After failing to get legislation passed into law last year requiring certain private sector entities to disclose that they've been a victim of a cyber incident, Democrats and Republicans on the House Homeland Security Committee plan to resurrect a bill on incident reporting and others are working on legislation for reporting on data breaches.
Interest in legislation around security incident reporting and data breach notifications picked up steam last week as industry officials said that the time has come for mandatory reporting requirements following a successful hack of at least dozens of federal and private sector networks using a third-party software vendor. The private sector in the past has discouraged such regulations.
"In recent days, I have been encouraged to learn of growing interest in enacting a cyber incident reporting law," Rep. Bennie Thompson (D-Miss.), chairman of the House Homeland Security Committee, said last Friday in his opening remarks on a hearing examining the private sector's role preventing and investigating the recent hack.
Thompson pointed to an amendment included in the House's version of the fiscal year 2021 National Defense Authorization Act that would have required "covered" critical infrastructure entities to report to the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on cyber incidents involving things like ransomware, social engineering and malware to occur in their networks. The amendment didn't have support in the Senate and was left out of the final defense bill.
Thompson said that the House will be "trying again this year and hope we can enact cyber incident notification legislation in short order."
Brad Smith, president of Microsoft [MSFT], told the Homeland Security, and Oversight and Reform Committees at their joint hearing that the government has to "encourage and I think even mandate that certain companies do this kind of reporting" instead of remaining silent about a hack. Industry needs to know who to report to in the government, and "CISA is a very strong candidate," he said, adding that additional components that need to be considered include the "process" for reporting and the "type of information that should be shared and when it should be shared and we need to be very careful that, in effect, we don't tell firefighters to stop fighting the fire so that they can fill out forms and meet with government officials instead."
Information sharing about threats and hacks will enable defenders to "connect the dots," Smith said, echoing earlier comments by Kevin Mandia, CEO of the cyber security firm FireEye [FEYE], who said hackers enjoy an asymmetrical advantage in that it only takes a few of them to cause dozens of defenders to sort out an incident. FireEye last December first disclosed the hack that affected it and the federal and private sector networks.
Rep. John Katko (R-N.Y.), the ranking member on the Homeland Security Committee, said, "It's not often that you hear the private sector saying that they need more government mandates. So, that I think highlights the importance and the magnitude of this problem."
Katko said he and Thompson and others will try to "make this a reality." In his prepared remarks, Katko said it remains to be seen whether the private sector should be made to report about threats or if a "hybrid" approach should be taken.
Rep. Michael McCaul (R-Texas), a member of the Homeland Security Committee, said he is working with co-member Rep. James Langevin (D-R.I.) on a bill to mandate notifications of cyber breaches.
McCaul said that companies who share information about breaches and cyber intrusions with the government don't have to risk their reputations and face liabilities. "Sources and methods and company names" can be left out of the notification and threat information could be shared with CISA, which in turn could share it across the private sector and the different levels of government.
Smith said it is "probably…an essential step" for this information to be shared and how it is tailored needs to be discussed between and among government and the private sector.
The legislation that McCaul referred to would build on an earlier bill submitted by Langevin in 2017 to establish a national data breach notification standard. That bill wasn't considered by the House.
Thompson also said that another area that needs addressing is federal contract law. He pointed out that language in federal contracts prevents contractors from discussing with Congress or even CISA when they know "about malicious activity occurring on an agency network because of restrictions agencies add in their contracts."
Microsoft's Smith agreed this is a problem.
Thompson said, "That unnecessarily complicates our oversight work, limits CISA's situational awareness, and slows recovery. I believe that is a problem we can fix quickly."