A new bipartisan bill in the Senate would require federal contractors, agencies and critical infrastructure operators to report cyber intrusions to the Cybersecurity and Infrastructure Security Agency within 24 hours of discovery.
Senate Select Committee on Intelligence Chairman Mark Warner (D-Va.) introduced the “Cyber Incident Notification Act of 2021” this week along with 14 co-sponsors, including Vice Chairman Marco Rubio (R-Fla.), most other members of the Intel Committee, and Senate Armed Services Cybersecurity Subcommittee Chairman Joe Manchin (D-W.V.). Warner has been saying since the spring that the bill was coming.
In an interview with Federal News Network, Warner said last year’s SolarWinds breach, the Colonial Pipeline ransomware shutdown in May, and this week’s attribution of cyber attacks to China all provide a strong impetus to move beyond today’s largely voluntary system for federal breach notifications, which has persisted despite past legislative efforts to mandate cyber reporting.
“We don’t have any requirement at this point that companies even report,” Warner said. “Colonial Pipeline voluntarily reported. There was another pipeline company that was attacked about the same time, and they didn’t even bother to report until literally months later. That is not a sustainable system. And while this isn’t going to solve the whole problem of cyber, it is an important first step on trying to get this right.”
The bill’s 24-hour reporting requirement covers both cybersecurity intrusions and “potential” cybersecurity intrusions. Ransomware is among the types of incidents that would have to be reported, but the legislation would otherwise leave it to CISA and other agencies to define which events rise to the level of a required notification.
“This is an area where, even within the cyber world, there’s no formal definition of incident … If there are ways to improve on this legislation, I’m wide open to improvements,” Warner said regarding any potential criticisms that the intrusion language is overly vague.
The bill positions CISA as the federal hub for reporting cyber incidents, as opposed to just notifying the FBI’s Internet Crime Complaint Center.
“I have huge respect for the FBI, but the FBI is a law enforcement agency — they’re never going to be a group that’s going to be willingly sharing information with others,” Warner said. “Some of our best assets are on the [National Security Agency] and [Cyber Command] side. But they by law are mostly relegated to defending our country outside the United States, or taking offensive actions. It’s a different part of the house than this homeland defense enterprise that CISA takes. So we think this is the right entity, but we do think there needs to be information sharing, as applicable, with the FBI, and with some of our folks on the Intel community side.”
Warner confirmed the bill will be referred to the Senate Homeland Security and Government Affairs Committee, which has jurisdiction over CISA. The committee is working on a broader breach notification bill, but Warner hopes the cyber reporting bill will move fast.
“I’m anxious to work with HSGAC on the broader bill, but I hope that ours might be able to move quicker because it’s got such broad bipartisan support with so many members of the Intel committee,” he said.
The legislation includes several incentives for industry, including liability protections barring the notification from being used against the victim of the cybersecurity incident in court, unless the lawsuit is brought by the federal government. It also exempts the information from the Freedom of Information Act.
But the bill also includes penalties for those who don’t report in time. It would authorize CISA to assess a civil penalty “not to exceed 0.5 percent of the entity’s gross revenue from the prior year for each day the violation continued or continues.”
Government contractors that don’t report incidents risk removal from the Federal Contracting Schedule under the bill. And agencies that fail to report incidents would be referred to the Inspector General for investigation.
“We’re not trying to create a ‘gotcha’ regime,” Warner said. “We’re trying to make sure that we do a better job of protecting public sector and private sector entities from not only espionage, but also from the very real threats around ransomware. And even worse, the ability for a malicious actor to come in and actually shut down systems through a denial-of-service.”
The bill would give CISA 240 days from its enactment to set up the cyber incident reporting system. CISA and other agencies would also have 270 days to come up with interim final rules for the reporting requirements.