as well as government contractors and subcontractors, excluding those providing housekeeping and custodial services or non-IT products or services below the micro-purchase threshold — to report cyber incidents to Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.
It instructs CISA to “establish Cyber Intrusion Reporting Capabilities to facilitate the submission of timely, secure, and confidential cybersecurity notifications.”
The bill also addresses several longtime concerns of private entities by providing “limited immunity” to reporting companies and requiring CISA to implement data security to protect PII and privacy.
Notably, the law would exempt cyber incident notifications from the Freedom of Information Act. The law would also bar notifications from being used as evidence in any civil or criminal cases against the reporting entity or being subject to subpoenas, except for legal actions brought by the federal government or congressional subpoenas for oversight, respectively.
The bill’s introduction follows the recent Senate confirmations of National Cyber Director Chris Inglis and CISA Director Jen Easterly, who both hold roles that will be central to coordinating national cyber defense in response to future incidents.
Rubio, vice chairman of the Intel Committee and one of the bill’s co-sponsors, said cyberattacks are “out of control,” and the government must take “decisive action.” He added that all US organizations should “act immediately” once an attack is discovered.
“The longer an attack goes unreported, the more damage can be done,” Rubio said in the press release. “Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible.”