A bipartisan contingent of 14 senators on Wednesday introduced a bill requiring federal agencies, government contractors and critical infrastructure owners and operators to report cyber breaches of their networks within a day of discovery.
The bill follows increasing calls and interest from Democratic and Republican lawmakers in the House and Senate reacting to a spate of espionage and ransomware attacks against the federal government, the private sector and critical infrastructure in the U.S. There is also increased backing for mandatory breach notification reporting from some in industry, which traditionally has opposed such requirements.
“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion,” Sen. Mark Warner (D-Va.), chairman of the Senate Intelligence Committee and a lead sponsor of the bill, said in a statement. “The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target. We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”
The SolarWinds [SWI] breach refers to a Russian hack of a Texas-based software company whose network management platform is widely used. That incident, which was discovered last December, was believed to be espionage-driven.
This year there have been two high-profile ransomware attacks against companies in the U.S. In May, a Russia-based criminal group used a ransomware attack against pipeline operator Colonial Pipeline that led to the company temporarily pausing operations. That incident was followed shortly by a ransomware attack against Brazilian food processing giant JBS, leading to the temporary shutdown of some operations in Australia, Canada and the U.S.
The Cyber Incident Notification Act of 2021 would require affected entities to notify the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) of a breach. Even under the current voluntary disclosures, the private sector wants a single place in the federal government to report cyber incidents rather than having to work through multiple agencies at the same time.
The bill would also provide incentives for reporting by granting limited liability protections to companies that disclose incidents. Another incentive for reporting in the bill is a requirement that CISA establish data and privacy protection procedures for the information it receives.
If the bill becomes law, CISA would have 240 days to establish the cyber intrusion reporting structure.
Federal authorities have said that the more companies report cyber incidents, the easier it is to connect the dots related to cyber events and stop the spread of a malicious campaign.
“There are multiple tools within our organizations and our partners in order to interdict and stop in real time some of these victimizations that are occurring, not only within the network itself but in terms of the transfer of the funds that have been taken by these illicit actors,” Jeremy Sheridan, assistant director of the Office of Investigations at the U.S. Secret Service, told a House Homeland Security panel on Thursday. “Within the Secret Service, we have our global rapid response and incident tracking team that is able to domestically stop wire transfers if notified within a certain amount of time.”
Rep. Elissa Slotkin (D-Mich.), chairwoman of the Intelligence and Counterterrorism subcommittee, interjected, “If notified.”
Sheridan said yes, “If notified.”
Additional sponsors of the incident reporting bill include Sens. Marco Rubio (R-Fla.), ranking member of the Intelligence Committee, Susan Collins (R-Maine), Richard Burr (R-N.C.), Martin Heinrich (D-N.M.), James Risch (R-Idaho), Angus King (I-Maine), Roy Blunt (R-Mo.), Michael Bennet (D-Colo.), Bob Casey (D-Pa.), Ben Sasse (R-Neb.), Kirsten Gillibrand (D-N.Y.), Joe Manchin (D-W.Va.), and Jon Tester (D-Mont.).
Similar legislation is being considered in the House.