Officials urge Congress to consider fining companies that fail to report cyber incidents

The nation’s top cybersecurity officials on Thursday urged Congress to consider passing legislation that would fine organizations if they failed to report cybersecurity incidents to the federal government, part of an effort to do more to confront a recent spree of attacks. 

Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), testified in favor of taking the more hardline stance to encourage incident reporting during a hearing held by the Senate Homeland Security and Governmental Affairs Committee, which is considering bipartisan mandatory cyber reporting legislation. 

“I know some of the language talks about subpoena authority,” Easterly said, referring to the committee’s draft legislation. “My personal view is, that is not an agile enough mechanism to allow us to get the information that we need to share as rapidly as possible to prevent other potential victims from threat actors, so I think we should look at fines.”

Easterly stressed the need to receive threat information quickly in order to ensure that other organizations were not being attacked as part of the same operation. 

“We think that timely and relevant reporting of cyber incidents is absolutely critical to help us raise the baseline and protect the cyber ecosystem,” she said.

Both Federal Chief Information Security Officer Christopher DeRusha and National Cyber Director Chris Inglis testified alongside Easterly on Thursday, with both agreeing that further enforcement mechanisms were needed to encourage cyber incident reporting to the federal government.

“I support that view strongly,” Inglis said of Easterly’s comments. “I would observe that most of the 50 states have reporting requirements of a similar sort, and the vast majority of those have an enforcement mechanism, many of those use fines.”

“We of course don’t want to impose an unfair burden on the victims, but this information is essential for the welfare of the whole,” Inglis added. 

Their comments came in response to efforts by Committee Chairman Gary Peters (D-Mich.) around cyber incident reporting legislation he is working on alongside committee ranking member Rob Portman (R-Ohio).

“Ranking member Portman and I are currently working on legislation that we plan to introduce soon to require critical infrastructure companies that experience cyber incidents, and other entities that make ransomware payments, to report this information to CISA,” Peters said at the start of the hearing Thursday.

“This requirement will ensure CISA and other federal officials have better situational awareness of ongoing cybersecurity threats, who those targets are, how the adversary is operating, and how best to protect the nation,” Peters said.

The legislation comes after Senate Majority Leader Charles Schumer (D-N.Y.) in June called on Peters and the full Senate Homeland Security and Governmental Affairs Committee to conduct a “government-wide review” of recent massive cyberattacks on U.S. government agencies and businesses. 

These attacks included the SolarWinds hack, discovered in December, which involved Russian government-backed hackers compromising nine federal agencies and 100 private sector groups for much of 2020. 

Ransomware attacks have also become an increasing concern following separate attacks in May on Colonial Pipeline and meat producer JBS USA, along with a ransomware attack on IT group Kaseya in July that endangered up to 1,500 groups. 

After the attacks, Peters and Portman are not the only lawmakers that have proposed legislation to create mandatory cyber incident reporting, particularly as there is no federal requirement that companies report being breached by hackers. 

All but three members of the Senate Intelligence Committee introduced legislation in July that would require federal agencies, government contractors and groups considered critical to national security to report cyber incidents to CISA within 24 hours.

Bipartisan cybersecurity leaders on the House Homeland Security Committee are also considering draft legislation that would ban CISA from requiring that critical organizations report cybersecurity breaches earlier than 72 hours after such incidents occur. Key industry groups have supported this legislation, arguing that companies needed more than 24 hours to report. 

“There is a balance between getting information quickly, letting victims respond to an attack without imposing onerous requirements on them, and getting accurate information,” Portman said at the hearing Thursday. “We understand that balance, and we want to reach the right balance to be sure that we are actually doing what we intend to do, which is to both help the private sector and government agencies deal with cyberattacks.”