A bipartisan group of 15 senators is pushing legislation to force federal agencies, government contractors and critical infrastructure entities to disclose breaches of their cyber defenses.
Fed up with an onslaught of hacks and attacks hitting federal networks and disrupting businesses, the lawmakers are pursuing a more hands-on approach to private-sector cybersecurity via the “Cyber Incident Notification Act of 2021.”
The proposed law directs federal agencies and companies to disclose cyber intrusions to the Cybersecurity and Infrastructure Security Agency within 24 hours of confirmation of a breach or suspected breach.
Sen. Mark Warner, Virginia Democrat and chairman of the Senate Intelligence Committee, introduced the legislation with several other intelligence committee members, including the committee’s top-ranking Republican, Sen. Marco Rubio of Florida.
“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure,” Mr. Warner said in a statement. “We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond and stave off its impact.”
Mr. Warner cited the SolarWinds hack of computer network management software, which compromised nine federal agencies. The U.S. government has said the Russian Foreign Intelligence Service (SVR) was responsible for the attack.
The scale of hacks and attacks has grown since the SolarWinds breaches became public late last year. In recent months, cyberattackers have disrupted major U.S. fuel supplier Colonial Pipeline and major meat producer JBS, among many other targets outside the government.
This week, the U.S. government blamed China for a series of malicious cyber hacks and attacks. On Tuesday, the Biden administration revealed that China started breaching oil and gas companies nearly a decade ago so that China could develop the capability it needed to disrupt U.S. pipeline operations.
Mr. Rubio said forcing prompt notifications of cyber breaches will help the government track down the attackers.
“Cyberattacks against American businesses, infrastructure and government institutions are out of control,” Mr. Rubio said in a statement. “The U.S. government must take decisive action against cyber criminals and the state actors who harbor them. It is also critical that American organizations act immediately once an attack occurs.”
The proposal has bipartisan support, but previous bills with similar goals have failed in years past. However, the new legislation has key co-sponsors outside of the intelligence committee who occupy other important positions in Congress, particularly Sen. Joe Manchin III, West Virginia Democrat, who oversees cybersecurity within the Senate Armed Services Committee, and Sen. Jon Tester, Montana Democrat, who leads the Senate Appropriations Subcommittee on Defense.
Sen. Susan Collins, Maine Republican who co-sponsored the legislation, has advocated for laws aiming to increase communication between the federal government and private sector for several years. She introduced a proposal with former Sen. Joe Lieberman, Connecticut independent, in 2012 that hit a roadblock from Republicans worried about new regulations and the creation of new layers of bureaucracy.
Ms. Collins said Wednesday that she thinks Congress cannot afford to wait any longer to address cyberattack information-sharing.
“My 2012 bill would have led to improved information sharing with the federal government that likely would have reduced the impact of cyber incidents on both the government and the private sector,” she said in a statement. “Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure.”
• Guy Taylor contributed to this report.