Congress to Speed up Efforts on Pushing out Hack Reporting Law
Photo: Sen. Mark Warner, D-Va., left, and Sen. Marco Rubio, R-Fla. (Tom Williams-Pool/Getty Images)
By Nick Koutsobinas | Saturday, 15 May 2021 12:33 PM
In light of the recent cyberattack on the Colonial Pipeline, new efforts are being spurred in Congress to get companies to report to the government when they've experienced a cyberattack.
"The United States government is completely blind to what is happening. That just weakens our overall cyber posture across our entire country," said Brandon Wales, acting director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, according to Politico.
Lawmakers in both parties are drafting legislation in response to the SolarWinds hacking campaign in December 2019, which saw nine federal agencies infiltrated along with 100 companies.
The Colonial Pipeline hack has only bolstered their efforts. Legislation is expected to be introduced within a matter of weeks by Senate Intelligence Chair Mark Warner, D-Va., and Ranking Member Sen. Marco Rubio, R-Fla., intended to provide a "public-private forum where, with appropriate immunity and confidentiality, you can — mid-incident — report, so we can make sure that it doesn't spread worse."
Securing a reporting mandate for companies like Colonial is the "tip of the iceberg of what we need to do," Rubio said.
But some companies choose not to share information with the government for fear that the leak-prone government won't protect their data, which could lead to embarrassing or actionable revelations.
The bill would centralize data that is otherwise scattered, revealing the inner workings of hackers' tradecraft. Rubio stressed that the bill is not meant to be "punitive."
The head of operations security and emergency response for the American Petroleum Institute, Suzanne Lemieux, said, "any discussion of regulation is premature until we have a full understanding of the details surrounding the Colonial attack."
There is currently no federal law requiring pipeline operators to report on cybersecurity attacks. As a guideline, the federal agency which oversees pipeline cybersecurity, the Transportation Security Administration, recommends companies tell local and federal authorities about a significant breach.
That guideline stands in stark contrast to the rules for companies that operate the electric grid, which are required to report cyberattacks or else face a $1.3 million penalty per day per violation.
President Joe Biden told reporters Thursday that the government may have to play a more significant role in boosting cybersecurity defenses in the private sector. "It's becoming clear to everyone that we have to do more than is being done now," Biden said.