Congress Must Strengthen Cyberattack Reporting Requirements

Despite the increasing number of cyberattacks occurring in 2021, there is still no federal strategy to combat cybercrime and cyberattacks. These attacks occur faster and more frequently than ever before, threatening American consumers’ personal information and economic security. Yet, despite the growing problem, developing a federal strategy for combating cybercrime does not seem to be a priority for lawmakers.

Earlier this year, a bipartisan group of senators led by Mark Warner (D-VA) introduced the Cyber Incident Notification Act (CINA). The bill, if passed, would create a requirement for companies that have been victims of cyberattacks to report incidents within 24 hours. This allows federal authorities to take more effective and appropriate measures to fend off the attacks and prevent further damage. The goal is to make Americans safer and be a strong first step towards a more comprehensive federal strategy.

Congress should enshrine CINA in federal law.

CINA would be crucial in implementing a regulatory framework that would require entities to notify the Cybersecurity and Infrastructure Security Agency (“CISA”) of the Department of Homeland Security (“DHS”) within 24 hours of “confirmation” of a cybersecurity incident, and supplement such notification with any newly discovered information within 72 hours of discovery. Thus, when cyberattacks are reported quickly, federal agencies will be able to identify the cause of the breach and begin securing the impacted systems.

Unfortunately, CINA does not offer strong consumer protections at the moment, since the proposal only covers critical infrastructure and federal agencies, even though these entities hold important consumer data such as Social Security numbers and banking information. Still, if CINA advances through Congress, it could and should be expanded in scope to cover more consumer-facing industries.

The urgent need for cybersecurity protections cannot be overstated. It is estimated that a cyberattack occurs every 39 seconds in the US, which equates to 2000 cyberattacks a day. A notable recent example was the attack on the Colonial Pipeline in May 2021 by the cybercriminal group called “The Darkside,” which led to gas shortages and increased prices for consumers. That attack shut down a 5,500-mile pipeline responsible for 45% of fuel on the East Coast and led to $4.4 million being paid out in ransom.

When explaining the need for the bill, Senate Select Committee on Intelligence Chairman Mark Warner emphasized that “Colonial Pipeline voluntarily reported. There was another pipeline company that was attacked about the same time, and they didn’t even bother to report until literally months later. That is not a sustainable system. And while this isn’t going to solve the whole problem of cyber, it is an important first step in trying to get this right.”

CINA would also require entities to state whether they believe the attack could be compromising to the “national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of people in the United States.” This provision means that CISA and DHS can more accurately determine the urgency of a given attack and the scope of its damage.

Faster reporting requirements also benefit consumers. If consumers are alerted that a cyberattack might compromise their personal data within 24 hours, they have a better chance of limiting the damage. For example, they can change their online banking passwords, close credit cards, or delete sensitive files.

Currently, there is a patchwork system in place for fighting cybercrime, where only certain industries are subject to a federal framework. Examples include the 1996 Health Insurance Portability and Accountability Act (HIPAA) which provides a framework for securing patients’ health information, and the 1999 Gramm-Leach-Bliley Act, which instructs financial institutions to explain to consumers what steps they are taking to secure data.

This industry-specific approach fails to protect all consumers, since it leaves some industries unregulated. Furthermore, these industry-specific rules do not go far enough to protect Americans’ data or provide specific reporting requirements. While CINA is imperfect, it does address the need for better reporting and would be an important step in the right direction.

With bipartisan support and a growing cybersecurity threat in America, there is no reason why Congress should hesitate to pass CINA. In the meantime, thousands of cyberattacks will continue to impact Americans, and CISA and the DHS are left to face cyberattacks with one hand tied behind their backs.

Governments in Canada, the United Kingdom, and the European Union have implemented detailed strategies to combat cybercrime, demonstrating that unified national frameworks are feasible and favorable. While the U.S. should move towards a comprehensive federal approach, strengthening reporting requirements is a necessary start.

Caroline Wang is a Policy Intern at the American Consumer Institute, a nonprofit educational and research organization. For more information about the Institute, visit www.TheAmericanConsumer.org or follow us on Twitter @ConsumerPal
