Will MSSPs Be Required to Disclose Cyber Incidents?
Virginia Senator Mark Warner (D) is advocating for new legislation that would require private companies — including MSSPs and their customers — to report cyber attacks to the federal government.
Warner, who chairs the Senate Intelligence Committee and serves as vice chair of the Senate Democratic Caucus, told CNBC that the nation has regarded cybersecurity as an “afterthought” for too long. His remarks come on the heels of the Colonial Pipeline ransomware attack that forced the energy supplier to temporarily shut down its fuel distribution operation. The company reportedly paid upwards of $5 million to Eastern European hackers.
“We have no actual system in place to make, whether it’s Colonial Pipeline or SolarWinds, or any other company, actually mandatorily report that information to the government in real time so that we can have a full-fledged response,” the former Virginia governor told CNBC. Warner adds another powerful voice to those of U.S. intelligence leaders who last month pressed congressional lawmakers to require private industry to report security breaches and other threat information to the federal government. He has previously said his committee is working on legislation that would mandate reporting of cyber threats.
“We need to put in place an entity that would include the government, the FBI, CISA [and] some of the web services: Amazon, Microsoft, the security firms out there. We need a real-time reaction team, and unfortunately, we don’t have that right now,” he said. “Cyber is always kind of a boring item until it hits home.”
The Director of the National Security Agency (NSA), the Director of National Intelligence and the Director of the Federal Bureau of Investigation (FBI) told bipartisan members of the Committee in a recent hearing that a law requiring the private sector to report breaches could help stitch together the nation’s cyber defenses against attacks on critical industry. Many enterprises avoid disclosing security lapses for competitive reasons: they are reluctant to admit to vulnerabilities for fear of inviting further attacks, and they want to quell unease among shareholders and customers about a breach.
Mandatory reporting, Warner said, could be modeled on a National Transportation Safety Board (NTSB) regulation that requires aircraft operators to give immediate notification of “certain incidents.” Early-warning systems, such as the mechanisms that help financial institutions detect and prevent fraud, might also serve as a reporting template, he said.