King: Mandatory breach disclosure bill coming soon

Sen. Angus King (I-Maine), a co-chair of the Cyberspace Solarium Commission, said he plans to propose new legislation in the coming weeks.

Sen. Angus King (I-Maine) speaks at the Naval War College in Newport, R.I., in 2016. (U.S. Navy photo by Chief Mass Communication Specialist James E. Foehl/Released)

Sen. Angus King (I-Maine), one of the chairs of the Cyberspace Solarium Commission, told reporters on Wednesday that he and other lawmakers are drafting legislation that would require private sector companies supporting critical infrastructure to notify the government if their networks are breached.

"The commission will be recommending a breach notification law applying to critical infrastructure shortly, probably within the month," he said. "There are some tricky issues that have to be worked out, proprietary details, confidentiality, liability issues… We're pretty close. We have legislation drafted and we're continuing to refine it."

King added that the commission met two weeks ago to discuss the legislation.

Private sector reporting requirements for cybersecurity breaches have taken center stage in the wake of the breach involving SolarWinds Orion. Lawmakers have taken particular issue with the fact it was the cybersecurity firm FireEye -- not the intelligence community or law enforcement -- who ultimately detected the intrusion.

The momentum to enact such a law picked up again in February when Microsoft President Brad Smith publicly advocated for it during a Senate hearing.

"Yes, I do. I think the time has come to go in that direction. I think Senator [Susan] Collins was either ahead of her time or the rest of us were behind our time," Smith said in response to a question from Sen. John Cornyn (R-Texas) about whether he'd support a reporting requirement.

While speaking to reporters, King also expressed frustration with the fact the White House has not yet nominated anyone to fill the national cyber director position, a role created by the Fiscal Year 2021 National Defense Authorization Act and recommended by the commission.

King said he understood why it will take time to establish the new office but argued the White House could begin the nomination process and continue to set up the office simultaneously.

The senator praised Anne Neuberger, the deputy national security advisor who has taken point for the White House on responding to the breach, for her performance so far, but pointed out her position on the National Security Council could be eliminated at any moment.

King cited John Bolton's decision in 2018 to eliminate the cyber coordinator position, which was also the move that largely propelled lawmakers to create the national cyber director role.