Bipartisan legislation introduced in the Senate on July 21 would require federal agencies, government contractors, and owners and operators of critical infrastructure to report cyber intrusions within 24 hours of their discovery.
The Cyber Incident Notification Act of 2021 was introduced by Senator Mark Warner, D-Va., joined by Sens. Marco Rubio, R-Fla., Susan Collins, R-Maine, and others. It comes in the wake of several high-profile cyber intrusions this year, including a supply chain-focused attack on IT management company SolarWinds and a ransomware attack on Colonial Pipeline.
There is currently no general requirement for most businesses to disclose computer intrusions to the government.
The new legislation would require federal agencies, contractors and critical infrastructure operators to report breaches to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). In return, the bill would grant limited immunity to companies that report breaches and require “CISA to implement data protection procedures to anonymize personally identifiable information and protect confidentiality.”
The text of the bill indicates that the measure would aim to “ensure timely awareness by the federal government of cyber intrusions that constitute a threat to national security, allow the development of a common operational picture of cyber threats at the national level and make appropriate and actionable cyber threat information available to relevant government and private entities, as well as to the public.”
Former CISA Acting Director Brandon Wales called on Congress in May to take action to demand disclosure of cyber breaches to the federal government “so that we can share this information and raise the cybersecurity base.”
“In order for the CISA to do its job and for the federal government to broadly carry out the mission that the American people want us to do, which is to protect critical infrastructure at large, we need information about victims of cyber incidents,” said Wales.
“We should not rely on voluntary reporting to protect our critical infrastructure,” Senator Warner said in a statement. “We need a routine federal standard so that when vital sectors of our economy are affected by a breach, all federal government resources can be mobilized to respond and avoid its impact.”
Senators Dianne Feinstein, D-Calif., Richard Burr, R-N.C., Martin Heinrich, D-N.M., James Risch, R-Idaho, Angus King, I-Maine, Roy Blunt, R-Mo., Michael Bennet, D-Colo., Bob Casey, D-Penn., Ben Sasse, R-Neb., Kirsten Gillibrand, D-N.Y., Joe Manchin, D-W.Va., and Jon Tester, D-Mont., join Senators Warner, Rubio and Collins in co-sponsoring this bill.
“Failure to put in place a strong cyber incident notification requirement will only give our adversaries more opportunities to gather intelligence about our government, steal intellectual property from our businesses and harm our critical infrastructure,” said Senator Collins.