Bipartisan legislation was introduced Wednesday in an effort to make cyber intrusion reporting a federal requirement, partly in response to the hacking incidents that affected the Colonial Pipeline, information technology management firm SolarWinds and other public and private entities.
Sen. Mark Warner, chairman of the Senate Select Committee on Intelligence and three-time Wash100 Award winner; Sen. Marco Rubio, vice chairman of the committee; and Sen. Susan Collins, a senior committee member, presented the Cyber Incident Notification Act of 2021 that seeks to require federal agencies, government contractors and critical infrastructure owners and operators to inform the Cybersecurity and Infrastructure Security Agency (CISA) of cyber intrusions within 24 hours of their discovery.
The reports are expected to support the government's efforts in safeguarding critical industries. Currently, individual companies are not required to report when they have been subjected to hacking activities.
"We shouldn't be relying on voluntary reporting to protect our critical infrastructure," said Sen. Warner. "We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."
Meanwhile, Sen. Rubio noted that more damage can be done to American businesses, infrastructure, and government institutions when an attack goes unreported for a longer period of time.
Sen. Collins added, "Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure."
The bill also seeks to incentivize information sharing by granting limited immunity to companies that report a breach and by ensuring the protection of privacy and personally identifiable information.
Twelve other senators co-sponsored the legislation.