Lawmakers line up behind potential cyber breach notification legislation

House lawmakers on both sides of the aisle expressed strong support Friday for legislation to put in place national breach notification requirements in the wake of a massive foreign cyber espionage attack.

Both House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and ranking member John Katko (R-N.Y.) threw their weight behind pursuing cyber breach notification legislation during a joint hearing with the House Oversight and Reform Committee.

“In recent days, I have been encouraged to learn of growing interest in enacting a cyber incident reporting law,” Thompson said. “We look forward to trying again this year and hope we can enact cyber incident notification legislation in short order.”

Katko described the lack of a national breach reporting law as a “gap.”

“Our federal agencies are often operating in the dark, instead of having access to the aggregate data regarding the tactics, techniques, and procedures of bad actors,” he said. “As we move forward, we must consider approaches to close this gap.”

The concerns come after what were likely Russian hackers compromised at least nine federal agencies and 100 private companies through infiltrating software updates at IT group SolarWinds and through other methods of attack.

The hack, which took place early last year, was not discovered until FireEye stepped forward in December to report they had been breached, spurring federal and congressional investigations that are ongoing. Agencies including the Commerce, Defense, Homeland Security, Justice and State departments were breached. 

FireEye CEO Kevin Mandia confirmed to the Senate Intelligence Committee earlier this week that FireEye was not legally required to reveal the cyber incident, and that many companies impacted as part of the Russian cyberattack had not come forward. 

Concerns that the federal government would still be unaware of the hack, one of the largest in U.S. history, have spurred efforts on Capitol Hill this week to address cyber incident reporting with legislation, an effort that has been ongoing for decades. 

“It was the private sector that uncovered this attack — not our own government,” Oversight and Reform Chairwoman Carolyn Maloney (D-N.Y.) said during the Friday hearing. “Specifically, FireEye discovered it, reported its findings, and shared it with the world. Had FireEye not taken that action, the attack could very well be fully up-and-running today.”

Legislation is already in the pipeline. House Foreign Affairs Committee ranking member Michael McCaul (R-Texas) announced Friday that he and Rep. Jim Langevin (D-R.I.), the chair of the House Armed Services Committee’s cybersecurity subcommittee, are working on a bill to create “mandatory breach notification.”

McCaul noted that the bill would involve removing “sources and methods and names” out of notifications and sending them to the Cybersecurity and Infrastructure Security Agency (CISA).

“It would just simply send the threat information itself to CISA so they could deal both with industrywide and federal governmentwide and state the threat information they would need to address it on a larger scale,” McCaul said during the hearing.

A spokesperson for Langevin told The Hill that the legislation would be based on legislation he originally introduced in 2017 to establish a national breach notification law. 

The new bill will incorporate input from the Cyberspace Solarium Commission, a group established by Congress made up of lawmakers and other officials that released a report on ways to defend the nation in cyberspace last year, including the idea of breach notification. 

Both Mandia and Microsoft President Brad Smith testified in favor of a breach notification rule to the Senate Intelligence Committee earlier this week, with both hammering on this commitment to the House committees on Friday.

“I think that would be an important step, I think the time has come to recognize that it is probably an essential step, and I think the precise tailoring, something along the lines of what you just described, is exactly the type of conversation we need to have,” Smith testified in response to McCaul and Langevin’s potential legislation.

Other key members of the House also expressed support for the idea of legislation in this space. 

Rep. Yvette Clarke (D-N.Y.), the chair of the House Homeland Security Committee’s cybersecurity panel, pointed out that breach notification was an issue that “fell out” of the 2021 National Defense Authorization Act during negotiations with the Senate.

“I intend to take a close look at this issue again and I am heartened to see that there is so much momentum behind it,” Clarke said during the hearing. “As anyone who has been working on this issue for a while knows, the devil’s in the details.”

SolarWinds President and CEO Sudhakar Ramakrishna testified at the joint House hearing on Friday and urged Congress to consider designating or creating a federal group to take on compiling breach notification reports, with Clarke suggesting CISA.

“Having a single entity for which all of us can report to will solve the fundamental purpose of speed and agility in this process,” Ramakrishna said. “Information is very fragmented, and oftentimes the dots are not connected because they are separate.”

“You really cannot oftentimes determine exactly what is going on until you connect all of those dots, and today this information is in separate silos,” Smith added. “I would say, let’s solve the problem that needs to be solved, which is the cybersecurity protection for the country.”