Senate Intelligence panel working on legislation around mandatory cyber breach notification

The Senate Intelligence Committee is working on a bill to create some form of limited data breach mandatory reporting for the private sector, with the goal of preventing future major foreign cyberattacks on critical organizations. 

Committee Chairman Mark Warner (D-Va.) said Tuesday that the legislation had grown out of public and private hearings held by the committee following the SolarWinds breach, which was believed to be carried out by Russian hackers and compromised nine federal agencies. 

The federal government was made aware of the massive breach only when cybersecurity group FireEye, also compromised by the hackers, came forward in December to report the incident voluntarily, a move that wasn’t legally required. 

“This is what the committee is working on in a very bipartisan way,” Warner said during a virtual event hosted by the U.S. Chamber of Commerce. “Can we create a structure that would allow some limited mandatory reporting for government contractors and critical infrastructure that doesn’t get to the full data breach negotiations?”

Warner compared the potential structure for reporting breaches to the federal government to the National Transportation Safety Board, which investigates transportation-related accidents but with an emphasis on the need to catch a breach midincident.  

“Can we create legislation that would be broadly embraced by both parties, supported by the vast majority of the private sector … to make sure that, while we cannot give an absolute guarantee that SolarWinds-type supply chain attacks are fully prevented, that when they do take place, we’ve got in a sense an early warning system that can alert across industry sectors, private sector and public sector?” Warner said. 

He noted that the committee had been working with both the Biden administration and the intelligence community on developing the legislation. 

Warner also stressed the need for more transparency around breaches and to create clear “red lines” in cyberspace in order to push back against foreign cyberattacks, in particular those from Russia and China, and working with allied nations on both issues. 

“If we have this level of norm creation and something that goes beyond the United States in terms of incident notification, we can put our adversaries, their services particularly, on notice so that if our adversaries violate those norms and we can find appropriate attribution, there will be consequences for their actions,” Warner said. 

“Right now, our failure to have norms, our failure to have a more robust notification system in existence, candidly, that failure has allowed in many ways Russia and China to launch cyberattacks with virtual impunity,” he noted. 

While there was not clear timing for when the legislation might be introduced, Warner said he was “very optimistic that it will be broadly bipartisan with broad industry support.”

The discussion of legislation comes as cyber threats have ramped up during the first few months of the Biden administration. 

In addition to the SolarWinds hack, one of the worst cyber espionage incidents in U.S. history, Microsoft announced in March that at least one Chinese state-sponsored hacking group was exploiting newly uncovered vulnerabilities in its Exchange Server application, potentially compromising thousands of organizations. 

Last week, officials announced that multiple federal agencies had again been compromised as a result of hackers exploiting vulnerabilities in Ivanti’s Pulse Connect Secure products.  

Following the increased cyber activity amid the pandemic, lawmakers and other officials have increasingly pushed for breach notification standards, with multiple committees in the House and Senate exploring the idea. 

Industry has also called for breach notification, including the leaders of FireEye and Microsoft, along with leading intelligence officials.

Reps. Jim Langevin (D-R.I.) and Michael McCaul (R-Texas) are also working on breach notification legislation, with McCaul saying at a House hearing in February that the bill would send information on data breaches from the private sector to the Cybersecurity and Infrastructure Security Agency (CISA) in a quasi-anonymous way. 

“It would just simply send the threat information itself to CISA so they could deal both with industrywide and federal governmentwide and state the threat information they would need to address it on a larger scale,” McCaul said in February. 

Warner emphasized Tuesday the need to introduce legislation to address the ongoing threat of cyberattacks as soon as possible and that cyber threats were a global issue.

“I think we can rally the world to make sure that when our adversaries do take these actions they have to pay a meaningful price,” Warner said.