Senators introduce bill requiring some critical groups to report cybersecurity incidents

Leaders of the Senate Intelligence Committee and other bipartisan lawmakers on Wednesday formally introduced legislation requiring federal contractors and critical infrastructure groups to report attempted breaches following months of escalating cyberattacks. 

The Cyber Incident Notification Act would require federal agencies, government contractors and groups considered critical to national security — such as hospitals, utilities, financial services and information technology groups — to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.

The bill would grant liability protections to groups that report breaches, along with anonymizing personal information of the companies involved in the incidents in order to encourage reporting. 

The bill is primarily sponsored by Senate Intelligence Committee Chairman Mark Warner (D-Va.), Vice Chairman Marco Rubio (R-Fla.) and committee member Susan Collins (R-Maine), with the measure circulating in the Senate and among stakeholders in draft format over the last month.

The issue of mandatory reporting is something that officials and industry alike have pushed for in recent months as cybersecurity threats have increased, since currently there is no federal law requiring companies to notify the federal government that they have been breached. 

“We are troubled in terms of being able to understand the depth and breadth of an intrusion based upon the fact that, for a number of good reasons, some of them obviously legal, that much of the private sector does not share this information readily,” Gen. Paul Nakasone, director of the National Security Agency and commander of U.S. Cyber Command, testified to the Senate Intelligence Committee earlier this year.

The new legislation has strong bipartisan backing, with all but three members of the Senate Intelligence Committee signing on as co-sponsors. Sen. Joe Manchin (D-W.Va.), chairman of the Senate Armed Services Cybersecurity Subcommittee, along with Sen. Jon Tester (D-Mont.), chairman of the Senate Appropriations Defense Subcommittee, are also sponsors. 

The bill is being rolled out as part of the Senate’s response to the multiple major cyberattacks in recent months including the SolarWinds hack, which allowed Russian government-linked hackers to breach nine federal agencies for most of last year, and the ransomware attacks by Russian cyber criminals on Colonial Pipeline and meat producer JBS USA in May. 

“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion,” Warner said in a statement Wednesday. “The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target.”

“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure,” he stressed. “We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”

Rubio separately described cyberattacks against critical U.S. groups as “out of control.” 

“The U.S. government must take decisive action against cybercriminals and the state actors who harbor them,” Rubio said in a statement Wednesday. “It is also critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible.”

Cybersecurity group FireEye was credited for helping shine a light on the SolarWinds hack by disclosing it had been breached as part of the massive attack in December. FireEye officials testified to the Senate Intelligence Committee that they were not legally required to do so.  

In light of the legal limitations, Collins said the bill was “common sense and long overdue.”

“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” Collins stressed in a statement Wednesday. “Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure.”