U.S. Senator Mark Warner, Democrat of Virginia and Chairman of the Senate Select Committee on Intelligence, holds a hearing about worldwide threats, on Capitol Hill in Washington, DC, April 14, 2021.
A new bill unveiled Wednesday would make some companies tell the government when they’ve been hacked.
The bipartisan Cyber Incident Notification Act is a response to the recent attacks on SolarWinds, which impacted government agencies, and Colonial Pipeline, which disrupted American access to fuel across a large region. Since then, ransomware attacks — where hackers encrypt files until a victim pays a ransom — have proliferated.
The problem is, under federal law, companies don’t have to report these incidents. That means some incidents may occur without the government knowing, which can have serious implications if the government’s own systems are potentially implicated in an attack.
The bill introduces a new disclosure requirement for federal agencies, federal contractors and critical infrastructure companies to notify the Department of Homeland Security when they identify a breach of their systems. It also gives those companies limited immunity when they report a breach — for instance, shareholders could not gain access to the disclosed information to use as evidence in a lawsuit — and requires DHS to anonymize personally identifiable information. That way, companies can report incidents quickly and allow the government to act efficiently where needed.
Bringing cyberattacks to light
Senate Select Committee on Intelligence Chairman Mark Warner, D-Va., Vice Chairman Marco Rubio, R-Fla., and senior member Susan Collins, R-Maine, led the legislation, which responds to concerns they heard at an earlier hearing about the SolarWinds attack.
At the hearing, Microsoft President Brad Smith testified that the only reason the government and public were aware of the incident was that cybersecurity firm FireEye had reported what it believed to be a state-sponsored attack on its own systems in December. After that disclosure, Reuters reported on a potentially adversary-linked hack into U.S. agencies through SolarWinds software updates. Sources later told Reuters that the attack was linked to the FireEye incident.
The incident showed lawmakers just how easily they could have been left in the dark on a major government hack. It also revealed the obstacles companies face when deciding whether to report a cyberattack.
FireEye CEO Kevin Mandia told CNBC’s Eamon Javers in an interview at the time of that hearing that disclosure is “a damn complex issue.”
“The reason it’s a complex issue is because of all the liabilities companies face when they go public about a disclosure,” Mandia said. “They have shareholder lawsuits, they have lots of considerations of business impact. You also don’t want to unnecessarily create a lot of fear, uncertainty and doubt.”
The new bill aims to ease that fear for businesses by introducing the limited liability protection. When Warner teased the legislation in June, he said he believed the business community would be receptive to it.
“When we had this debate six or seven years ago, the business community did not want any additional mandatory reporting,” he said at the time. “I think they now realize that they themselves are put in jeopardy if they don’t have mandatory reporting.”