A bipartisan group of 14 United States senators recently introduced proposed legislation that would require federal contractors and operators of critical infrastructure to disclose any cyber intrusion within 24 hours. A copy of the proposed legislation can be found here.
Currently, there is no federally mandated reporting requirement for cyberattacks on American infrastructure targets. The newly proposed legislation is designed to prevent these attacks from going unreported and uninvestigated.
This proposed legislation, titled the “Cyber Incident Notification Act of 2021,” is a clear response to the recent attacks on Colonial Pipeline and SolarWinds and is designed “[t]o ensure timely Federal Government awareness of cyber intrusions that pose a threat to national security, enable the development of a common operating picture of national-level cyber threats, and to make appropriate, actionable cyber threat information available to the relevant government and private sector entities, as well as the public, and for other purposes.” Under the proposed legislation, federal contractors, agencies and critical infrastructure operators would be required to report cyber intrusions to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery.
While the 24-hour window for reporting is clear, the proposed legislation does not appear to clearly define what constitutes a cyber intrusion and, in particular, what constitutes a “potential” cyber intrusion. Instead, it appears the legislation would leave it to CISA and other agencies, such as the FBI, to define what events rise to the level of required notification. This could lead to confusing and inconsistent results.
Another significant consequence of the proposed legislation is that it positions CISA as the federal hub for intrusion notifications, instead of the FBI’s Internet Crime Complaint Center, which has been the de facto reporting agency to date. That said, the bill is unclear about which agency would take the lead on the actual investigation of any cyber intrusions and about how that process would work.
To incentivize federal agencies and contractors to report intrusions in a timely manner, the current version of the bill includes the following safeguards:
- Federal liability protection barring the notification from being used against the victim of the cybersecurity incident in court. This protection would not apply, however, if the lawsuit is brought by the federal government.
- The bill would exempt any pertinent information about the attack from inquiries brought under the Freedom of Information Act.
The proposed legislation also includes significant penalties for failure to make the required notifications within the specified time. First, CISA would be authorized to assess a civil penalty “not to exceed 0.5 percent of the entity’s gross revenue from the prior year for each day the violation continued or continues.” Additionally, government contractors that do not comply with the statute, if it is enacted, risk removal from the federal contracting schedules program run by the General Services Administration.
The bill is still in its initial phases, and, as of now, there has been no substantive move on corresponding legislation in the House of Representatives. If the bill passes, however, it will greatly change the way cyberattack notification is conducted for federal contractors and operators of critical infrastructure.