The Cyber Incident Notification Act of 2021 is a draft breach notification bill circulated by a bipartisan group of senators last June. The bill would require federal agencies, government contractors, and companies deemed essential to U.S. national security to report data breaches and other security incidents to the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours of discovery. On July 21, an amended version of the bill was formally introduced in the Senate.
Senators Mark Warner (D-VA), Susan Collins (R-ME), and Marco Rubio (R-FL) introduced the bill, and 12 more senators from both parties have since added their names to it.
The bill responds to several concerns raised by recent cyberattacks on U.S. critical infrastructure, including the SolarWinds Orion supply chain attack and the ransomware attacks on Colonial Pipeline and JBS.
According to Sen. Warner, the SolarWinds breach showed how far the ripple effects of such attacks can reach, affecting hundreds or even thousands of organizations connected to the initial target. Relying on voluntary reporting is not enough to safeguard critical infrastructure; there should be a mandatory federal standard so that whenever essential sectors of the economy are hit by a breach, the full resources of the federal government can be brought to bear to respond and limit the damage.
The goal of the bill is to ensure that the federal government learns promptly of cyberattacks that pose a risk to national security, allowing it to build a common operating picture of cyber threats at the national level.
Security incidents that would require notification to CISA include those that:
- Involve or are suspected to involve a nation-state, an Advanced Persistent Threat (APT) actor, or a transnational organized crime group.
- Could harm U.S. national security interests, foreign relations, or the American economy.
- Have significant national consequences, such as affecting civil liberties, public confidence, or the public health and safety of U.S. citizens.
- Have the potential to affect CISA systems.
- Involve ransomware.
When reporting a security incident or cyber threat, organizations would have to include a description of the incident, the systems and networks affected, an estimated date of occurrence, information on any vulnerabilities exploited, and any tactics, techniques, and procedures (TTPs) identified. Actionable threat data would then be shared with government and private sector organizations and with the public so they can act promptly to counter the risk. The bill gives CISA 48 hours to act on an incident report and request further details about the security event.
To encourage organizations to report, the bill includes liability protections for breached entities against lawsuits that might arise from sharing breach information, and it permits personal information to be anonymized in breach reports.
The bill directs the Department of Homeland Security to work with other federal agencies to develop the reporting requirements and to harmonize them with the regulatory requirements in force on the date of enactment.
Failure to report a security incident to CISA could be penalized, at the discretion of the Administrator of the General Services Administration. The maximum financial penalty would be 0.5% of gross revenue for the prior fiscal year. Another possible sanction is removal from federal contracting schedules.
According to Sen. Rubio, it is crucial that American companies act quickly as soon as an attack occurs. The longer a cyberattack goes unreported, the more damage it can cause. Ensuring prompt reporting will help protect the health and safety of many Americans and will help the government identify those responsible.