Senators move to include 72 hour timeline for cyber incident reporting in defense bill

A bipartisan group of senators are moving to insert a provision into the upcoming annual National Defense Authorization Act (NDAA) that would give certain critical infrastructure groups 72 hours to report major cyber incidents to the government. 

The amendment, announced Thursday night, would also give critical infrastructure groups, nonprofit organizations, state and local governments, and certain businesses 24 hours to report payments made to hackers due to a ransomware attack. 

The reports on the incidents and payments would both go to the Cybersecurity and Infrastructure Security Agency (CISA) as part of an effort to give the government greater transparency into the state of the nation’s cybersecurity following a year of escalating attacks. 

The amendment is sponsored by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), ranking member Rob Portman (R-Ohio), Senate Intelligence Committee Chairman Mark Warner (D-Va.) and Sen. Susan Collins (R-Maine). 

“Cyber-attacks and ransomware attacks are a serious national security threat that have affected everything from our energy sector to the federal government and Americans’ own sensitive personal information,” Peters said in a statement. 

The amendment is the result of negotiations between the senators: Peters and Portman introduced legislation in September proposing the 72-hour timeline, while Warner, Collins and all but three other members of the Senate Intelligence Committee introduced a separate bill in July laying out a 24-hour timeline.

Industry groups have pushed back against the 24-hour reporting requirement, arguing that this did not give them enough time to assess incidents and limit reporting less major incidents. 

“I’m grateful to my colleagues for working together to introduce this bipartisan amendment that will take significant steps to strengthen cybersecurity protections, ensure that CISA is at the forefront of our nation’s response to serious breaches, and most importantly, requires timely reporting of these attacks to the federal government so that we can better prevent future incidents and hold attackers accountable for their crimes,” Peters said. 

Calling for more action to confront the threats, Warner pointed to escalating cyber incidents, which have included ransomware attacks earlier this year on Colonial Pipeline and meat producer JBS USA, as well with the SolarWinds hack last year.

“It seems like every day, Americans wake up to the news of another ransomware attack or cyber intrusion, but the SolarWinds hack showed us that there is nobody responsible for collecting information on the scope and scale of these incidents,” Warner said in a statement. “We can’t rely on voluntary reporting to protect our critical infrastructure — we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, the full resources of the federal government can be mobilized to respond to, and stave off, its impact.”

“I’m glad we were able to come to a bipartisan compromise on this amendment addressing many of the core issues raised by these high-profile hacking incidents,” he added.

The amendment also includes language updating the Federal Information Security Modernization Act (FISMA) to clarify the roles of key agencies in responding to cyber incidents, which is based on a separate piece of legislation introduced by Peters and Portman last month.

“This bipartisan amendment to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” Portman said in a statement. 

The must-pass NDAA is often used to push through other measures that might not otherwise get a vote. Last year’s NDAA included over two dozen major cyber recommendations, including the establishment of the national cyber director position at the White House. 

Collins stressed Thursday that a reporting requirement and other measures in the amendment were necessary to heighten the nation’s security. 

“Having a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat,” Collins said. “Failure to enact a robust cyber incident notification requirement will only give our adversaries more opportunity to gather intelligence on our government, steal intellectual property from our companies, and harm our critical infrastructure.”

“I urge my colleagues to pass our amendment, which is common sense and long overdue,” she said.