Congress is moving to compel companies that operate critical infrastructure to inform federal officials of cyberattacks after years of relying on a patchy — and voluntary — reporting system that often left U.S. agencies in the dark.
Some lawmakers want banks, oil and gas companies, tech providers, utilities and others to tell the top cybersecurity agency when an attack has occurred. A draft bill backed by New York Reps. Yvette D. Clarke and John Katko — a Democrat and a Republican, respectively — would give the Cybersecurity and Infrastructure Security Agency authority to require reporting from companies across various sectors within 72 hours of finding a breach.
A similar bill in the Senate, backed by Susan Collins, R-Maine, Angus King, I-Maine, Mark Warner, D-Va., and Marco Rubio, R-Fla., was introduced in July. The latter two are the heads of their chamber’s influential Intelligence Committee.
Both bills would also require the U.S. government to share information about attacks on federal networks that are likely to affect private companies.
“The voluntary model of reporting has clearly hit its limit,” said Ron Bushar, senior vice president of FireEye Mandiant, a security research firm. While the system has offered the federal government some idea of ongoing attacks, “it’s not enough anymore,” he added.
A mandatory reporting regimen that spells out how and what to report after a cyberattack, and whom to report it to, is essential to help U.S. agencies obtain uniform information, as well as plan a response, Bushar told CQ Roll Call.
He was one of five executives representing various industries who testified in favor of the draft House bill at a hearing last week chaired by Clarke, who heads the House Homeland Security subcommittee on Cybersecurity, Infrastructure Protection and Innovation.
The effort in Congress to mandate reporting on cyberattacks comes after two major incidents involving private companies in the past six months left the federal government scrambling to fully understand the scope and scale of attacks.
The strike by Russian spies on SolarWinds, a supplier of network management software, affected at least 10 U.S. agencies and several hundred companies. The ransomware attack on Colonial Pipeline, which supplies gasoline along the East Coast, led to a shutdown of supplies and days of shortages.
The current voluntary information-sharing framework was signed into law as part of a broader appropriations measure by President Barack Obama in December 2015. A previous effort by Collins and Sen. Joe Lieberman, D-Conn., in 2012 to encourage voluntary reporting of cyberattacks failed to gain traction after the U.S. Chamber of Commerce opposed the measure.
‘A number of gaps’
Top tech executives, including Microsoft President Brad Smith, have told lawmakers in recent months that in the absence of a clear law, most companies don’t know whom to alert within the U.S. government after an attack.
The SolarWinds intrusion came to light only because FireEye publicly and voluntarily disclosed that it had itself been breached; its investigation of that breach led to the discovery of the compromised SolarWinds software.
“Our oversight revealed a number of gaps in federal authorities, policies and capabilities that Congress must address to secure its own networks and better serve its private sector partners,” Clarke said at the hearing. “But what stood out to me was how lucky we were that FireEye disclosed that it had been compromised. Where would we be if they had chosen not to?”
In the case of the Colonial Pipeline attack, the company reported it to the FBI and assumed the information would be passed on to CISA. It wasn’t, and officials at the cyber agency complained that they didn’t learn the details for days.
The House bill would give CISA about nine months after legislation passes to publish a rule specifying which critical infrastructure companies must report cyberattacks, what kinds of attacks must be reported and the format for reporting.
The bill would also create a Cyber Incident Review Office at CISA that would collect, aggregate and analyze the incident reports submitted by companies and publish a summary of its findings each quarter, giving government and industry a common picture of attacks.
At the Sept. 1 hearing led by Clarke, representatives of the American Gas Association, USTelecom, the Bank Policy Institute and the Information Technology Industry Council backed the proposal to mandate reporting of cyberattacks.
All sought assurances that the law would require CISA to keep the information companies share confidential, and that it would shield companies from lawsuits arising from their disclosure that they had been attacked. The draft bill already promises both.
The industry representatives also stressed the need to provide, at a minimum, a 72-hour window for a victim company to report to CISA.
Companies need the time “to not just identify but also to verify the validity of a cybersecurity incident before reporting,” Kimberly Denbow, managing director of security and operations at the American Gas Association, told lawmakers. “This minimizes the reporting of noncredible incidents, which can be excessive and resource-intensive.”