
US Considers Law Requiring Companies to Report All Cyberattacks

Sunday 16 May 2021, 22:34, by Slashdot
The Colonial Pipeline cyberattack has spurred new efforts in the U.S. Congress 'to require critical companies to tell the government when they've been hacked.' Politico reports:

Even leading Republicans are expressing support for regulations after this week's chaos — a sharp change from past high-profile efforts that failed due to GOP opposition. The swift reaction from lawmakers reflects the disruptive impact of the ransomware attack on Colonial...

The vast majority of private companies don't have to report cyberattacks to any government entity — not even those, like Colonial, whose disruptions can wreak havoc on U.S. economic and national security. And often, they choose to keep quiet. That information gap leaves the rest of the country in the dark about how frequently such attacks occur and how they're perpetrated. It also leaves federal authorities without crucial information that could help protect other companies from similar attacks. Without reporting from companies, 'the United States government is completely blind to what is happening,' Brandon Wales, the acting director of DHS' Cybersecurity and Infrastructure Security Agency, told reporters on Thursday. 'That just weakens our overall cyber posture across our entire country.'

Wales said the solution was for Congress to require companies to report cyber incidents. Lawmakers of both parties told POLITICO they are crafting legislation to mandate cyberattack reporting by critical infrastructure operators such as Colonial, along with major IT service providers and any other companies that do business with the government. The planned legislation predates the pipeline attack — lawmakers began drafting it soon after learning about last year's massive SolarWinds espionage campaign, in which suspected Russian hackers infiltrated nine federal agencies and roughly 100 companies. But the Colonial strike has added urgency to the effort. The group expects to introduce the legislation within weeks, a Senate aide said. 'You couldn't have a better reason' for such a mandate than seeing the economic impact of Colonial and SolarWinds, said Senate Intelligence Chair Mark Warner (D-Va.), one of the leaders of the legislation along with Republican Sen. Marco Rubio of Florida.

Warner said the intent is to provide a 'public-private forum where, with appropriate immunity and confidentiality, you can — mid-incident — report, so we can make sure that it doesn't spread worse...' In the case of Colonial, CISA's Wales said the company did not provide the administration with technical information about the breach until Wednesday night — five days after it was reported — and even then the data was not comprehensive... Companies typically choose not to voluntarily share data with the government for legal and reputational reasons. They fear that the notoriously leak-prone government won't protect their information, leading to embarrassing and potentially actionable revelations.

Politico adds that 'The incident reporting situation has become untenable, many cybersecurity experts say,' and that 'Nation-state hackers are using vulnerable companies as springboards into their customers and partners, and criminal groups are attacking hospitals, schools and energy companies in ways that, if reported, could be tracked and prevented elsewhere.'

Read more of this story at Slashdot.
rss.slashdot.org/~r/Slashdot/slashdot/~3/Ec3URIfw0Rs/us-considers-law-requiring-companies-to-report-...