Debate Heats Up as Senator Prepares to Introduce Incident-Reporting Legislation
Reviews are in on draft legislation Sen. Mark Warner’s office has circulated and plans to update for introduction after the holiday break.
On returning from the July 4 recess, Sen. Mark Warner, D-Va., plans to introduce an updated version of legislation he’s drafted requiring federal agencies, government contractors and certain other critical infrastructure providers to report on cyber intrusions they experience and to assist in their investigation.
Government contractors would risk losing their contracts and non-government contractors would risk fines for failure to comply with the legislation.
“We continue to have discussions with other members and committees as well as with industry and the White House, and expect to introduce an updated version of the legislation following the July 4 recess,” Warner’s spokesperson told Nextgov.
Warner, chair of the Senate Intelligence Committee, discussed the need for the legislation during a Feb. 23 hearing the committee held following the compromise of several federal agencies and scores more private organizations in connection with a trojanized update unwittingly distributed by the widely used IT management firm SolarWinds.
He said if it weren’t for the cybersecurity firm then known as FireEye publicly reporting the event, the government might still be unaware of it because there are no laws requiring federal contractors to disclose such cybersecurity incidents.
There are sector-specific federal laws requiring breach notification in cases where personally identifiable information is exposed. The SolarWinds campaign drew attention to incidents where that narrow category of information may not be involved but where there may be a threat to economic or national security. Subsequent high-profile incidents such as the ransomware attack on Colonial Pipeline have bolstered the push for some form of federal incident reporting law, but critics of the Warner draft say it risks overly broad collection of information and doesn’t set clear criteria for what should trigger an incident report.
“That was intentional,” the Warner spokesperson said in response to criticism about the draft being too vague. “We need to balance the compulsory reporting requirement with the burden on the reporting entities, which is why the legislation mandates the reporting requirement, but defers to the executive branch on the specific implementation details.”
Warner’s Cyber Incident Notification Act of 2021 gives primary responsibilities to the secretary of Homeland Security and the director of DHS’ Cybersecurity and Infrastructure Security Agency. It differs significantly from a proposal the congressionally mandated Cyberspace Solarium Commission shared with the Senate’s Homeland Security and Government Affairs Committee about a month ago.
The Solarium Commission’s incident reporting proposal, which was made available to Nextgov, also has a lot in common with the Warner proposal. They both offer a level of liability protection for organizations reporting information on cybersecurity incidents through a central federal capability. In the case of the Warner bill, that capability would be established at CISA.
Both proposals also leave a lot up to rulemaking processes, including what kind of information should be reported and when, but set out certain must-haves such as incidents involving ransomware.
The Solarium Commission’s proposal sets criteria around the exposure of a certain amount of sensitive information describing specific national security systems. It also directly addresses the SolarWinds event by saying reports should be made about “unauthorized access to a software build system, software development system, or any other such system that develops, manages, or distributes software updates to proprietary hardware or software.”
A Democratic aide familiar with efforts to craft incident response legislation in the House said that’s one important place where the Warner proposal is different.
“The Solarium approach has been to look at broad-based incident reporting but with a pretty narrow definition, with things like data breach, you know, ransomware, things that are quite easily defined, [there is] not a lot of fuzziness,” the aide said, noting a provision that requires incidents assessed to be related to a nation-state to be reported. “Who determines that?” the aide said.
In the case of SolarWinds, it was FireEye that made that determination and Warner has compared such firms to emergency first responders in saying they should be required to report such incidents affecting their customers.
But that creates another concern for Harley Geiger, senior director of public policy for the cybersecurity firm Rapid7. “The [Warner] draft seems to obligate third parties to report incidents they discover, but which actually happened to another entity,” he said.
During the Intelligence Committee hearing, FireEye CEO Kevin Mandia testified that firms like his responding to cybersecurity incidents could help address the liability concerns of organizations where cyber intrusions occur.
“If there’s public attribution that said, ‘SolarWinds was compromised by a nation-state,’ good enough,” Mandia said. “It takes the wind out of the sails of all the plaintiffs’ lawsuits that we all get when we get compromised, and we tell the world about it.”
But Geiger said, “As written, [the Warner draft] risks disincentivizing needed incident response services, and creating potential conflicts and confusion between cyber incident responders and affected organizations. The affected organization should be ultimately responsible for reporting their own incidents.”
Geiger was also concerned about what the Democratic House aide referred to as the “signal to noise ratio” the Warner draft would create by being overly broad in outlining criteria that would trigger a report.
“The [Warner] draft includes reporting ‘potential’ cybersecurity incidents,” Geiger said. “This should be much more narrow to avoid clogging the incident reporting system with useless junk. Organizations face potential attacks frequently—some are false positives, are insignificant, or are easily defended. Reporting all this would be burdensome for organizations, as well as for government agencies tasked with doing something useful with the reports. CISA has limited resources—let’s focus those resources on the wheat and avoid the chaff.”