Senate Intelligence Chairman Mark Warner is sharing draft bipartisan legislation that would require critical infrastructure owners, cybersecurity incident response firms and federal contractors to report cyber intrusions to the Homeland Security Department within 24 hours.
It’s one of the earliest bills to respond to a spate of attacks that began with the SolarWinds breach and continued on through the Microsoft Exchange hack and ransomware incidents at Colonial Pipeline and meat supplier JBS. It won’t be the last, either in the House or Senate.
Warner has been pushing the idea for months. At a February hearing of Warner’s committee, the Virginia Democrat, other senators and witnesses from SolarWinds, Microsoft and FireEye discussed the idea Warner had been floating. The fear was that if FireEye hadn’t voluntarily disclosed that it was a victim of the SolarWinds supply chain hack that compromised nine federal agencies and many technology companies, the damage would’ve been more severe.
“We ought to put in place, we’ve got bipartisan legislation to do this, to require that when companies get attacked, they notify the government,” Warner said on NBC’s “Meet the Press” on June 6. “There is no requirement right now.”
The draft bill, co-sponsored by Republicans Marco Rubio of Florida and Susan Collins of Maine, would require breach notifications to DHS’s Cybersecurity and Infrastructure Security Agency. CISA would work with the director of national intelligence, the Office of Management and Budget, the Defense Department, and the Federal Chief Information Officer to write rules about who precisely would have to report what sorts of intrusions.
In addition to notification of intrusions, entities would have to provide regular updates. Both the original notification and the updates would have to include a range of information at minimum under those rules, like what networks were affected, tactics the hackers used and contact information for the victim.
Federal contractors that don’t comply with the law would face penalties up to and including no longer being eligible for future contracts. For every day they don’t comply beyond 24 hours, critical infrastructure owners or cyber incident response firms could face fines of up to 0.5% of their gross revenue from the year before.
Given the legislation’s focus on CISA, it’s likely a committee other than Warner’s would vet the bill, namely the Homeland Security and Governmental Affairs Committee. Sources familiar with the committee’s plans say the top Republican on that panel, Ohio’s Rob Portman, has been developing his own incident reporting legislation.
The House, too, has several committees working on the idea. The Cyberspace Solarium Commission also has been working on the subject. President Joe Biden’s executive order would put in place requirements for federal contractors to report incidents and the Transportation Security Administration has issued stringent reporting rules for pipeline operators, as well.
Individual states have their own breach notification laws, but they focus primarily on public disclosure of breaches that involve the compromise of sensitive personal information. Congressional efforts to write a national breach notification law have fallen short year after year.
CNN first reported on the draft of Warner’s legislation.