Cyber Incident Reporting Mandate Excluded From Final NDAA
Democratic Lawmakers Criticize GOP Counterparts for Eleventh-Hour Negotiations
Congressional negotiators have scrapped a provision in the must-pass annual defense policy bill that would have required owners and operators of critical infrastructure to report cybersecurity incidents and ransom payments made to criminal gangs. The measure - which continues to carry bipartisan support - was removed from the package at the eleventh hour as lawmakers sought a compromise on the requirements that would apply to private organizations.
A compromise version of the fiscal year 2022 National Defense Authorization Act, or NDAA, was issued Tuesday - leaving out the reporting mechanism that would have required critical infrastructure providers across 16 different sectors to report major security incidents, with some companies also obligated to report ransomware payments.
Federal cybersecurity leaders - including the Cybersecurity and Infrastructure Security Agency - supported the measure as a way to improve visibility into attack trends. CISA leaders have previously estimated that only about one-quarter of all cyber incidents get reported to the agency, which is the U.S. government's operational lead for IT security (see: Senate Considering Several Cyber Measures in Annual NDAA).
Proponents of the requirement included bipartisan leaders of the Senate Homeland Security and Governmental Affairs Committee - which introduced the mandate as a stand-alone measure in October - and the Senate Intelligence and House Homeland Security committees. Negotiators reportedly ran out of time on the final language before NDAA sponsors in the respective armed services committees issued a compromise version, as first reported by CyberScoop.
'Untenable Status Quo'
Democrats say they had hoped to present an incident reporting mandate to President Joe Biden at the one-year anniversary of the SolarWinds attack, first detected in late 2020, in which threat actors allegedly backed by the Russian government pushed out a malicious software update and breached some 100 organizations globally, along with nine U.S. federal agencies. The attack was detected and voluntarily reported to U.S. officials by the security firm FireEye.
Some cybersecurity experts say these requirements need to be codified into law.
"Without any type of federal legislation defining and requiring specific reporting, the strong incentive to keep corporate incident response methods and operations secretive will continue to thrive," says Frank Downs, a former offensive analyst for the National Security Agency and currently the director of proactive services for the security firm BlueVoyant. "Organizations will continue to file notifications and reporting after the fact, when they feel those notifications place them in the best light, whether that notification takes place a few days after the incident, or months later. … [It] remains in the hands of the brand protectors."
"Disappointing, indeed," said Christopher Painter, the former coordinator for cybersecurity issues at the Department of State in both the Obama and Trump administrations, via Twitter. "This is long overdue and I had hoped the conversation had changed given Colonial Pipeline & other incidents. An unfortunate triumph of an untenable status quo."
J. Michael Daniel, a former special assistant to President Obama and cybersecurity coordinator on the National Security Council staff, wrote on Twitter, "We're asking the federal government to fight half-blind."
And Peter Singer, a fellow at the U.S. think tank New America, tweeted: "This move by Senate Republicans is so undermining to long-term national security. Dems need to get their act together on messaging what being 'weak' on national security looks like in the 21st century."
The NDAA has recently served as an effective vehicle for pushing previously stalled cybersecurity legislation across the finish line. For instance, Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., co-chairs of the congressionally mandated Cyberspace Solarium Commission, said in early January that 27 provisions of the FY 2021 version drew directly from more than two dozen of the commission's recommendations. Those included the creation of the Office of the National Cyber Director, now held by Chris Inglis, who serves as the president's principal adviser on cybersecurity strategy.
Still, supporters of the provision say that because a deal was ultimately struck, they are likely to be able to advance the reporting requirements as separate legislation.
Bipartisan leaders of the Senate Intelligence Committee initially introduced legislation supporting 24-hour notification in July, but Chairman Mark Warner, D-Va., later backed a 72-hour proposal, then an NDAA amendment, put forward by Senate Homeland Security Committee Chairman Gary Peters, D-Mich., and Rob Portman, R-Ohio, ranking member of the committee (see: Senators Introduce Federal Breach Notification Bill).
Last week, Sen. Rick Scott, R-Fla., introduced a competing amendment that tasked federal contractors and infrastructure owners/operators with reporting cyberattacks within 72 hours; the same parties would have been responsible for reporting ransom payments within 24 hours. It excluded small- and medium-sized businesses.
Senate aides reportedly say Scott requested that Senate Minority Leader Mitch McConnell, R-Ky., hold up the proposal from the Homeland Security panel. Another source says that Scott requested a vote on his proposal, though the two sides reconciled before midnight on Monday, reportedly too late for inclusion, according to CyberScoop.
McKinley Lewis, communications director for Scott, tells ISMG, however, that any claims suggesting Scott sought to remove the provision altogether are "patently false." Lewis says: "Sen. Scott fought to ensure the scope of this new cybersecurity incident reporting law would be limited to critical infrastructure and not burden America’s small businesses. After hearing late on Monday night that a deal had been reached to change the amendment and make Sen. Scott’s proposed change, which was supported by CISA, we were surprised and disappointed to see it left out of the NDAA language released by the House."
In a statement provided to ISMG, Peters said he would continue to push for the reporting mandates and he was "disappointed" the "commonsense" provisions were blocked. He said, "Senate Republican leaders are putting our national security at risk," and that he would continue to pursue efforts to enact the reforms.
A spokesperson for McConnell did not immediately return ISMG's request for comment.
Rep. Bennie Thompson, D-Miss., chairman of the Committee on Homeland Security, and Rep. Yvette Clarke, D-N.Y., chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation, said in a joint statement: "There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until midmorning today [Tuesday] - well past the NDAA deadline. This result is beyond disappointing and undermines national security."