In Response to a Growing Number of Cyberattacks, Bipartisan Legislation Would Require Federal Contractors, Operators of Critical Infrastructure to Disclose Cyber Intrusions Within 24 Hours
Washington, D.C. — Colorado U.S. Senator Michael Bennet, a member of the U.S. Senate Select Committee on Intelligence, introduced bipartisan legislation requiring federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of discovery. This legislation follows a series of recent cyber breaches, from the hack of IT management firm SolarWinds, which compromised hundreds of federal agencies and private companies, to the May 2021 ransomware attack on the Colonial Pipeline, which temporarily halted pipeline operations and resulted in fuel shortages across the Eastern seaboard, to the recent onslaught of ransomware attacks affecting thousands of public and private entities.
“Cyber-attacks like SolarWinds and the Colonial Pipeline serve as sobering reminders of the national security threats we face in the 21st century,” said Bennet. “Malicious hackers can reach across continents to target federal agencies, government contractors, or other entities. Our bipartisan legislation will make sure breaches are reported as soon as they happen, helping to quickly combat the attack and protect our critical infrastructure.”
There is currently no federal requirement that individual companies disclose cyber breaches, leaving the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure owners and operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. To incent this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.
In addition to Bennet, the legislation is co-sponsored by U.S. Senators Mark Warner (D-Va.), Marco Rubio (R-Fla.), Susan Collins (R-Maine), Dianne Feinstein (D-Calif.), Richard Burr (R-N.C.), Martin Heinrich (D-N.M.), James Risch (R-Idaho), Angus King (I-Maine), Roy Blunt (R-Mo.), Bob Casey (D-Pa.), Ben Sasse (R-Neb.), Kirsten Gillibrand (D-N.Y.), Joe Manchin (D-W.Va.), and Jon Tester (D-Mont.).
“After years of talk about how our nation needs a real public-private partnership for better cybersecurity, we finally have concrete and critical action -- the introduction of the bipartisan Cyber Incident Notification Act of 2021. We can't track, or have any hope of stopping, foreign or domestic sources of cyber maliciousness unless we can find out about cyber problems quickly. This bill goes a long way in starting to solve the problem,” said Glenn Gerstell, former National Security Agency (NSA) General Counsel.
“It's encouraging to see continued bipartisan Congressional recognition of CISA’s critical role as the front door for industry to engage with the U.S. government on cybersecurity,” said Chris Krebs, former Director of the Cybersecurity and Infrastructure Security Agency.
“This bill significantly advances the discussion around the need for mandatory notification of significant cyber activity to provide greater common situational awareness, better defend networks, and deepen our understanding about the scale and scope of the threat,” said Suzanne Spaulding, former Department of Homeland Security Under Secretary for Cyber and Infrastructure Protection.
The bill text is available HERE.