U.S. Officials Call for Fines Against Companies That Don’t Report Hacks

Top U.S. cyber officials on Thursday urged Congress to add more teeth to any legislation forcing firms that operate critical infrastructure to disclose hacks, calling for a narrow reporting window after a breach and fines against companies that don’t comply.

Such mandates could help federal agencies and critical economic sectors to respond to incidents, security experts say. But many businesses and some lawmakers are wary of the tighter regulation and potential penalties for which the Biden administration is advocating.

Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency, on Thursday said quicker disclosures by hacking victims would allow U.S. officials to analyze the data and identify other potential targets.

“To that end, cyber incident reporting must be timely, ideally within 24 hours of detection,” Ms. Easterly said in written testimony at a hearing by the Senate Homeland Security and Governmental Affairs Committee to discuss security threats.

At the same hearing, Ms. Easterly, Federal Chief Information Security Officer Chris DeRusha and National Cyber Director Chris Inglis called for financial penalties against companies that break such rules.

National Cyber Director Chris Inglis

Photo: Kevin Dietsch/Getty Images

“We of course don’t want to impose an unfair burden on the victims,” Mr. Inglis said. “But this information is essential for the welfare of the whole.”

The statements suggest the Biden administration sees aggressive enforcement as key to a potential incident-reporting regime, which Congress has failed to create over the past decade amid pushback from the private sector. States require firms to disclose breaches that expose personal information. Regulated industries such as financial services have sector-specific rules requiring companies to report hacks, but there is no federal reporting standard for hacks of businesses deemed critical to the U.S. economy.

A spate of cyberattacks on federal agencies and critical infrastructure operators in recent months has breathed life into the idea, convincing certain companies and business-friendly lawmakers that some rules are needed. Lobbyists are pushing lawmakers for less-strict requirements, including a 72-hour reporting window, saying that a shorter period would complicate companies’ ability to respond to incidents and flood the government with data.

Congressional proposals in recent months, however, have diverged over the breadth of incident reporting requirements, and how to enforce them.

A Senate bill unveiled in July proposed a 24-hour reporting window for designated firms and would allow CISA to fine firms up to 0.5% of their previous-year revenue for each day they break the rules. A draft bill in the House would give CISA power to subpoena—but not fine—companies that withhold information after at least 72 hours. House lawmakers considered proposing fines, an aide said, but believe they would create tension with companies without improving CISA’s access to timely information.

While Ms. Easterly on Thursday said disclosures within 24 hours of a breach could help CISA track threats, she warned that too short of a reporting window could yield bad information.

“Erroneous noise is not what we need,” she said. “We need signal.”

Thursday’s hearing came a day after the government issued new guidance for how companies in critical infrastructure sectors such as energy and transportation should shore up their cyber defenses. The high-level recommendations include producing cyber risk assessments, conducting constant monitoring for threats, and cataloging all software and hardware within computer networks.

U.S. officials have signaled that more cyberattacks on critical infrastructure could necessitate mandatory regulations, such as the Transportation Security Administration rules unveiled after hackers disrupted the East Coast’s largest gas pipeline for six days in May. Those requirements compel pipeline operators to report hacks within 12 hours or face potential penalties of $7,000 a day, officials said.

Businesses are wary of such fines on critical infrastructure writ large.

John Miller, senior vice president of policy and general counsel at the Information Technology Industry Council, a Washington-based trade association of tech companies, said imposing penalties could push firms to structure compliance programs around avoiding fines rather than instituting best practices for cybersecurity.

“Punitive measures would be counterproductive to maintaining the existing partnership that currently exists between the private sector and government,” Mr. Miller said.

Write to David Uberti at david.uberti@wsj.com

Copyright ©2021 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8