The Congressional Record is a unique source of public documentation. It started in 1873, documenting nearly all the major and minor policies being discussed and debated.
“CYBER INCIDENT NOTIFICATION ACT” mentioning Susan M. Collins was published in the Senate section on pages S5032-S5034 on July 22.
Of the 100 senators in the 117th Congress, 24 percent were women, and 76 percent were men, according to the Biographical Directory of the United States Congress.
The publication is reproduced in full below:
CYBER INCIDENT NOTIFICATION ACT
Mr. WARNER. Mr. President, I rise in support of the Cyber Incident Notification Act of 2021.
I am very grateful to be joined by my colleague and friend, the senior Senator from Maine, because on this topic I am about to describe, she was way ahead of the curve, as she is on so many issues. She was so far ahead of the curve as to what we are talking about now, that if the Congress of the United States had adopted her proposals back in 2012--back in 2012--we might not be dealing with, literally, the catastrophic effects of cyber security incidents. We didn't, and that is why we are putting forward the Cyber Incident Notification Act of 2021.
It seems like, every day, Americans wake up to the news of another ransomware attack or cyber intrusion. The SolarWinds breach, which we learned about last December, resulted in the compromise of hundreds of Federal Agencies and private companies. The truth was, as we discovered, the bad guys actually got into 18,000 companies in the SolarWinds hack. Similarly, the ransomware attack on the Colonial Pipeline this past May resulted in gasoline and fuel shortages and price spikes across the entire eastern seaboard, demonstrating how broad the ripple effects of these attacks can be.
The truth is these attacks can affect hundreds or even thousands of entities connected to the initial target. Earlier this week, the United States and allied governments publicly accused China's government of conducting an extensive hacking campaign on Microsoft's email systems, which again compromised tens of thousands of computers worldwide, including those used by some of the world's largest companies, contractors, and governments.
These events are finally the wake-up call that Senator Collins predicted a decade ago, a wake-up call for many of us in Washington, and even for those individuals who sit on these companies' boards that have to understand now the threats and capabilities possessed by our adversaries. These events also reveal major gaps in our Nation's effort to combat and contain cyber threats with insufficient communication between the private and public sectors.
These attacks and hacks demonstrate that our IT and critical infrastructure--much of it operated, appropriately, by the private sector--are under constant daily attack. They also demonstrate that we need to get better insight into cyber incidents as they happen--mid-incident--so that the U.S. Government can bring to bear its most effective capabilities and respond rapidly to protect our critical infrastructure systems.
We saw that recently when the FBI and the Department of Justice were able to claw back some of the ransomware from the Colonial Pipeline attack. With the Colonial Pipeline, what happened was we had a responsible private sector company that notified the government, FireEye, but we cannot rely upon the good will of private entities to individually, case by case, decide whether they tell the government. We need quicker and more comprehensive notification. In a sense, when an entity is being attacked, if that sector is being attacked, we can then notify other companies in that sector in real time.
The truth is we should have done this much earlier. In fact, SolarWinds showed us that, when it comes to wide-scale breaches of U.S. networks, nobody is responsible for collecting information on the scope and scale of these attacks. This is alarming because this information allows us to develop a full picture of what was targeted and taken, what was at risk, and the type of techniques and tactics used by our adversaries.
These are all issues of critical national security, but as Senator Collins knows, under current law, there is no Federal mandate that companies disclose when they have been breached, even if they operate critical infrastructure. Rather, there is the hodgepodge of guidelines, depending on the industry, which, as we have seen, at least some companies then use as an excuse not to report or literally to create a whole set of legal gymnastics to avoid any level of disclosure. Unfortunately, this leaves our Nation vulnerable to criminal and state-sponsored hacking activity.
The bottom line is we cannot just rely on voluntary reporting to protect our critical infrastructure. We need a routine reporting requirement so that vital sectors of our economy that are affected by a cyber breach can have the full resources of the Federal Government and so that the private sector can be mobilized to respond to and fight off these attacks.
That is why I have been very proud to work not only with Senator Collins but also the vice chair of the Intelligence Committee, Senator Rubio, and, in total, 15 of our colleagues, bipartisan, mostly all from the Intel Committee but also the chairman of the Defense Appropriations Committee and the chairman--on SASC--of the Cyber Committee, to introduce legislation this week that would require Federal Agencies, government contractors, and the owners and operators of critical infrastructure to report cyber intrusions within 24 hours of their discovery.
The purpose of this legislation is to ensure that the Federal Government is aware of and can take immediate action to mitigate cyber intrusions that have the impact to affect our national security. Part of that notification will be not just to let the government know but to let others in the private sector know as well. Consequently, the bipartisan Cybersecurity Incident Notification Act of 2021 would require covered entities to notify the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, or CISA, when a breach is detected so that the U.S. Government can mobilize to protect critical industries across our country. These covered entities include healthcare, transportation, financial services, agriculture, energy, and information technology sectors.
Now, the executive branch should have the flexibility to respond to shifting threats. The bill leaves some discretion for this and future administrations to determine whether other entities or classes of entities should be included at a later date.
To incentivize this information sharing to take place, the bill would grant limited immunity and confidentiality to companies that come forward to report a breach. It would also include data protection procedures to anonymize personally identifiable information and to, again, safeguard privacy.
These are not liability protections that would shield network operators, though, from negligence or misconduct. Rather, they would help prevent companies that come forward under this legislation from facing reputational risk just for reporting this vital information to the government.
Ultimately, I see this kind of notification as providing value, as I said, to the private sector as well so that we may have this common defense. There is no way we can solve this problem with government alone or with the private sector alone. There should not only be a rapid public notification but, in appropriate cases, swift government action.
Ultimately, we need to recognize that the threat landscape has fundamentally changed from even a few years ago. A few years ago, Senator Collins had this approach, and I think the private sector was concerned about undue mandates. The world has changed, and even many of the business organizations now agree that, as long as we grant that limited immunity and confidentiality, we need to put this reporting mechanism in place so that the public sector and the private sector can respond.
The truth is there are literally terabytes of sensitive data out there, including intellectual property, personal information, contract details, and others that could be exploited. For that matter, what if the SolarWinds attack had not been one of exploiting and taking out information but had actually been a denial-of-service attack, which we saw with Russia taking place against Ukraine a number of years back? That could have taken place with SolarWinds and completely shut down our economy, and we have all seen recently a dramatic upsurge in ransomware.
The truth is every company and virtually every part of government is under daily attack from these cyber criminals and, in some cases, from foreign intelligence services. The Federal Government must have the expertise and the willingness to share this information in real time to make sure that we can counter this. I think this is a sensible first step in finally putting in place the kind of broad-based cyber strategy our country needs. So I urge my colleagues to join the 15 of us and pass the Cyber Incident Notification Act of 2021.
Again, I note my friend, the Senator from Maine, is here. We have been spending a lot of time together, but I really appreciate her lead sponsorship of this legislation.
I will say it on the floor of the Senate, as I have said in so many private settings over the last number of weeks on some other things, if we had just listened earlier to the Senator from Maine, we would have been in a lot better shape today in this country.
With that, I yield to my colleague, the Senator from Maine.
The PRESIDING OFFICER. The Senator from Maine.
Ms. COLLINS. Mr. President, first, let me thank my good friend and the leader of the Senate Intelligence Committee, Chairman Warner, for paving the way for this legislation. He cares deeply about our country's response to these terrible cyber attacks and intrusions, and I am so grateful for his leadership and for his working with me to produce the Cyber Incident Notification Act of 2021.
As the chairman has mentioned, this is a bipartisan bill that is broadly supported. It would strengthen our response to cyber attacks and, thus, help to prevent future cyber intrusions. It would require government Agencies, Federal contractors, and critical infrastructure entities, which are overwhelmingly owned and operated by the private sector and other important sectors, to notify the U.S. Government if they become the victims of a significant cyber attack or intrusion.
This effort is a direct outgrowth of our work on the Senate Intelligence Committee and reflects our longstanding concern regarding the lack of timely notification of cyber attacks that can lead to extremely serious consequences for our economy, for our national security, and for our individual privacy.
In September of 2019, for example, Russian hackers gained access to the SolarWinds' software. This resulted in a supply chain compromise that was downloaded by up to 18,000 of its customers. These hackers then conducted follow-on operations that compromised 9 Federal Agencies and 100 private-sector networks.
We did not become aware of this hack until more than a year later and only then because a cybersecurity firm called FireEye voluntarily notified the Federal Government and the public.
Just to reiterate that important point, FireEye was under no legal obligation whatsoever to tell us that the software had been compromised, even though it affected nine Federal Agencies. We are grateful that FireEye told us about this hack, but the fact that companies are not mandated to do so leaves our economy and national security vulnerable to future attacks and lessens our ability to respond effectively when such intrusions do occur.
Where would we be right now if FireEye had not voluntarily disclosed the intrusion? Would the Russians' operation still be ongoing? How much sooner would we have become aware of these Russian cyber operations if key sectors were required to report cyber incidents to the U.S. Government?
As the Senator from Virginia very kindly and generously noted, I have long been concerned about this problem and focused on it.
In 2012, when I was the ranking member of the Senate Homeland Security Committee, I joined with my chairman and dear friend former Senator Joe Lieberman of Connecticut in introducing a bill called the Cybersecurity Act of 2012. That bill would have, among other things, addressed this gap in cyber incident reporting. Unfortunately, our bill did not become law. How much more prepared we would be today if it had been enacted.
My 2012 bill would have led to improved information sharing between the private sector and the Federal Government that likely would have reduced the impact of cyber incidents on both the government and the private sector. Having a clear view of the dangers the Nation faces from cyber attacks is necessary to enable both the public and the private sector to mitigate and reduce the threat. We have just recently seen the impact of an attack on a major pipeline. Just think what the consequences would be of an attack that crippled our electric grid.
What we are proposing in the Cyber Incident Notification Act is common sense and long overdue. Our bill recognizes the additional burden that this reporting requirement places on parts of the private sector, and so it, therefore, provides additional liability protection for companies reporting cyber incidents and requires the government to harmonize these new mandates with any existing reporting requirements to help avoid duplication.
The bill also requires the government to produce analytic updates for the government and industry practitioners regularly so that they are aware of cyber incidents taking place and targeting their sectors. This should be a two-way street of the exchange of information.
Let us not delay any longer in passing a robust cyber incident notification requirement. Failure to pass this bill will only give our adversaries more opportunity to gather intelligence on our government, to steal intellectual property from our companies, to compromise our personal privacy, and, most of all, to harm our critical infrastructure.
Again, my thanks to the Senator from Virginia, the chairman of the Intelligence Committee, for his hard work on this bill. Let's get the job done.
I yield the floor.
I suggest the absence of a quorum.
The PRESIDING OFFICER. The clerk will call the roll.
The bill clerk proceeded to call the roll.
Mr. BARRASSO. Mr. President, I ask unanimous consent that the order for the quorum call be rescinded.
The PRESIDING OFFICER (Mr. Schatz). Without objection, it is so ordered.