A new bill unveiled Wednesday would make some companies tell the government when they’ve been hacked. The bipartisan Cyber Incident Notification Act is a response to the recent attacks on SolarWinds, which impacted government agencies, and Colonial Pipeline, which disrupted American access to fuel across a large region. Since then, ransomware attacks — where hackers encrypt files until a victim pays a ransom — have proliferated.

The problem is, under federal law, companies don’t have to report these incidents. That means some incidents may occur without the government knowing, which can have serious implications if the government’s own systems are potentially implicated in an attack.

The bill introduces a new disclosure requirement for federal agencies, federal contractors and critical infrastructure companies to notify the Department of Homeland Security when they identify a breach of their systems. It also gives those companies limited immunity when they report a breach — for instance, shareholders could not gain access to the disclosed information to use as evidence in a lawsuit — and requires DHS to anonymize personally identifiable information. That way, companies can report incidents quickly and allow the government to act efficiently where needed.

Bringing cyberattacks to light

Senate Select Committee on Intelligence Chairman Mark Warner, D-Va., Vice Chairman Marco Rubio, R-Fla., and senior member Susan Collins, R-Maine, led the legislation, which responds to concerns they heard at an earlier hearing about the SolarWinds attack. At the hearing, Microsoft President Brad Smith testified that the only reason the government and public were aware of the incident is that cybersecurity firm FireEye reported what it believed to be a state-sponsored attack on its own systems in December. After that disclosure, Reuters reported on a potentially adversary-linked hack into U.S. agencies through SolarWinds software updates. Sources later told Reuters that attack was linked to the FireEye incident.