Bipartisan legislation introduced in the Senate July 21 would require Federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of discovery.
The Cyber Incident Notification Act of 2021 was introduced by Sen. Mark Warner, D-Va. – joined by Sens. Marco Rubio, R-Fla., Susan Collins, R-Maine, and others – and comes in the wake of several high-profile cyber intrusions this year, including a supply chain-driven attack against IT management firm SolarWinds, and a ransomware attack on Colonial Pipeline.
There is currently no broad-based requirement for most companies to disclose cyber intrusions to the government.
The new legislation would require Federal agencies, contractors and critical infrastructure operators to report breaches to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). In return, the bill would grant limited immunity to companies that report breaches, and instruct “CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.”
Text of the bill says the measure would aim to “ensure timely Federal Government awareness of cyber intrusions that pose a threat to national security, enable the development of a common operating picture of national-level cyber threats, and to make appropriate, actionable cyber threat information available to the relevant government and private sector entities, as well as the public.”
Former CISA Acting Director Brandon Wales called on Congress in May to take action on requiring disclosure of cyber breaches to the Federal government “so that we can share that information and raise the baseline of cybersecurity.”
“For CISA to do its job, and for the Federal government to broadly execute the mission that the American people want us to do which is protect critical infrastructure broadly, we need information from victims of cyber incidents,” Wales said.
“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure,” said Sen. Warner in a statement. “We need a routine Federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the Federal government can be mobilized to respond to and stave off its impact.”
Joining Sens. Warner, Rubio, and Collins in co-sponsoring this bill are Sens. Dianne Feinstein, D-Calif., Richard Burr, R-N.C., Martin Heinrich, D-N.M., James Risch, R-Idaho, Angus King, I-Maine, Roy Blunt, R-Mo., Michael Bennet, D-Colo., Bob Casey, D-Penn., Ben Sasse, R-Neb., Kirsten Gillibrand, D-N.Y., Joe Manchin, D-W.V., and Jon Tester, D-Mont.
“Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure,” said Sen. Collins.