Debate Heats Up as Senator Prepares to Introduce Incident-Reporting Legislation

Sen. Mark Warner, D-Va., speaks with reporters upon returning to the Capitol after a meeting with President Joe Biden at the White House in Washington, Thursday, June 24, 2021. A bipartisan group of lawmakers have negotiated a plan to pay for an estimated $1 trillion compromise plan. (AP Photo/Alex Brandon)

Reviews are in on draft legislation Sen. Mark Warner’s office has circulated and plans to update for introduction after the holiday break.

On returning from the July 4 recess, Sen. Mark Warner, D-Va., plans to introduce an updated version of legislation he’s drafted requiring federal agencies, government contractors and certain other critical infrastructure providers to report on cyber intrusions they experience and to assist in their investigation.

Government contractors would risk losing their contracts and non-government contractors would risk fines for failure to comply with the legislation.

“We continue to have discussions with other members and committees as well as with industry and the White House, and expect to introduce an updated version of the legislation following the July 4 recess,” Warner’s spokesperson told Nextgov.

Warner, chair of the Senate Intelligence Committee, discussed the need for the legislation during a Feb. 23 hearing the committee held following the compromise of several federal agencies and scores more private organizations in connection with a trojanized update unwittingly distributed by the widely used IT management firm SolarWinds.

He said if it weren’t for the cybersecurity firm then known as FireEye publicly reporting the event, the government might still be unaware of it because there are no laws requiring federal contractors to disclose such cybersecurity incidents. 

There are sector-specific federal laws requiring breach notification in cases where personally identifiable information is exposed. The SolarWinds campaign drew attention to incidents where that narrow category of information may not be involved but where there may be a threat to economic or national security. Subsequent high-profile incidents such as the ransomware attack on Colonial Pipeline have bolstered the push for some form of federal incident reporting law, but critics of the Warner draft say it risks overly broad collection of information and doesn’t set clear criteria for what should trigger an incident report.

“That was intentional,” the Warner spokesperson said in response to criticism about the draft being too vague. “We need to balance the compulsory reporting requirement with the burden on the reporting entities, which is why the legislation mandates the reporting requirement, but defers to the executive branch on the specific implementation details.” 

Warner’s Cyber Incident Notification Act of 2021 gives primary responsibilities to the secretary of Homeland Security and the director of DHS’ Cybersecurity and Infrastructure Security Agency. It differs significantly from a proposal the congressionally mandated Cyberspace Solarium Commission shared with the Senate’s Homeland Security and Government Affairs Committee about a month ago. 

The Solarium Commission’s incident reporting proposal, which was made available to Nextgov, also has a lot in common with the Warner proposal. They both offer a level of liability protection for organizations reporting information on cybersecurity incidents through a central federal capability. In the case of the Warner bill, that capability would be established at CISA. 

Both proposals also leave a lot up to rulemaking processes, including what kind of information should be reported and when, but set out certain must-haves such as incidents involving ransomware.

The Solarium Commission’s proposal sets criteria around the exposure of a certain amount of sensitive information describing specific national security systems. It also directly addresses the SolarWinds event by saying reports should be made about “unauthorized access to a software build system, software development system, or any other such system that develops, manages, or distributes software updates to proprietary hardware or software.”   

A Democratic aide familiar with efforts to craft incident response legislation in the House said that’s one important place where the Warner proposal is different. 

“The Solarium approach has been to look at broad-based incident reporting but with a pretty narrow definition, with things like data breach, you know, ransomware, things that are quite easily defined, [there is] not a lot of fuzziness,” the aide said, noting a provision that requires incidents assessed to be related to a nation-state to be reported. “Who determines that?” the aide said.

In the case of SolarWinds, it was FireEye that made that determination and Warner has compared such firms to emergency first responders in saying they should be required to report such incidents affecting their customers. 

But that creates another concern for Harley Geiger, senior director of public policy for the cybersecurity firm Rapid7. “The [Warner] draft seems to obligate third parties to report incidents they discover, but which actually happened to another entity,” he said. 

During the Intelligence Committee hearing, FireEye CEO Kevin Mandia testified that firms like his responding to cybersecurity incidents could help address the liability concerns of organizations where cyber intrusions occur.  

“If there's public attribution that said, ‘SolarWinds was compromised by a nation-state,’ good enough,” Mandia said. “It takes the wind out of the sails of all the plaintiffs' lawsuits that we all get when we get compromised, and we tell the world about it.”

But Geiger said, “As written, [the Warner draft] risks disincentivizing needed incident response services, and creating potential conflicts and confusion between cyber incident responders and affected organizations. The affected organization should be ultimately responsible for reporting their own incidents.”

Geiger was also concerned about what the Democratic House aide referred to as the “signal to noise ratio” the Warner draft would create by being overly broad in outlining criteria that would trigger a report.

“The [Warner] draft includes reporting ‘potential’ cybersecurity incidents,” Geiger said. “This should be much more narrow to avoid clogging the incident reporting system with useless junk. Organizations face potential attacks frequently—some are false positives, are insignificant, or are easily defended. Reporting all this would be burdensome for organizations, as well as for government agencies tasked with doing something useful with the reports. CISA has limited resources—let’s focus those resources on the wheat and avoid the chaff.”  
