Senate cyber bill would require immediate reporting of cyber intrusions

U.S. Sens. Mark Warner (D-VA), Marco Rubio (R-FL), and Susan Collins (R-ME) introduced Wednesday the Cyber Incident Notification Act of 2021, which seeks to make it mandatory for federal agencies, government contractors, and critical infrastructure to report cyber intrusions to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.

Legislators cited the SolarWinds and Colonial Pipeline attacks of the past year as partial inspirations for the bill. In the first, IT management firm SolarWinds was hacked, compromising details of hundreds of federal agencies and private companies alike; in the second, a ransomware attack halted Colonial Pipeline operations for days, causing fuel shortages along the East Coast.

Under current law, companies are not required to disclose when they have been breached.

“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion,” Warner said. “The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target. We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”

Warner, Rubio, and Collins agreed that reporting is necessary so the U.S. government can mobilize defensive efforts and protect critical industries. In return, limited immunity would be provided to companies that report a breach. CISA would then be required to create data protection procedures to anonymize personally identifiable information and protect privacy.

“Cyberattacks against American businesses, infrastructure, and government institutions are out of control,” Rubio said. “The U.S. government must take decisive action against cybercriminals and the state actors who harbor them. It is also critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible.”

The legislation’s three sponsors were joined by a dozen fellow lawmakers as co-sponsors.

Chris Galford
