A bipartisan group of senators introduced a new bill Thursday that would require certain organizations to notify the Cybersecurity and Infrastructure Security Agency (CISA) when they suffer a breach.
The Cyber Incident Notification Act, introduced by Sens. Mark Warner, D-Va., Marco Rubio, R-Fla. and Susan Collins, R-Maine, would give federal agencies, government contractors, and critical infrastructure owners and operators 24 hours to report breaches to CISA. Warner and Rubio chair the Senate Intelligence Committee, of which Collins is a member.
Several lawmakers have been pursuing bills on this front since February, when hearings around the SolarWinds espionage campaigns drove home that the government and public only found out about the massive hacking enterprise because a company chose to come forward. FireEye, which first identified the campaign, was under no obligation to disclose it. Had it not done so, lawmakers fear, critical infrastructure and government facilities would still be vulnerable.
“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact,” said Warner, in a press release accompanying the bill.
The Cyber Incident Notification Act will provide limited legal protections for the companies that report breaches to CISA, and require data to be anonymized.
Warner has been one of the key flag bearers of this kind of policy since the SolarWinds hearings, but efforts to create some requirements for breached entities to contact the government date back several years before CISA was an agency. In 2012, Collins and Joe Lieberman, then an independent senator from Connecticut, tried several times to institute such a rule. With broader support than 2012, including more industry buy-in, and Warner's and Rubio's backing, the Cyber Incident Notification Act immediately becomes a frontrunner for post-SolarWinds policy.
A number of questions have been raised about such a bill. Critics have asked whether CISA is the right agency, including what CISA would need to do to handle the high-bandwidth flow of information that a notification requirement would bring. There have been questions of whether all companies, not just a subset, should be required to report to the government, whether the requirement should cover only a few sectors, and whether small companies could handle the burden. In February, FireEye CEO Kevin Mandia told Congress that rather than requiring companies to report breaches, the duty should fall on all "first responders" who see a potential national security threat, including incident response firms or other contractors.
But, said Dmitri Alperovitch, co-founder of CrowdStrike who recently became executive chairman of the newly launched Silverado Policy Accelerator think tank, the new bill hits the most important point.
"Requiring timely - within 24 hours of confirmation - notification to CISA of these details will give us an opportunity to disseminate threat-related information widely to help protect other potential targets, as well as for the US government to take possible law enforcement or Cyber Command action to mitigate the attack," he said.
The bill comes the same day the House passed three cybersecurity bills, including a $500 million grant program for state and local governments to shore up security. Those bills all now head to the Senate.