Lawmakers propose mandatory incident reporting bill for critical infrastructure, cyber firms
A bipartisan group of senators on Wednesday introduced legislation that would require critical infrastructure operators, federal contractors and agencies and private cybersecurity firms to report to the government if their networks were targeted or successfully broken into by hackers.
Under the Cyber Incident Notification Act those entities would have 24 hours to report the hacks to the Cybersecurity and Infrastructure Security Agency. Companies would have to submit any updates or new information about the incidents within 72 hours.
The bill is sponsored by Senate Intelligence Committee leaders Mark Warner (D-Va.) and Marco Rubio (R-Fla.) and panel member Susan Collins (R-Maine). The proposed measure is backed by most of the members on the Intelligence panel as well as Sen. Joe Manchin (D-W.Va.), the chair of the Senate Armed Services Cybersecurity subcommittee and Jon Tester (D-Mont.), who chairs the Senate Appropriations Defense subpanel.
“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure,” Warner said in a statement. “We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”
The bipartisan legislation marks one of the biggest attempts yet by policymakers to respond to the unprecedented intrusions of software vendors SolarWinds and Kaseya and ransomware attacks against the Colonial Pipeline and meat processing giant JBS.
Lawmakers on both sides of the aisle chastised Colonial especially for not sharing data with CISA more quickly.
The new bill — like a draft of which circulated among stakeholders last month — would immunize companies from lawsuits stemming from the submission of hacks, addressing concerns about sharing potentially embarrassing or sensitive data. Cyber incident response firms, such as FireEye, would be covered by the protection.
Lawmakers inserted a provision granting CISA two business days to respond to entities that report incidents and decide whether agency officials require additional information. They also added language directing the DHS cyber wing to “consult with appropriate private stakeholders” before issuing the federal rules that will guide the overall reporting effort.
CISA would be allowed to penalize all noncompliant companies with daily penalties up to 0.5 percent of their prior-year revenue. That is a change from the draft version, which described that punishment for non-contractors but left how to discipline federal contractors up to the General Services Administration.
The latest bill also ditches a previous requirement that firms report any ransomware incidents, tailoring it to any that harms national security or involves a foreign government.
Collins, who tried to pass similar legislation back in 2012 only to face strong industry objections, called the bill “common sense and long overdue.”
“Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure,” she said in a statement.