Russia and China have the United States reeling from two devastating cyberattacks in under six months. The mammoth SolarWinds breach—attributed to Russia and affecting at least nine U.S. government agencies, 100 private companies, and further victims yet to be identified—and a sweeping compromise of Microsoft’s e-mail servers by a Chinese hacking group have heightened attention on a glaring reality: the United States is woefully unprepared to counter cyberattacks that steal personal, corporate, and even government information. Subsequent revelations that a separate Chinese state hacking campaign compromised government, defense-industry, and financial targets and stole intellectual property only highlight the ongoing open season on U.S. data. Last week’s cyber executive order will require federal contractors to report cyber incidents to affected agencies and the Cybersecurity and Infrastructure Security Agency (CISA), a welcome step in the right direction. But federal contractors aren’t the only ones vulnerable to cyber threats, and foreign adversaries are surely watching with interest the impact of recent cybercriminal attacks on critical infrastructure, like the Colonial Pipeline.
The United States can’t address cyber threats from sophisticated nation-state actors like Russia and China if it doesn’t know about them. But right now, the country is operating in the dark: there is no broad requirement for private companies to report breaches to the federal government, only a patchwork of state regulations focused on personal data, each with its own disclosure requirements and reporting timelines. With both national security and economic competitiveness at stake, it’s time for Congress to require companies to report to the federal government when they’ve been hacked.