Senators Introduce Bill to Require Reporting of Cyber Incidents Within 24 Hours
On July 21, 2021, U.S. Senator Mark Warner (D-Va.) and a group of bipartisan co-sponsors introduced the Cyber Incident Notification Act of 2021, which would establish a new set of breach disclosure requirements and a new reporting system with classified capabilities to support notification of cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (“CISA”) at the Department of Homeland Security.
The bill is a response to incidents like the SolarWinds and Colonial Pipeline hacks, which have put a spotlight on the national security implications of cyber incidents and the need for timely information sharing. It expands on efforts by President Biden, including the Executive Order on Improving the Nation’s Cybersecurity, to implement more expansive cyber breach notification requirements for entities that do business with the federal government. There is currently no general federal law that requires cyber incident reporting to the federal government across sectors. Most states have data breach notification laws, but those laws’ requirements typically revolve around the theft or misuse of consumer financial data or personally identifiable information, and the notifications are sent to affected consumers rather than to a federal agency.
The bill applies to “covered entities,” defined as federal agencies, government contractors, and critical infrastructure owners and operators. “Critical infrastructure” has the same meaning as given in the Critical Infrastructure Protection Act of 2001 (42 U.S.C. 5195c(e)) – systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.
Under the scheme proposed by the legislation, these entities must report to CISA within 24 hours of detection of a “cybersecurity intrusion” or “potential cybersecurity intrusion.” Covered entities would also have to provide regular updates to CISA within 72 hours of discovering new information.
The bill directs CISA, in coordination with other national security agencies, to promulgate rules establishing guidelines and clear definitions for what constitutes a reportable “cybersecurity intrusion” within 270 days from the bill’s enactment. The bill directs that the definition of “cybersecurity intrusion” shall include, at a minimum, any incident that:
- Involves or is assessed to involve a nation-state;
- Involves or is assessed to involve an advanced persistent threat cyber actor;
- Involves or is assessed to involve a transnational organized crime group (as defined in section 36 of the State Department Basic Authorities Act of 1956 (22 U.S.C. § 2708));
- Results, or has the potential to result, in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States;
- Is or is likely to be of significant national consequence;
- Is identified by covered entities but affects, or has the potential to affect, agency systems; or
- Involves ransomware.
The bill also requires that any incident report must include, at a minimum, the following:
- A description of the cybersecurity intrusion, including identification of the affected systems and networks that were, or are reasonably believed to have been, accessed by a cyber actor, and the estimated dates of when such an intrusion is believed to have occurred;
- A description of the vulnerabilities leveraged, and tactics, techniques, and procedures used, by the cyber actors to conduct the intrusion;
- Any information that could reasonably help identify the cyber actor, such as Internet protocol addresses, domain name service information, or samples of malicious software;
- Contact information for the covered entity; and
- Actions taken by the reporting entity to mitigate the intrusion.
The bill has broad bipartisan and industry support and a strong chance of being enacted by Congress.