Senate bill to require hack reports within 24 hours and punish violators

A bipartisan Senate bill would require federal contractors, critical infrastructure operators and digital security firms to report cyberattacks to the government within 24 hours or face the loss of their contracts and financial penalties.

The legislation from Senate Intelligence Chair Mark Warner (D-Va.), ranking Republican Marco Rubio of Florida and panel member Susan Collins (R-Maine) would direct federal agencies and covered companies to report hacks to DHS’ Cybersecurity and Infrastructure Security Agency within 24 hours and continue sharing new information within 72 hours of discovering it, according to a draft of the bill obtained by POLITICO.

To address companies’ concerns about sharing potentially embarrassing breach data — concerns that have for years hampered voluntary sharing — the bill would immunize companies from lawsuits stemming from the submission of hack reports.

The senators plan to introduce the bill as soon as next week, with other members of the intelligence panel likely to sign on, according to a Warner aide. The current draft is still being circulated to stakeholders for feedback.

The development of the new legislation, first reported by POLITICO, comes as lawmakers debate how to stem a rising tide of cyberattacks, including increasingly destructive ransomware attacks on critical firms such as Colonial Pipeline and meat processing giant JBS.

Many lawmakers have criticized Colonial for failing to quickly share data with CISA, a relatively new and under-resourced agency responsible for defending federal networks and helping critical infrastructure companies fend off hackers.

CISA officials say they urgently need more visibility into cyberattacks on U.S. businesses in order to protect both the private sector and the government.

In May, President Joe Biden signed an executive order to boost the government’s visibility into its own networks and impose reporting requirements on certain federal contractors.

Under the new Senate bill, federal contractors that don't promptly report cyber incidents could lose their contracts, while other noncompliant companies could face “financial penalties equal to 0.5 percent per day of the entity’s gross revenue from the prior year,” according to the draft bill, first reported by CNN. Agencies that don't report their own breaches would face inspector general investigations.

Critical infrastructure operators are one focus of the legislation. But its applicability to “nongovernmental entities that provide cybersecurity incident response services” is equally important, given how much data these companies — including market leaders FireEye and CrowdStrike — collect when hacking victims hire them after a breach.

The draft bill would give CISA 180 days to establish a process for collecting hack reports. It would also require the agency, along with the Justice Department and the intelligence community, to issue rules for when agencies and companies must report breaches, what information they must report and how they must preserve data associated with breaches.

At a minimum, companies would have to report incidents involving a foreign government, an “advanced persistent threat cyber actor” or a transnational organized criminal group; ransomware attacks; incidents that endanger national or economic security, public health or public confidence; incidents affecting government networks; and incidents “likely to be of significant national consequence.”

CISA, the Justice Department and the intelligence community would also have to develop a process for promptly analyzing and acting on hack reports. And they would have to submit partially public reports at least once a month on “the current cyber threat picture.”

CISA would have to report to Congress annually on the number of reports received through the new program, the specific categories of companies that must report, the types of information they must provide and any activities undertaken to mitigate discovered threats.

In addition, the agency would have to develop criteria for sector-specific regulators such as the Energy Department to report incidents involving companies in their sectors.