Companies are pushing to narrow legislation that would require them to report cyberattacks to the U.S. government, as a series of hacks has added momentum to a nearly decadelong effort in Congress to approve such a law.
Emerging proposals in the House and Senate offer competing visions for how businesses operating most U.S. critical infrastructure would feed information to the Cybersecurity and Infrastructure Security Agency, which could then share it across the public and private sectors. Several businesses and trade associations have called for tightly defining the kind of hacks covered by legislation as well as a 72-hour period for reporting incidents, instead of the 24-hour period a Senate bill proposes, according to people familiar with the matter.
“The last thing you want to be doing is providing incomplete information or incorrect information before you don’t really know what’s going on,” said John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, a trade group supporting a reporting window of at least 72 hours.
The group, which represents tech companies including Alphabet Inc.’s Google, Amazon.com Inc. and Oracle Corp., also wants liability protections for companies that report incidents and exemptions from Freedom of Information Act requests about them.
House Homeland Security Committee staffers are drafting a bill, provisions of which they hope to include in next year’s defense spending package, an aide said. A hearing on the bill is slated for Sept. 1.
Industry groups previously opposed such proposals, fearing divulged information could help hackers plan future attacks and could invite lawsuits and regulatory scrutiny. But the breach of federal agencies through SolarWinds Corp. software last year prompted a change of heart among some businesses, as it exposed a lack of visibility into digital supply chains that provide hackers multiple ways into individual targets, lobbyists and trade groups said.
U.S. officials learned of the hack in December after cybersecurity firm FireEye, Inc. voluntarily reported its computer systems had been breached. Authorities have since called for companies to share more information as hackers this year disrupted software providers, hospitals and the largest gas pipeline on the East Coast.
“[SolarWinds] kind of really hammered home the notion of needing to work together,” said Mr. Miller.
A lobbying firm representing Microsoft Corp., Booz Allen Hamilton Holding Corp. and Accenture PLC has also spoken with congressional staffers, according to people familiar with the matter. Booz Allen and Microsoft, which has previously voiced support for mandatory reporting, declined to comment. Accenture didn’t respond to a request for comment.
Clearly defining incidents that need to be reported will be critical for U.S. officials processing the information, said Grant Geyer, chief product officer at industrial cybersecurity firm Claroty Ltd., which has held talks with House staffers working on a bill. Rules should apply to hacks posing “material risk to confidentiality, integrity, availability, safety or resiliency” of critical infrastructure, Mr. Geyer said.
“A tight definition of a cyber incident would be essential so that CISA is not chasing after a plethora of false positives,” he said.
A bill introduced in the Senate last month, the Cyber Incident Notification Act of 2021, would require federal agencies, designated critical infrastructure companies and cyber incident response firms to report hacks “not later than 24 hours after the confirmation of a cybersecurity intrusion or potential cybersecurity intrusion.” Hacks thought to be carried out by nation-state actors or transnational crime groups and attacks threatening national security would be included.
The bill in the Senate would protect companies from legal liability, shield incident reports from FOIA requests and require CISA to establish privacy protections for personal data. The bill would also allow CISA’s director, currently Jen Easterly, to fine firms up to 0.5% of their previous-year revenue for each day they break the rules. Representatives for Sen. Mark Warner (D., Va.), who introduced the bipartisan bill with 14 other senators, didn’t respond to requests for comment.
House staffers drafting legislation envision a longer reporting window and would give CISA leeway to impose a time frame and flesh out incident thresholds, such as disruptions to company operations and attacks that compromise networks.
The House draft legislation would let CISA subpoena companies to obtain information and make referrals to regulators and the attorney general, but it doesn’t include fines, aides said. It also shields companies from legal liability and FOIA requests.
Either bill could pressure CISA to walk a fine line, House aides said, as it would become a regulator relying on voluntary participation in other security initiatives, such as a recently announced information-sharing group with cloud providers, telecom companies and cyber firms. Overly aggressive enforcement or vague rules could hinder such partnerships, the aides added.
President Biden told CISA in a May executive order to recommend language requiring vendors to the federal government to report cyber incidents. Congressional staffers and lobbyists say that guidance could act as a blueprint for how the agency interprets a law encompassing critical infrastructure companies.
CISA has made the recommendations, said Eric Goldstein, the agency’s executive assistant director for cybersecurity. He didn’t offer additional details.