A bipartisan legislation was introduced Wednesday in an effort to make cyber intrusion reporting a federal requirement and, partly, in response to the hacking incidents that affected the Colonial Pipeline, information technology management firm SolarWinds and other public and private entities.

Sen. Mark Warner, chairman of the Senate Select Committee on Intelligence and three-time Wash100 Award winner; Sen. Marco Rubio, vice chairman of the committee; and Sen. Susan Collins, a senior committee member, presented the Cyber Incident Notification Act of 2021 that seeks to require federal agencies, government contractors and critical infrastructure owners and operators to inform the Cybersecurity and Infrastructure Security Agency (CISA) of cyber intrusions within 24 hours of their discovery.

The reports are expected to support the government's efforts in safeguarding critical industries. Currently, individual companies are not required to report when they have been subjected to hacking activities.

“We shouldn’t be relying on voluntary reporting to protect our critical infrastructure," said Sen. Warner. "We need a routine federal standard so that when vital sectors of our economy are affected by a breach, the full resources of the federal government can be mobilized to respond to and stave off its impact.”

Meanwhile, Sen. Rubio noted that more damage can be done to American businesses, infrastructure, and government institutions when an attack goes unreported for a longer period of time.

Sen. Collins added, "Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure."

The bill also seeks to incentivize information sharing by granting limited immunity to companies that reported a breach and by ensuring the protection of privacy and personally identifiable information.

Twelve other senators co-sponsored the legislation.

Sen. Angus King, I-Maine, and Tom Fanning, CEO of Southern Company, said the federal government and industry must collaborate to safeguard critical infrastructure from ransomware attacks and other cyber threats. 

“The federal government and private sector must arrive at a new ‘social contract’ of shared responsibility to secure our country's cyberspace where both parties have shared, mutual responsibilities,” King and Fanning wrote in an opinion piece published Monday on CNN Business.

They said Congress should advance proposals to address the gap between the government and critical infrastructure providers when it comes to dealing with cyberattacks and one of those measures is the "systemically important critical infrastructure (SICI)” concept.

Under a SICI measure, the Department of Homeland Security (DHS) would classify an asset as SICI if a possible breach of that infrastructure would pose a threat to national security, public health and economic security.

Fanning and King also discussed the three potential benefits of SICI legislation before and in the event of a breach and one of those is receiving threat intelligence data on foreign actors to prevent cyber incidents.

“SICI legislation would work hand-in-hand with America's critical infrastructure providers to establish mutual accountability and collaboration in a way not previously possible,” they noted.

Fanning is a commissioner and King is co-chair of the Cyberspace Solarium Commission.