Warner, Collins, Cornyn Drafting Cyber Hack Reporting Bill
Senate Intelligence Committee Chairman Mark Warner, D-Va., is drafting a mandatory cyber breach reporting bill with Sens. Susan Collins, R-Maine, and John Cornyn, R-Texas, they told us this week. Ranking member Marco Rubio, R-Fla., also expressed interest. He said there’s a future for such legislation, after the Russia-linked SolarWinds hack (see 2102230064).
“People are starting to realize that when you have a breach of a certain size, one possibility is that it’s a nation state, and thus having to report to government and vice versa really makes sense,” said Collins. She introduced a similar bill in 2012 with then-Sen. Joe Lieberman, I-Conn., which failed in the Senate. Collins noted some elements of that bill have since become law but not the mandatory reporting requirement.
Cornyn confirmed the drafting of legislation with Collins and Warner. “If we’re going to protect our critical infrastructure and fend off cyberattacks, we have to know exactly what’s going on,” Cornyn said. “Right now, we’re flying blind.”
Microsoft President Brad Smith and FireEye CEO Kevin Mandia supported such requirements at last week’s SolarWinds hearings, urging support for confidentiality, saying many companies fear reputational harm. Confidentiality “makes sense,” Cornyn said Tuesday. “People don’t talk about it because they don’t want to suffer reputational harm or competitive harm, and I think those are legitimate concerns. But there ought to be a process by which we can understand what’s going on and not fly blind and not subject them to the reputational harm that they’re worried about.” Asked if there could be a window for confidentiality before the public is notified, Cornyn said, “Yeah, I don’t think we’ve figured out what the mechanism is,” but that’s something that needs to be worked out.
“We are starting the process to get something together,” said Warner. “I’m not sure we’ve agreed on the full parameters yet.” Warner has “very specific” ideas about the legislation but hasn't pitched them to Collins and Cornyn, he said. There are questions about confidentiality, liability protections and public-private initiatives, he added.
“That we wouldn’t have known about it had it not been for FireEye catching it is a big concern,” said Rubio. “So I think there’s a future for that kind of legislation.” SolarWinds was a first-of-its-kind supply chain attack, Rubio said: “I don’t think it’ll be the last. It’s deeply concerning what it could mean systemically to all kinds of organizations, including the government.”
House Homeland Security Committee Chairman Bennie Thompson, D-Miss., and ranking member John Katko, R-N.Y., said at a hearing last week that cyber notification requirements should be a legislative priority. Katko told us Wednesday he plans to revisit the issue with Thompson. “We’re in constant contact with each other. I definitely want to take a look at it, for sure.” Katko said he's unaware of the Senate efforts. Thompson said last week he will continue efforts from last year, when Democrats attached an amendment to the House-passed National Defense Authorization Act, which would have established cyber incident notification requirements but ultimately failed.
Roughly 75% of small and medium-sized businesses have experienced a cyber breach at least once, and 45% were hacked in the past year, reported USTelecom and CyberRx Thursday (see 2103040062). Splunk CEO Doug Merritt discussed the "magnitude" of the SolarWinds attack Wednesday (see 2103040004).