July 22, 2021
Washington, D.C. – U.S. Senator Susan Collins (R-ME), a senior member of the Intelligence Committee, joined Senators Mark Warner (D-VA) and Marco Rubio (R-FL) in introducing bipartisan legislation that would require federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery. Senator Angus King (I-ME), a member of the Intelligence Committee and co-chair of the Cyberspace Solarium Commission, is a co-sponsor of the bill.
Senators Collins and Warner spoke on the Senate floor today to urge their colleagues to support the bill. The legislation builds on Senator Collins’ longstanding efforts to harden cybersecurity infrastructure. In 2012, she and then-Senator Joe Lieberman (I-CT) introduced the Cybersecurity Act, which would have encouraged companies that operate critical infrastructure — such as water plants, electric companies and transportation networks — to take steps to boost the security of their computer systems and networks. It also aimed to make it easier for industry to share information about cyber threats spotted on their networks with the government. Referencing Senator Collins’ 2012 bill, Senator Warner remarked, “if we just listened earlier to the Senator from Maine, we'd be in a lot better shape today in this country.”
“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” said Senator Collins. “My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure. I urge my colleagues to pass the Cyber Incident Notification Act of 2021, which is common sense and long overdue.”
“America is among the most wired nations on the planet – from the Internet of Things to wearables to smart devices – which both creates massive benefits and dangerous vulnerabilities,” said Senator King, co-chair of the Cyberspace Solarium Commission. “As cyberattacks on U.S. businesses continue to rise, it is clear that the problem cannot be solved by the public or private sector alone. In order to better prevent and respond to cyberattacks, we must work together to create a strong relationship between the government and individual businesses. This legislation is an important step in that direction, which will help us maintain shared real-time awareness of the threats we face, accelerate our response to dangerous cyber intrusions, and prevent additional damage from being done.”
“After years of talk about how our nation needs a real public-private partnership for better cybersecurity, we finally have concrete and critical action -- the introduction of the bipartisan Cyber Incident Notification Act of 2021,” said Glenn Gerstell, former National Security Agency (NSA) General Counsel. “We can't track, or have any hope of stopping, foreign or domestic sources of cyber maliciousness unless we can find out about cyber problems quickly. This bill goes a long way in starting to solve the problem.”
“It's encouraging to see continued bipartisan Congressional recognition of CISA’s critical role as the front door for industry to engage with the U.S. government on cybersecurity,” said Chris Krebs, former Director of the Cybersecurity and Infrastructure Security Agency.
“This bill significantly advances the discussion around the need for mandatory notification of significant cyber activity to provide greater common situational awareness, better defend networks, and deepen our understanding about the scale and scope of the threat,” said Suzanne Spaulding, former Department of Homeland Security Under Secretary for Cyber and Infrastructure Protection.
The bill is in part a response to the hack of IT management firm SolarWinds, which resulted in the compromise of hundreds of federal agencies and private companies, and the May 2021 ransomware attack on the Colonial Pipeline, which halted pipeline operations temporarily and resulted in fuel shortages along the Atlantic seaboard of the United States, as well as a recent onslaught of ransomware attacks affecting thousands of public and private entities.
Under existing federal law, there is currently no requirement that individual companies disclose when they have been breached, which experts have noted leaves the nation vulnerable to criminal and state-sponsored hacking activity. The Cyber Incident Notification Act of 2021 would require federal government agencies, federal contractors, and critical infrastructure operators to notify the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) when a breach is detected so that the U.S. government can mobilize to protect critical industries across the country. To incentivize this information sharing, the bill would grant limited immunity to companies that come forward to report a breach, and instruct CISA to implement data protection procedures to anonymize personally identifiable information and safeguard privacy.
The legislation is also co-sponsored by Senate Intelligence Committee members Dianne Feinstein (D-CA), Richard Burr (R-NC), Martin Heinrich (D-NM), James Risch (R-ID), Roy Blunt (R-MO), Michael Bennet (D-CO), Bob Casey (D-PA), Ben Sasse (R-NE), and Kirsten Gillibrand (D-NY), as well as Senators Joe Manchin (D-WV) and Jon Tester (D-MT).