Blunt, Colleagues Introduce Bipartisan Cyber Reporting Bill Following SolarWinds and Colonial Hacks

Source: United States Senator for Missouri Roy Blunt

WASHINGTON – Today, U.S. Senator Roy Blunt (Mo.), a member of the U.S. Senate Select Committee on Intelligence, helped introduce bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery. The bill is led by U.S. Senator Mark Warner (Va.) and, in addition to Blunt, is cosponsored by U.S. Senators Marco Rubio (Fla.), Susan Collins (Maine), Richard Burr (N.C.), Martin Heinrich (N.M.), James Risch (Idaho), Dianne Feinstein (Calif.), Michael Bennet (Colo.), Angus King (Maine), Bob Casey (Pa.), Ben Sasse (Neb.), Kirsten Gillibrand (N.Y.), Joe Manchin (W.Va.), and Jon Tester (Mont.).

The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.

Under existing law, there is no federal requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.

“The sooner we know a cyberattack has occurred, the sooner we can evaluate the threat, repair the damage, and respond to a direct attack on our critical infrastructure,” said Blunt. “Missourians are rightfully concerned about the rapid rise in cyber intrusions, and it is past time for Congress to implement a routine federal standard for reporting these attacks. I’m proud to join my colleagues in introducing this bipartisan bill that will help protect Americans from cyberattacks and strengthen our nation’s efforts to hold perpetrators accountable.”

“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion,” said Warner. “The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target. We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”

“Cyberattacks against American businesses, infrastructure, and government institutions are out of control,” said Rubio. “The U.S. government must take decisive action against cybercriminals and the state actors who harbor them. It is also critical that American organizations act immediately once an attack occurs. The longer an attack goes unreported, the more damage can be done. Ensuring prompt notification will help protect the health and safety of countless Americans and will help our government track down those responsible.”

“Having a clear view of the dangers the nation faces from cyberattacks is necessary for prioritizing and acting to mitigate and reduce the threat,” said Collins. “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure. I urge my colleagues to pass the Cyber Incident Notification Act of 2021, which is common sense and long overdue.”

“After years of talk about how our nation needs a real public-private partnership for better cybersecurity, we finally have concrete and critical action — the introduction of the bipartisan Cyber Incident Notification Act of 2021,” said Glenn Gerstell, former National Security Agency (NSA) General Counsel. “We can’t track, or have any hope of stopping, foreign or domestic sources of cyber maliciousness unless we can find out about cyber problems quickly. This bill goes a long way in starting to solve the problem.”

“It’s encouraging to see continued bipartisan Congressional recognition of CISA’s critical role as the front door for industry to engage with the U.S. government on cybersecurity,” said Chris Krebs, former Director of the Cybersecurity and Infrastructure Security Agency.

“This bill significantly advances the discussion around the need for mandatory notification of significant cyber activity to provide greater common situational awareness, better defend networks, and deepen our understanding about the scale and scope of the threat,” said Suzanne Spaulding, former Department of Homeland Security Under Secretary for Cyber and Infrastructure Protection.