U.S. Senator Mark Warner, Democrat of Virginia and Chairman of the Senate Select Committee on Intelligence, holds a hearing about worldwide threats, on Capitol Hill in Washington, DC, April 14, 2021.
Saul Loeb | Pool | Reuters
Sen. Mark Warner, D-Va., is readying a bipartisan bill that would require some businesses to report cyber incidents to the government so law enforcement can quickly get involved.
Warner previewed the bill during an Axios event about cybersecurity, saying he expects it to be introduced in the next couple of weeks and thinks the broad support can help it pass quickly. Recent cyberattacks against Colonial Pipeline, SolarWinds and meat supplier JBS have added a sense of urgency in dealing with such threats, which seem to be connected to people in adversarial countries like China and Russia.
The bill would require critical infrastructure businesses, federal contractors and agencies to report cyber incidents to the government, Warner said, giving law enforcement and private sector partners the chance to get involved as soon as possible during an attack.
Warner expects the business community to be receptive to the legislation.
“When we had this debate six or seven years ago, the business community did not want any additional mandatory reporting,” he said. “I think they now realize that they themselves are put in jeopardy if they don’t have mandatory reporting.”
That threat was clear in the SolarWinds attack, which was brought to the public’s attention after cybersecurity firm FireEye voluntarily disclosed a hack by what it believed to be a state-sponsored actor. Soon after, Reuters reported that hackers had accessed government agency systems through SolarWinds software updates, saying it was related to the FireEye incident. SolarWinds later disclosed 18,000 customers were impacted by the hack.
Warner said his bill would include limited immunity for businesses in connection with the reports, which would be kept confidential between the government and private sector partners.
In addition to the legislation, Warner said the U.S. needs to reset international norms by showing that adversaries who commit cyberattacks, even when the attackers aren’t government actors themselves, will pay a price.
He also said there needs to be a discussion about how ransomware, or efforts to hack and hamper systems until a ransom is paid, should be handled. As it stands, companies and other entities that are victims of such hacks often pay ransoms to get their systems back online quickly, which Warner noted could at times amount to payments to sanctioned countries. At the very least, he said, companies should perhaps be made to disclose when they do pay such ransoms.
Warner noted that some of the recent attacks could have been even worse if the attackers decided to shut down systems entirely.
“What I’ve urged people to think about is if when the Russians went in in the SolarWinds attack and got 18,000 companies they penetrated, if instead of simply exfiltrating information, they had decided to shut down all those systems,” Warner said. “That, to me, would be close to an act of war and it would have completely crippled our economy. And my fear is cyber is moving from more and more sophistication, it’s moving from simply exfiltrating information to potentially extraordinarily destructive actions and we need to up our game.”