Bill Would Require Federal Agencies and Contractors to Report Cyber Intrusions Within 24 Hours
The bill leaves it up to an interagency rulemaking process to determine whether entities would be required to report incidents they’re aware of but not directly involved in.
Senate Intelligence Committee Chairman Mark Warner, D-Va., has introduced legislation that would shield companies from liability associated with cybersecurity intrusions they experience in exchange for reports of such incidents that could be used to track perpetrators and mitigate the harm from major breaches across U.S. critical infrastructure.
“It seems like every day Americans wake up to the news of another ransomware attack or cyber intrusion. The SolarWinds breach demonstrated how broad the ripple effects of these attacks can be, affecting hundreds or even thousands of entities connected to the initial target,” Warner said in a press release of the legislation Wednesday. “We shouldn’t be relying on voluntary reporting to protect our critical infrastructure. We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”
The bill is cosponsored by Senate Intelligence Ranking Member Marco Rubio, R-Fla., and Susan Collins, R-Maine, along with a number of other Republicans and Democrats. It also has support from Sen. Angus King, I-Maine, co-chair of the congressionally-mandated Cyberspace Solarium Commission.
It would give freshly minted Cybersecurity and Infrastructure Security Agency Director Jen Easterly 240 days from its enactment to establish a secure way for covered—and non-covered—entities to report cyber intrusions to CISA within 24 hours of their recognition. The bill refers to this as Cyber Intrusion Reporting Capabilities.
The capabilities should enable the receipt of classified reports, the bill says, and the information submitted would be exempt from the Freedom of Information Act. It also could not be used as evidence in any civil or criminal action brought by the victim of a cybersecurity incident, except in certain cases involving the federal government. Additionally, Congress would be the only entity able to subpoena the information and lawmakers would only be able to use it for oversight purposes.
In a significant change from a draft bill Warner’s office previously circulated, the legislation introduced Wednesday leaves it up to the CISA director, the director of National Intelligence, the director of the Office of Management and Budget, the secretary of Defense and the national cyber director to determine whether federal agencies and other covered entities should be required to report incidents they’re aware of but not involved in.
Warner had the idea of treating cyber incident response firms like FireEye as emergency responders that would report on their customers’ incidents after the company voluntarily reported that hackers had infiltrated SolarWinds, a government contractor that manages the information technology of tens of thousands of entities in the public and private sectors.
The bill calls for an interim final rule, within 270 days, that will take effect without prior public notice. The final rule can be informed by public comments, under the bill.
The rulemakers should also clarify what counts—within certain parameters, such as if ransomware is involved—as a cyber intrusion and must therefore trigger a notification.
But once triggered, the bill goes into detail about what kinds of information should be included in notifications. Covered entities, at a minimum, should disclose any information such as IP addresses that could help identify the perpetrators and describe the vulnerabilities exploited as well as tactics, techniques and procedures the adversary used to execute the intrusion, for example. They should also share any action they took to mitigate the intrusion, the bill says.
If for any reason an entity is found to be in violation of the reporting requirements, the bill allows the CISA director to assess “a civil penalty not to exceed 0.5 percent of the entity’s gross revenue from the prior year for each day the violation continued or continues.” If the covered entity is a federal contractor, they could lose their business with the government.
The bill also instructs the Homeland Security secretary to provide Congress with annual reports summarizing the details of the incidents being reported and noting any changes compared to previous years. The heads of CISA and other agencies would also decide when information should be publicly disseminated, with CISA issuing monthly analyses based on what is reported.