WASHINGTON — U.S. Senator Martin Heinrich (D-N.M.), a member of the Senate Select Committee on Intelligence, joined several of his colleagues in introducing bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery.
The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.
“The scale and complexity of recent cyber and ransomware attacks should have us all alarmed,” said Heinrich. “We will continue to be vulnerable to these attacks until we do better at sharing information. This legislation would help create common awareness of malicious cyber activity and enable the private and public sectors to work together to make the country’s cyber infrastructure more resilient and secure.”
There is currently no federal requirement that individual companies disclose when they have been breached, a gap that experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected, so that the U.S. government can mobilize to protect critical industries across the country. To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and would instruct CISA to implement data protection procedures that anonymize personally identifiable information and safeguard privacy.
In addition to Senator Heinrich, the legislation, led by U.S. Senators Mark Warner (D-Va.), Marco Rubio (R-Fla.), and Susan Collins (R-Maine), is co-sponsored by U.S. Senators Dianne Feinstein (D-Calif.), Richard Burr (R-N.C.), James Risch (R-Idaho), Angus King (I-Maine), Roy Blunt (R-Mo.), Michael Bennet (D-Colo.), Bob Casey (D-Penn.), Ben Sasse (R-Neb.), Kirsten Gillibrand (D-N.Y.), Joe Manchin (D-W. Va.), and Jon Tester (D-Mont.).
“After years of talk about how our nation needs a real public-private partnership for better cybersecurity, we finally have concrete and critical action -- the introduction of the bipartisan Cyber Incident Notification Act of 2021. We can't track, or have any hope of stopping, foreign or domestic sources of cyber maliciousness unless we can find out about cyber problems quickly. This bill goes a long way in starting to solve the problem,” said Glenn Gerstell, former National Security Agency (NSA) General Counsel.
“It's encouraging to see continued bipartisan Congressional recognition of CISA’s critical role as the front door for industry to engage with the U.S. government on cybersecurity,” said Chris Krebs, former Director of the Cybersecurity and Infrastructure Security Agency.
“This bill significantly advances the discussion around the need for mandatory notification of significant cyber activity to provide greater common situational awareness, better defend networks, and deepen our understanding about the scale and scope of the threat,” said Suzanne Spaulding, former Department of Homeland Security Under Secretary for Cyber and Infrastructure Protection.
A copy of the legislation is available here.