[Congressional Record Volume 167, Number 129 (Thursday, July 22, 2021)]
[Senate]
[Pages S5032-S5034]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




                    CYBER INCIDENT NOTIFICATION ACT

  Mr. WARNER. Mr. President, I rise in support of the Cyber Incident 
Notification Act of 2021.
  I am very grateful to be joined by my colleague and friend, the 
senior Senator from Maine, because on this topic I am about to 
describe, she was way ahead of the curve, as she is on so many issues. 
She was so far ahead of the curve as to what we are talking about now, 
that if the Congress of the United States had adopted her proposals 
back in 2012--back in 2012--we might not be dealing with, literally, 
the catastrophic effects of cyber security incidents. We didn't, and 
that is why we are putting forward the Cyber Incident Notification Act 
of 2021.
  It seems like, every day, Americans wake up to the news of another 
ransomware attack or cyber intrusion. The SolarWinds breach, which we 
learned about last December, resulted in the compromise of hundreds of 
Federal Agencies and private companies. The truth was, as we 
discovered, the bad guys actually got into 18,000 companies in the 
SolarWinds hack. Similarly, the ransomware attack on the Colonial 
Pipeline this past May resulted in gasoline and fuel shortages and 
price spikes across the entire eastern seaboard, demonstrating how 
broad the ripple effects of these attacks can be.
  The truth is these attacks can affect hundreds or even thousands of 
entities connected to the initial target. Earlier this week, the United 
States and allied governments publicly accused China's government of 
conducting an extensive hacking campaign on Microsoft's email systems, 
which again compromised tens of thousands of computers worldwide, 
including those used by some of the world's largest companies, 
contractors, and governments.
  These events are finally the wake-up call that Senator Collins 
predicted a decade ago, a wake-up call for many of us in Washington, 
and even for those individuals who sit on these companies' boards that 
have to understand now the threats and capabilities possessed by our 
adversaries. These events also reveal major gaps in our Nation's effort 
to combat and contain cyber threats with insufficient communication 
between the private and public sectors.
  These attacks and hacks demonstrate that our IT and critical 
infrastructure--much of it operated, appropriately, by the private 
sector--are under constant daily attack. They also demonstrate that we 
need to get better insight into cyber incidents as they happen--mid-
incident--so that the U.S. Government can bring to bear its most 
effective capabilities and respond rapidly to protect our critical 
infrastructure systems.
  We saw that recently when the FBI and the Department of Justice were 
able to claw back some of the ransomware from the Colonial Pipeline 
attack. With the Colonial Pipeline, what happened was we had a 
responsible private sector company that notified the government, 
FireEye, but we cannot rely upon the good will of private entities to 
individually, case by case, decide whether they tell the government. We 
need quicker and more comprehensive notification. In a sense, when an 
entity is being attacked, if that sector is being attacked, we can then 
notify other companies in that sector in real time.
  The truth is we should have done this much earlier. In fact, 
SolarWinds showed us that, when it comes to wide-scale breaches of U.S. 
networks, nobody is responsible for collecting information on the scope 
and scale of these attacks. This is alarming because this information 
allows us to develop a full picture of what was targeted and taken, 
what was at risk, and the type of techniques and tactics used by our 
adversaries.
  These are all issues of critical national security, but as Senator 
Collins knows, under current law, there is no Federal mandate that 
companies disclose when they have been breached, even if they operate 
critical infrastructure. Rather, there is the hodgepodge of guidelines, 
depending on the industry, which, as we have seen, at least some 
companies then use as an excuse not to report or literally to create a 
whole set of legal gymnastics to avoid any level of disclosure. 
Unfortunately, this leaves our Nation vulnerable to criminal and state-
sponsored hacking activity.
  The bottom line is we cannot just rely on voluntary reporting to 
protect our critical infrastructure. We need a routine reporting 
requirement so that vital sectors of our economy that are affected by a 
cyber breach can have the full resources of the Federal Government and 
so that the private sector can be mobilized to respond to and fight off 
these attacks.
  That is why I have been very proud to work not only with Senator 
Collins but also the vice chair of the Intelligence Committee, Senator 
Rubio, and, in total, 15 of our colleagues, bipartisan, mostly all from 
the Intel Committee but also the chairman of the Defense Appropriations 
Committee and the chairman--on SASC--of the Cyber Committee, to 
introduce legislation this week that would require Federal Agencies, 
government contractors, and the owners and operators of critical 
infrastructure to report cyber intrusions within 24 hours of their 
discovery.
  The purpose of this legislation is to ensure that the Federal 
Government is aware of and can take immediate action to mitigate cyber 
intrusions that have the impact to affect our national security. Part 
of that notification will be not just to let the government know but to 
let others in the private sector know as well. Consequently, the 
bipartisan Cybersecurity Incident Notification Act of 2021 would 
require covered entities to notify the Department of Homeland 
Security's Cybersecurity and Infrastructure Security Agency, or CISA, 
when a breach is detected so that the U.S. Government can mobilize to 
protect critical industries across our country. These covered entities 
include healthcare, transportation, financial services, agriculture, 
energy, and information technology sectors.
  Now, the executive branch should have the flexibility to respond to 
shifting threats. The bill leaves some discretion for this and future 
administrations to determine whether other entities or classes of 
entities should be included at a later date.
  To incentivize this information sharing to take place, the bill would 
grant limited immunity and confidentiality to companies that come 
forward to report a breach. It would also include data protection 
procedures to anonymize personally identifiable information and to, 
again, safeguard privacy.
  These are not liability protections that would shield network 
operators, though, from negligence or misconduct. Rather, they would 
help prevent companies that come forward under this legislation from 
facing reputational risk just for reporting this vital information to 
the government.
  Ultimately, I see this kind of notification as providing value, as I 
said, to the private sector as well so that we may have this common 
defense. There is no way we can solve this problem with government 
alone or with the private sector alone. There should not only be a 
rapid public notification but, in appropriate cases, swift government 
action.
  Ultimately, we need to recognize that the threat landscape has 
fundamentally changed from even a few years ago. A few years ago, 
Senator Collins had this approach, and I think the private sector was 
concerned about undue mandates. The world has changed, and even many of 
the business organizations now agree that, as long as we grant that 
limited immunity and confidentiality, we need to put this reporting 
mechanism in place so that the public sector and the private sector can 
respond.
  The truth is there are literally terabytes of sensitive data out 
there, including intellectual property, personal information, contract 
details, and others that could be exploited. For that matter, what if 
the SolarWinds attack had not been one of exploiting and taking out 
information but had actually been a denial-of-service attack, which we 
saw with Russia taking place against Ukraine a number of years back? 
That could have taken place with SolarWinds and completely shut down 
our economy, and we have all seen recently a dramatic upsurge in 
ransomware.
  The truth is every company and virtually every part of government is 
under daily attack from these cyber criminals and, in some cases, from 
foreign intelligence services. The Federal Government must have the 
expertise and the willingness to share this information in real time to 
make sure that we can counter this. I think this is a sensible first 
step in finally putting in place the kind of broad-based cyber strategy 
our country needs. So I urge my colleagues to join the 15 of us and 
pass the Cyber Incident Notification Act of 2021.
  Again, I note my friend, the Senator from Maine, is here. We have 
been spending a lot of time together, but I really appreciate her lead 
sponsorship of this legislation.
  I will say it on the floor of the Senate, as I have said in so many 
private settings over the last number of weeks on some other things, if 
we had just listened earlier to the Senator from Maine, we would have 
been in a lot better shape today in this country.
  With that, I yield to my colleague, the Senator from Maine.
  The PRESIDING OFFICER. The Senator from Maine.
  Ms. COLLINS. Mr. President, first, let me thank my good friend and 
the leader of the Senate Intelligence Committee, Chairman Warner, for 
paving the way for this legislation. He cares deeply about our 
country's response to these terrible cyber attacks and intrusions, and 
I am so grateful for his leadership and for his working with me to 
produce the Cyber Incident Notification Act of 2021.
  As the chairman has mentioned, this is a bipartisan bill that is 
broadly supported. It would strengthen our response to cyber attacks 
and, thus, help to prevent future cyber intrusions. It would require 
government Agencies, Federal contractors, and critical infrastructure 
entities, which are overwhelmingly owned and operated by the private 
sector and other important sectors, to notify the U.S. Government if 
they become the victims of a significant cyber attack or intrusion.
  This effort is a direct outgrowth of our work on the Senate 
Intelligence Committee and reflects our longstanding concern regarding 
the lack of timely notification of cyber attacks that can lead to 
extremely serious consequences for our economy, for our national 
security, and for our individual privacy.
  In September of 2019, for example, Russian hackers gained access to 
the SolarWinds software. This resulted in a supply chain compromise 
that was downloaded by up to 18,000 of its customers. These hackers 
then conducted follow-on operations that compromised 9 Federal Agencies 
and 100 private-sector networks.
  We did not become aware of this hack until more than a year later and 
only then because a cybersecurity firm called FireEye voluntarily 
notified the Federal Government and the public.
  Just to reiterate that important point, FireEye was under no legal 
obligation whatsoever to tell us that the software had been 
compromised, even though it affected nine Federal Agencies. We are 
grateful that FireEye told us about this hack, but the fact that 
companies are not mandated to do so leaves our economy and national 
security vulnerable to future attacks and lessens our ability to 
respond effectively when such intrusions do occur.
  Where would we be right now if FireEye had not voluntarily disclosed 
the intrusion? Would the Russians' operation still be ongoing? How much 
sooner would we have become aware of these Russian cyber operations if 
key sectors were required to report cyber incidents to the U.S. 
Government?
  As the Senator from Virginia very kindly and generously noted, I have 
long been concerned about this problem and focused on it.
  In 2012, when I was the ranking member of the Senate Homeland 
Security Committee, I joined with my chairman and dear friend former 
Senator Joe Lieberman of Connecticut in introducing a bill called the 
Cybersecurity Act of 2012. That bill would have, among other things, 
addressed this gap in cyber incident reporting. Unfortunately, our bill 
did not become law. How much more prepared we would be today if it had 
been enacted.
  My 2012 bill would have led to improved information sharing between 
the private sector and the Federal Government that likely would have 
reduced the impact of cyber incidents on both the government and the 
private sector. Having a clear view of the dangers the Nation faces 
from cyber attacks is necessary to enable both the public and the 
private sector to mitigate and reduce the threat. We have just recently 
seen the impact of an attack on a major pipeline. Just think what the 
consequences would be of an attack that crippled our electric grid.
  What we are proposing in the Cyber Incident Notification Act is 
common sense and long overdue. Our bill recognizes the additional 
burden that this reporting requirement places on parts of the private 
sector, and so it, therefore, provides additional liability protection 
for companies reporting cyber incidents and requires the government to 
harmonize these new mandates with any existing reporting requirements 
to help avoid duplication.
  The bill also requires the government to produce analytic updates for 
the government and industry practitioners regularly so that they are 
aware of cyber incidents taking place and targeting their sectors. This 
should be a two-way street of the exchange of information.
  Let us not delay any longer in passing a robust cyber incident 
notification requirement. Failure to pass this bill will only give our 
adversaries more opportunity to gather intelligence on our government, 
to steal intellectual property from our companies, to compromise our 
personal privacy, and, most of all, to harm our critical 
infrastructure.
  Again, my thanks to the Senator from Virginia, the chairman of the 
Intelligence Committee, for his hard work on this bill. Let's get the 
job done.
  I yield the floor.
  I suggest the absence of a quorum.
  The PRESIDING OFFICER. The clerk will call the roll.
  The bill clerk proceeded to call the roll.
  Mr. BARRASSO. Mr. President, I ask unanimous consent that the order 
for the quorum call be rescinded.
  The PRESIDING OFFICER (Mr. Schatz). Without objection, it is so 
ordered.

                          ____________________