WASHINGTON: Sen. Mark Warner, chair of the Senate Intelligence Committee, has released a draft of his long-awaited mandatory cyber incident reporting bill. It requires certain entities to report hacks within 24 hours of their discovery.

The bill is remarkable as one of the first attempts to create a federal law mandating cyber incident reporting by some entities to the government. Reporting has historically been largely voluntary, with a few exceptions. There’s currently a hodgepodge of data breach notification laws, mostly at the state level, that require reporting certain cyber incidents, but those tend to hinge on whether US citizens’ personally identifiable information (e.g., Social Security numbers) is stolen.

Warner’s bipartisan bill is co-sponsored by Sen. Marco Rubio, ranking member on the Intelligence Committee, and Sen. Susan Collins, who is a member of the Intelligence and Appropriations Committees.

Warner’s bill arrives as cyberattacks, especially ransomware, are increasingly viewed by the government as a national security threat.

The Cyber Incident Notification Act of 2021 applies to so-called “covered entities,” which include federal agencies, government contractors, and critical infrastructure owners and operators. The bill defines federal agencies by reference to Title 44, Section 3502 of the US Code (44 U.S.C. § 3502), which covers “executive departments, military departments,” and others.

The bill makes the Cybersecurity and Infrastructure Security Agency (CISA), DHS’s lead on domestic cyber defense, the hub for receiving incident reports. It requires CISA to create “cyber incident reporting capabilities” so that it can receive notifications from covered entities.

Notably, the bill exempts cyber notifications from Freedom of Information Act requests and from subpoenas, except those issued by Congress for oversight purposes. It also bars the notifications from being used as evidence in criminal or civil actions. These measures are intended to give reporting entities a degree of confidentiality and legal protection; the absence of such protections has long been a private sector concern about reporting incidents to the government.

Warner has many times expressed the need for better cyber incident reporting and has hinted throughout the spring at his work on the legislation.

“My hope is that we can create this structure… to get an early warning system,” Warner has said. “Voluntary sharing is no longer effective.”

The SolarWinds cyberespionage campaign, first discovered and disclosed in December 2020 by cybersecurity firm FireEye, itself a victim, seems to have prompted the legislative action. The concern of Warner, others in Congress, and the government is this: If FireEye had not voluntarily disclosed the SolarWinds incident, how much longer would the campaign have persisted, and how much greater would its impact have been, given how difficult it was to detect?

As Breaking Defense readers know, the SolarWinds campaign hit at least nine civilian federal agencies and no fewer than 100 companies. SolarWinds does not appear to have affected Defense Department networks. The US officially attributed the SolarWinds campaign to the Russian Foreign Intelligence Service (SVR) and responded with sanctions and other measures.

Recent high-profile cyber incidents such as SolarWinds, the Microsoft Exchange server hacks, and the Colonial Pipeline ransomware incident have spurred a flurry of new rules this spring.

President Biden’s cyber executive order emphasizes information sharing and imposes a mandatory reporting requirement on contractors that provide IT and operational technology services to federal agencies, but that requirement does not reach private companies that own and operate critical infrastructure without being federal contractors, such as Colonial Pipeline. Warner’s bill appears to expand the types and number of entities that must report cyber incidents to CISA.

The Transportation Security Administration issued tougher requirements on pipeline owners and operators following the Colonial Pipeline ransomware incident, including a 12-hour incident reporting rule. Warner’s bill is written so as not to interfere with existing requirements, where they exist.

The Colonial Pipeline incident again revealed deficiencies in public-private information sharing after CISA Acting Director Brandon Wales told Congress his agency wasn’t getting the information it wanted from Colonial. In recent congressional testimony, Colonial’s CEO Joseph Blount defended his company’s actions.

Sens. Gary Peters and Rob Portman, chair and ranking member of the Homeland Security and Government Affairs Committee, have hinted they are also working on legislation that would require cyber incident reporting, possibly by updating the Federal Information Security Management Act, commonly known as FISMA. (FISMA was originally passed in 2002 and amended as the Federal Information Security Modernization Act in 2014.) There are also several bills with similar requirements reportedly being drafted on the House side. Details on these efforts are sparse at the moment.

It’s unclear right now whether Warner’s Intelligence Committee or another, such as Homeland Security, will take up the bill. It’s also unclear whether Warner intends to review other draft bills and somehow work with lawmakers to merge them into one.

Breaking Defense reached out to Warner’s office with questions, but did not hear back before publication.