Leaders of the Senate Intelligence Committee and other bipartisan lawmakers have formally introduced legislation requiring federal contractors and critical infrastructure groups to report attempted breaches following months of escalating cyberattacks.
Under existing law, there is no federal requirement that individual companies disclose when they have been breached, a gap that experts say leaves the nation vulnerable to criminal and state-sponsored hacking activity. The bipartisan Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected, so that the U.S. government can mobilize to protect critical industries across the country.
To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.
The legislation is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.
John Hellickson, Cyber Executive Advisor, Coalfire, says, "If passed, a covered entity that will be subject to these requirements will need to establish a formal and structured program that is above and beyond most incident response procedures that an organization has. Considering a violation of these requirements could result in 'a civil penalty not to exceed 0.5 percent of the entity's gross revenue from the prior year for each day the violation continued or continues', such a formal program will also require close coordination with an organization's legal department. An impacted organization will also need to enact procedures similar to legal eDiscovery processes in order to preserve the data tied to such a reportable incident."
Hellickson adds, "The positive side of the bill includes provisions that participating organizations shall receive 'recommended actions to mitigate the impact of the breach or intrusion; and provide information on methods of securing the system or systems against future breaches or intrusions.' However, the usefulness of this collaboration will depend on whether the information is provided back to the organization in a timely fashion in order to minimize the overall impact of such attacks."