The Biden administration is throwing its support behind congressional legislation that would require companies to report major data breaches by hackers, including the ransomware attacks that are increasingly targeting U.S. critical infrastructure.
"The administration strongly supports congressional action to require victim companies to report significant breaches, including ransomware attacks," Richard Downing, a deputy assistant attorney general at the U.S. Department of Justice, told members of the Senate Judiciary Committee on Tuesday.
"In particular, such legislation should require covered entities to notify the federal government about ransomware attacks, cyber incidents that affect critical infrastructure entities, and other breaches that implicate heightened risks to the government, the public or third parties," Downing said.
The announcement came as members of Congress are advancing more than a dozen bills in response to a recent escalation in ransomware attacks, while the administration has taken a whole-of-government approach to respond to what it sees as a public safety, economic and national security threat.
Emphasizing that information sharing is critical between companies and the government, Judiciary Committee Chairman Dick Durbin said there is "general bipartisan support" for congressional action in response to the cybersecurity threat.
"And I hope it leads — I think it will — to specific legislation to deal with this," said Durbin, a Democrat.
Last week, a bipartisan group of senators introduced the Cyber Incident Notification Act of 2021, a bill that would require federal agencies and contractors as well as critical infrastructure operators to notify the government within 24 hours of a cyber breach that "poses a threat to national security." To encourage information sharing, the bill would grant limited immunity to companies that report a breach.
"We shouldn't be relying on voluntary reporting to protect our critical infrastructure," Democratic Senator Mark Warner, chairman of the Senate Intelligence Committee and one of the bill's co-sponsors, said in a statement last week. "We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact."
The bill's Republican co-sponsors include Senators Marco Rubio, vice chair of the Intelligence Committee, and Susan Collins, a senior member.
Once seen as a financial crime, ransomware attacks have grown in both number and severity over the past year and a half. Testifying before Senate Homeland Security and Governmental Affairs Committee, Homeland Security Secretary Alejandro Mayorkas said the attacks have surged by 300% over the past year. This year alone, Mayorkas said, ransomware attacks have resulted in economic losses of $300 million.
In May, a ransomware attack on Colonial Pipeline, the operator of the largest fuel pipeline in the country, disrupted its operations for several days, setting off fuel shortages and panic buying. In June, meat processor JBS USA said it paid $11 million to cybercriminals following a ransomware attack that disrupted its operations.
Legislative proposals such as the Warner bill seek to address what law enforcement officials have long identified as a major impediment to their ability to respond to a ransomware attack: a reluctance by businesses to notify law enforcement about cyber breaches.
Companies are not currently required to disclose when they have been attacked by ransomware criminals. Fearing loss of operations or reputational harm, most victims choose not to report. The FBI estimates that about 25% to 30% of such incidents get reported, according to Bryan Vorndran, assistant director of the FBI's cyber division.
The FBI has long encouraged victims of ransomware attacks to notify law enforcement, saying such information sharing can help it better understand and respond to the threat. Now, it wants notifications made mandatory.
"Because far too many ransomware incidents go unreported, and because silence benefits ransomware actors the most, we wholeheartedly believe a federal standard is needed to mandate the reporting of certain cyber incidents, including most ransomware incidents," Vorndran testified.
"The scope and severity of this threat has reached the point where we can no longer rely on voluntary reports alone to learn about incidents," Vorndran said.
In addition to ransomware attacks above a to-be-determined threshold, Downing said, the Justice Department wants mandatory notifications for two other types of breaches: supply chain attacks that could give outsiders access to critical U.S. infrastructure and government systems, and attacks involving high-value trade secrets related to critical infrastructure.
"Of particular significance, entities should be required to report any ransom demand; the date, time and amount of ransom payments; and addresses where payments were requested to be sent," Downing said.
While supporting mandatory breach notifications, Downing and other officials opposed calls to make ransom payments illegal. Jeremy Sheridan, an assistant director for the U.S. Secret Service, told lawmakers that banning ransomware payments "would further push any reporting to law enforcement into obscurity."
Jeff Seldin contributed to this report.