Warner Contemplates Mandatory Cyberattack Reporting Bill
WASHINGTON — The rise in profit-driven cyberattacks has prompted Senate Select Committee on Intelligence Chairman Mark Warner, D-Va., to contemplate a mandatory reporting bill so law enforcement can promptly take action on urgent threats.
Warner told Axios recently that he anticipates broad support for such upcoming legislation in light of recent events and since “our cyber vulnerabilities are now being felt by everyday Americans.”
“The Biden administration has moved aggressively, but they can only do a certain amount of things. Congress needs to act,” he said.
The government has long been concerned about cyberattacks, like those on the Colonial Pipeline, SolarWinds, and on meat supplier JBS. But Warner suggests that now may be the time to take action since the pervasiveness of ransomware — and strikes increasing in number and scope — is starting to impact things consumers can feel.
“As these ransomware attacks ramp up in volume and seriousness, it’s hitting home finally,” he said. And while people may have read about information being stolen in the past, when it impacts them directly, like with higher prices and supply chain delays, “it gets more personal.”
Warner has proposed to put forward a bill to require mandatory reporting of cyberattacks on critical infrastructure companies, federal contractors, and government agencies.
“When we had this debate six or seven years ago, the business community did not want any additional mandatory reporting,” Warner said. “I think they now realize that they themselves are put in jeopardy if we don’t have mandatory reporting.”
The bill could include limited immunity for businesses and methods to keep information confidential between the government and its private sector partners.
Warner believes that mandatory reporting, both of cyberattacks and ransomware payments, could help law enforcement to take faster and better action when vulnerabilities are leveraged.
“We’ve got to know mid-attack,” he said. “And we’ve got to set a level of international norms. This is not just attacks against American companies, the whole Irish healthcare system was shut down recently [by an attack].
“We need to make clear that if entities in [Russia and China] are attacking our critical infrastructure they will pay the penalty.”
Warner said he fears that cyber threats are transitioning from simply stealing information to potentially “extraordinary destructive actions.” If instead of merely exfiltrating information, cybercriminals move to shut down systems and cripple economies, “that, to me, would be close to an act of war,” Warner said, “and we need to up our game.”
According to Warner, it won’t solve the whole problem, but “we will have a strong bipartisan incident report legislation out within the next couple of weeks.”