U.S. Senator Mark Warner, Democrat of Virginia and Chairman of the Senate Select Committee on Intelligence, holds a hearing on Global Threats at Capitol Hill in Washington, DC on April 14, 2021.
Saul Loeb | Pool | Reuters
A new bill unveiled on Wednesday would require some companies to tell the government when they were hacked.
The bipartisan Cyber Incident Notification Act is a response to recent attacks on SolarWinds, which affected government agencies, and Colonial Pipeline, which disrupted US access to fuel in a large region. Since then, ransomware attacks – where hackers encrypt files until a victim pays a ransom – have escalated.
The problem is that, under federal law, companies do not have to report these incidents. As a result, some incidents can occur without the government's knowledge, which can have serious consequences when the government's own systems may be involved in an attack.
The bill introduces a new disclosure requirement for federal agencies, federal contractors, and critical infrastructure companies to notify the Department of Homeland Security when they identify a breach of their systems. It also grants these companies limited immunity when they report a breach – for example, shareholders cannot use the reported information as evidence in a lawsuit – and requires DHS to anonymize personally identifiable information. The intent is that companies can report incidents quickly and the government can act effectively when needed.
Shine a light on cyber attacks
Senate Select Committee on Intelligence Chairman Mark Warner, D-Va., Vice-Chairman Marco Rubio, R-Fla., and Susan Collins, R-Maine, have spearheaded the legislation, which addresses concerns they heard at an earlier hearing about the SolarWinds attack.
During the hearing, Microsoft President Brad Smith said the only reason the government and the public knew about the incident was because cybersecurity firm FireEye reported what it believed to be a state-sponsored attack on its own systems in December. After this disclosure, Reuters reported a potentially adversary-related hack in US agencies via SolarWinds software updates. Sources later told Reuters that the attack was linked to the FireEye incident.
The incident showed lawmakers how easily they could have been left in the dark during a major government hack. It also revealed the hurdles businesses face when deciding whether or not to report a cyber attack.
FireEye CEO Kevin Mandia told CNBC’s Eamon Javers in an interview at the time of this hearing that disclosure is “a pretty darn complex issue.”
“The reason this is such a complex issue is because of all the responsibilities that companies face when making a disclosure public,” Mandia said. “They have shareholder lawsuits, they have a lot of business impact considerations. You don’t want to create a lot of fear and uncertainty and doubt unnecessarily either.”
The new bill aims to alleviate this fear for businesses by introducing limited liability protection. When Warner teased the legislation in June, he said he believed the business world would be receptive to it.
“When we had this debate six or seven years ago, the business world did not want additional mandatory reporting,” he said at the time. “I think they now realize that they themselves are at risk if they don’t have mandatory reporting.”