Warner previews breach notification bill

The chairman of the Senate Select Committee on Intelligence said he will introduce legislation to mandate that companies notify the government to major cybersecurity breaches, a promise several lawmakers have made this year.

Mark Warner SSI hearing flickr

Sen. Mark Warner (D-Va.), chairman of the Senate Select Committee on Intelligence, on Monday reiterated calls for a bipartisan breach notification law and discussions about whether ransom payments should be legal.

At a live interview hosted by the Washington Post, Warner promised legislation that would require companies to notify the federal government whenever they suffer a major cybersecurity breach. The lawmaker also called for serious discussions about whether ransomware payments should be legal. That debate has been reignited after several high-profile companies admitted to making multi-million dollar payments to criminal groups.

During hearings with Colonial Pipeline CEO Joseph Blount, most lawmakers signaled they would favor stricter statutes outright prohibiting companies from paying, or at least penalizing those that do. But others, including Anne Neuberger, the deputy national security advisor, and Blount himself have argued the choice to pay is sometimes a necessary evil.

Chris Inglis, Biden's pick to be the first national cyber director, during his nomination hearing suggested companies should not be punished for paying a ransom, but for putting themselves in a position where it was necessary.

During the event on Monday, Warner was also asked about a proposal by Russian President Vladimir Putin made during the G7 summit in London over the weekend for the U.S. to effectively agree to an extradition treaty where the two countries would swap cyber criminals their nations may be harboring.

Warner expressed skepticism about Putin's intentions but the lawmaker also said he was open to any level of international collaboration that can be made. Biden is scheduled to meet directly with Putin on Wednesday in Vienna.

Cybersecurity experts in the U.S. took Putin's proposal as less than genuine.

"This is not a serious proposal. It is unconstitutional in Russia to extradite their citizens. And Biden would do well not to take it seriously," Dmitri Alperovitch, the former Crowdstrike executive, tweeted on Sunday. "But it is a good launching pad for a serious conversation about ransomware criminals and what should be done about them."

Following the weekend's events, the White House published the G7's statement on ransomware declaring it a "longstanding global challenge."

"The international community -- both governments and private sector actors -- must work together to ensure that critical infrastructure is resilient against this threat, that malicious cyber activity is investigated and prosecuted, that we bolster our collective cyber defenses, and that States address the criminal activity taking place within their borders," according to the statement.

A White House fact sheet on the summit also said the world leaders will endorse a new "Cyber Defense Policy" for NATO that provides political, military and technical guidance to counter cybersecurity threats.