The bipartisan Cyber Incident Notification Act is a response to the recent attacks on SolarWinds, which impacted government agencies, and Colonial Pipeline, which disrupted access to fuel across a large region of the country. Since then, ransomware attacks — where hackers encrypt files until a victim pays a ransom — have proliferated.
The problem is, under federal law, companies don’t have to report these attacks. That means some attacks may occur without the government knowing, which can have serious implications if the government’s own systems are affected by the hack.
The proposed bill would introduce a new disclosure requirement for federal agencies, federal contractors and critical infrastructure companies to notify the Department of Homeland Security when they identify a breach of their systems. It also gives those companies limited immunity when they report a breach — for instance, shareholders could not gain access to the disclosed information to use as evidence in a lawsuit. It also would require DHS to anonymize personally identifiable information. That way, companies can report incidents quickly and allow the government to act efficiently where needed.
Senate Select Committee on Intelligence Chairman Mark Warner, D-Va., Vice Chairman Marco Rubio, R-Fla., and senior member Susan Collins, R-Maine, led the legislation, which responds to concerns they heard at an earlier hearing about the SolarWinds attack.
At the hearing, Microsoft President Brad Smith testified that the only reason the government and public were aware of the hack was because cybersecurity firm FireEye reported what it believed to be a state-sponsored attack on its own systems in December. After that disclosure, Reuters reported on a potentially adversary-linked hack into U.S. agencies through SolarWinds software updates. Sources later told Reuters that attack was linked to the FireEye intrusion.
The attack showed lawmakers just how easily they could have been left in the dark on a major government hack. It also revealed the obstacles companies face when deciding whether to report a cyberattack.
FireEye CEO Kevin Mandia told CNBC’s Eamon Javers in an interview at the time of that hearing that disclosure is “a damn complex issue.”
“The reason it’s a complex issue is because of all the liabilities companies face when they go public about a disclosure,” Mandia said. “They have shareholder lawsuits, they have lots of considerations of business impact. You also don’t want to unnecessarily create a lot of fear, uncertainty and doubt.”
The new bill aims to ease that fear for businesses by introducing the limited liability protection. When Warner teased the legislation in June, he said he believed the business community would be receptive to it.
“When we had this debate six or seven years ago, the business community did not want any additional mandatory reporting,” he said at the time. “I think they now realize that they themselves are put in jeopardy if they don’t have mandatory reporting.”