The Biden Administration is imminently expected to release an executive order that will require government contractors to notify the government in the event of a cybersecurity breach. Despite the relatively steady rise in cyberattacks and breaches over the years, and the enactment of consumer data breach disclosure laws in all 50 states, there is currently no standardized reporting requirement for government contractors. However, the Biden administration has promised executive action on the issue, largely in response to a cyberattack by a suspected nation-state against multiple software companies, including the SolarWinds software company.
SolarWinds gained national attention because the cyberattack inserted malicious code into SolarWinds’ IT performance monitoring system known as Orion. Beginning in March 2020, SolarWinds disseminated software updates for Orion containing the malicious code. The updates appeared on their face to be legitimate patches but resulted in the attackers creating backdoors through which they could access and move within the networks of thousands of SolarWinds customers, which include Fortune 500 companies as well as high-level government agencies. Undetected for months, the attack was only brought to light when FireEye, a private cybersecurity firm, disclosed the breach after realizing its own systems had been compromised. Had FireEye not come forward, it is unclear how long the breach would have gone undetected.
The SolarWinds incident illustrated the government’s vulnerability to attack via outside contractors and showcased the importance of notification requirements. This attack, and in particular the way it came to light, has motivated government action. Several legislators in addition to the Biden administration have vowed to pursue new cybersecurity measures, and those promises appear to be gaining momentum.
On April 14, 2021, leaders from the nation’s intelligence community testified before the Senate Intelligence Committee on the need for a federal breach notification law that applies to private sector companies. FBI Director Christopher Wray testified that the U.S. infrastructure is an attractive target for cyber adversaries because “the private sector controls 90 percent of the infrastructure and an even higher percentage of personally identifiable information.” Director Wray also suggested that a breach notification law would improve the coordination and cooperation between the private sector, the intelligence community, and the rest of the federal government. However, the private sector faces several disincentives for making such disclosures.
General Paul Nakasone, Director of the National Security Agency and Commander of U.S. Cyber Command, recognized that private sector victims have a number of valid reasons to refrain from readily sharing this information.
One possible way for new legislation to thread the needle between the competing priorities and conflicting requirements of the breached entity and the national interest would be to create a safe harbor provision for private sector entities that disclose an actual or suspected data breach to an agency that does not have enforcement powers over the private sector. The receiving agency would then be responsible for removing from the disclosure any information that identified the breached entity.
Although it is impossible to forecast exactly what form these new measures will take, it is likely that breach notifications will become required contract provisions. Currently, only the Department of Defense has mandatory breach notifications. Section 202.101 of the Defense Federal Acquisition Supplement (DFARS) defines a “cyber incident” as “actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.” Section 204.7302 requires contractors and subcontractors “to rapidly report cyber incidents directly to DoD” and defines “rapidly report” to mean within 72 hours of discovery. Although Section 204.7302 only applies to certain information, it may become a roadmap for more widely applicable breach reporting requirements.
Contractors should begin to develop internal systems for identifying and reporting cyber incidents, as it is highly likely that this will be mandatory in the near future. Failure to do so could also have significant consequences, as one court recently held that failure to comply with certain cybersecurity controls was material and sufficient for a plausible pleading under the False Claims Act. See United States v. Aerojet Rocketdyne Holdings, Inc., 381 F.Supp.3d 1240 (2019). Therefore, it is especially important that contractors begin to plan for the implementation of mandatory breach notifications now.