[Congressional Record Volume 167, Number 129 (Thursday, July 22, 2021)]
[Senate]
[Pages S5032-S5034]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]
CYBER INCIDENT NOTIFICATION ACT
Mr. WARNER. Mr. President, I rise in support of the Cyber Incident
Notification Act of 2021.
I am very grateful to be joined by my colleague and friend, the
senior Senator from Maine, because on this topic I am about to
describe, she was way ahead of the curve, as she is on so many issues.
She was so far ahead of the curve as to what we are talking about now,
that if the Congress of the United States had adopted her proposals
back in 2012--back in 2012--we might not be dealing with, literally,
the catastrophic effects of cyber security incidents. We didn't, and
that is why we are putting forward the Cyber Incident Notification Act
of 2021.
It seems like, every day, Americans wake up to the news of another
ransomware attack or cyber intrusion. The SolarWinds breach, which we
learned about last December, resulted in the compromise of hundreds of
Federal Agencies and private companies. The truth was, as we
discovered, the bad guys actually got into 18,000 companies in the
SolarWinds hack. Similarly, the ransomware attack on the Colonial
Pipeline this past May resulted in gasoline and fuel shortages and
price spikes across the entire eastern seaboard, demonstrating how
broad
the ripple effects of these attacks can be.
The truth is these attacks can affect hundreds or even thousands of
entities connected to the initial target. Earlier this week, the United
States and allied governments publicly accused China's government of
conducting an extensive hacking campaign on Microsoft's email systems,
which again compromised tens of thousands of computers worldwide,
including those used by some of the world's largest companies,
contractors, and governments.
These events are finally the wake-up call that Senator Collins
predicted a decade ago, a wake-up call for many of us in Washington,
and even for those individuals who sit on these companies' boards that
have to understand now the threats and capabilities possessed by our
adversaries. These events also reveal major gaps in our Nation's effort
to combat and contain cyber threats with insufficient communication
between the private and public sectors.
These attacks and hacks demonstrate that our IT and critical
infrastructure--much of it operated, appropriately, by the private
sector--are under constant daily attack. They also demonstrate that we
need to get better insight into cyber incidents as they happen--mid-
incident--so that the U.S. Government can bring to bear its most
effective capabilities and respond rapidly to protect our critical
infrastructure systems.
We saw that recently when the FBI and the Department of Justice were
able to claw back some of the ransomware from the Colonial Pipeline
attack. With the Colonial Pipeline, what happened was we had a
responsible private sector company that notified the government,
FireEye, but we cannot rely upon the good will of private entities to
individually, case by case, decide whether they tell the government. We
need quicker and more comprehensive notification. In a sense, when an
entity is being attacked, if that sector is being attacked, we can then
notify other companies in that sector in real time.
The truth is we should have done this much earlier. In fact,
SolarWinds showed us that, when it comes to wide-scale breaches of U.S.
networks, nobody is responsible for collecting information on the scope
and scale of these attacks. This is alarming because this information
allows us to develop a full picture of what was targeted and taken,
what was at risk, and the type of techniques and tactics used by our
adversaries.
These are all issues of critical national security, but as Senator
Collins knows, under current law, there is no Federal mandate that
companies disclose when they have been breached, even if they operate
critical infrastructure. Rather, there is the hodgepodge of guidelines,
depending on the industry, which, as we have seen, at least some
companies then use as an excuse not to report or literally to create a
whole set of legal gymnastics to avoid any level of disclosure.
Unfortunately, this leaves our Nation vulnerable to criminal and state-
sponsored hacking activity.
The bottom line is we cannot just rely on voluntary reporting to
protect our critical infrastructure. We need a routine reporting
requirement so that vital sectors of our economy that are affected by a
cyber breach can have the full resources of the Federal Government and
so that the private sector can be mobilized to respond to and fight off
these attacks.
That is why I have been very proud to work not only with Senator
Collins but also the vice chair of the Intelligence Committee, Senator
Rubio, and, in total, 15 of our colleagues, bipartisan, mostly all from
the Intel Committee but also the chairman of the Defense Appropriations
Committee and the chairman--on SASC--of the Cyber Committee, to
introduce legislation this week that would require Federal Agencies,
government contractors, and the owners and operators of critical
infrastructure to report cyber intrusions within 24 hours of their
discovery.
The purpose of this legislation is to ensure that the Federal
Government is aware of and can take immediate action to mitigate cyber
intrusions that have the impact to affect our national security. Part
of that notification will be not just to let the government know but to
let others in the private sector know as well. Consequently, the
bipartisan Cybersecurity Incident Notification Act of 2021 would
require covered entities to notify the Department of Homeland
Security's Cybersecurity and Infrastructure Security Agency, or CISA,
when a breach is detected so that the U.S. Government can mobilize to
protect critical industries across our country. These covered entities
include healthcare, transportation, financial services, agriculture,
energy, and information technology sectors.
Now, the executive branch should have the flexibility to respond to
shifting threats. The bill leaves some discretion for this and future
administrations to determine whether other entities or classes of
entities should be included at a later date.
To incentivize this information sharing to take place, the bill would
grant limited immunity and confidentiality to companies that come
forward to report a breach. It would also include data protection
procedures to anonymize personally identifiable information and to,
again, safeguard privacy.
These are not liability protections that would shield network
operators, though, from negligence or misconduct. Rather, they would
help prevent companies that come forward under this legislation from
facing reputational risk just for reporting this vital information to
the government.
Ultimately, I see this kind of notification as providing value, as I
said, to the private sector as well so that we may have this common
defense. There is no way we can solve this problem with government
alone or with the private sector alone. There should not only be a
rapid public notification but, in appropriate cases, swift government
action.
Ultimately, we need to recognize that the threat landscape has
fundamentally changed from even a few years ago. A few years ago,
Senator Collins had this approach, and I think the private sector was
concerned about undue mandates. The world has changed, and even many of
the business organizations now agree that, as long as we grant that
limited immunity and confidentiality, we need to put this reporting
mechanism in place so that the public sector and the private sector can
respond.
The truth is there are literally terabytes of sensitive data out
there, including intellectual property, personal information, contract
details, and others that could be exploited. For that matter, what if
the SolarWinds attack had not been one of exploiting and taking out
information but had actually been a denial-of-service attack, which we
saw with Russia taking place against Ukraine a number of years back?
That could have taken place with SolarWinds and completely shut down
our economy, and we have all seen recently a dramatic upsurge in
ransomware.
The truth is every company and virtually every part of government is
under daily attack from these cyber criminals and, in some cases, from
foreign intelligence services. The Federal Government must have the
expertise and the willingness to share this information in real time to
make sure that we can counter this. I think this is a sensible first
step in finally putting in place the kind of broad-based cyber strategy
our country needs. So I urge my colleagues to join the 15 of us and
pass the Cyber Incident Notification Act of 2021.
Again, I note my friend, the Senator from Maine, is here. We have
been spending a lot of time together, but I really appreciate her lead
sponsorship of this legislation.
I will say it on the floor of the Senate, as I have said in so many
private settings over the last number of weeks on some other things, if
we had just listened earlier to the Senator from Maine, we would have
been in a lot better shape today in this country.
With that, I yield to my colleague, the Senator from Maine.
The PRESIDING OFFICER. The Senator from Maine.
Ms. COLLINS. Mr. President, first, let me thank my good friend and
the leader of the Senate Intelligence Committee, Chairman Warner, for
paving the way for this legislation. He cares deeply about our
country's response to these terrible cyber attacks and intrusions, and
I am so grateful for his leadership and for his working with me to
produce the Cyber Incident Notification Act of 2021.
As the chairman has mentioned, this is a bipartisan bill that is
broadly supported. It would strengthen our response to cyber attacks
and, thus, help to prevent future cyber intrusions. It would require
government Agencies, Federal contractors, and critical infrastructure
entities, which are overwhelmingly owned and operated by the private
sector and other important sectors, to notify the U.S. Government if
they become the victims of a significant cyber attack or intrusion.
This effort is a direct outgrowth of our work on the Senate
Intelligence Committee and reflects our longstanding concern regarding
the lack of timely notification of cyber attacks that can lead to
extremely serious consequences for our economy, for our national
security, and for our individual privacy.
In September of 2019, for example, Russian hackers gained access to
SolarWinds' software. This resulted in a supply chain compromise
that was downloaded by up to 18,000 of its customers. These hackers
then conducted follow-on operations that compromised 9 Federal Agencies
and 100 private-sector networks.
We did not become aware of this hack until more than a year later and
only then because a cybersecurity firm called FireEye voluntarily
notified the Federal Government and the public.
Just to reiterate that important point, FireEye was under no legal
obligation whatsoever to tell us that the software had been
compromised, even though it affected nine Federal Agencies. We are
grateful that FireEye told us about this hack, but the fact that
companies are not mandated to do so leaves our economy and national
security vulnerable to future attacks and lessens our ability to
respond effectively when such intrusions do occur.
Where would we be right now if FireEye had not voluntarily disclosed
the intrusion? Would the Russians' operation still be ongoing? How much
sooner would we have become aware of these Russian cyber operations if
key sectors were required to report cyber incidents to the U.S.
Government?
As the Senator from Virginia very kindly and generously noted, I have
long been concerned about this problem and focused on it.
In 2012, when I was the ranking member of the Senate Homeland
Security Committee, I joined with my chairman and dear friend former
Senator Joe Lieberman of Connecticut in introducing a bill called the
Cybersecurity Act of 2012. That bill would have, among other things,
addressed this gap in cyber incident reporting. Unfortunately, our bill
did not become law. How much more prepared we would be today if it had
been enacted.
My 2012 bill would have led to improved information sharing between
the private sector and the Federal Government that likely would have
reduced the impact of cyber incidents on both the government and the
private sector. Having a clear view of the dangers the Nation faces
from cyber attacks is necessary to enable both the public and the
private sector to mitigate and reduce the threat. We have just recently
seen the impact of an attack on a major pipeline. Just think what the
consequences would be of an attack that crippled our electric grid.
What we are proposing in the Cyber Incident Notification Act is
common sense and long overdue. Our bill recognizes the additional
burden that this reporting requirement places on parts of the private
sector, and so it, therefore, provides additional liability protection
for companies reporting cyber incidents and requires the government to
harmonize these new mandates with any existing reporting requirements
to help avoid duplication.
The bill also requires the government to produce analytic updates for
the government and industry practitioners regularly so that they are
aware of cyber incidents taking place and targeting their sectors. This
should be a two-way street of the exchange of information.
Let us not delay any longer in passing a robust cyber incident
notification requirement. Failure to pass this bill will only give our
adversaries more opportunity to gather intelligence on our government,
to steal intellectual property from our companies, to compromise our
personal privacy, and, most of all, to harm our critical
infrastructure.
Again, my thanks to the Senator from Virginia, the chairman of the
Intelligence Committee, for his hard work on this bill. Let's get the
job done.
I yield the floor.
I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The bill clerk proceeded to call the roll.
Mr. BARRASSO. Mr. President, I ask unanimous consent that the order
for the quorum call be rescinded.
The PRESIDING OFFICER (Mr. Schatz). Without objection, it is so
ordered.