Lawmakers are scrambling to find another avenue to pass a key bipartisan cybersecurity proposal, touted as the centerpiece of Congress’s response to a series of major cyberattacks over the past year, after an eleventh-hour deal scuttled its inclusion in the annual defense policy bill.
The plan to include a clause in the National Defense Authorization Act (NDAA) mandating that critical infrastructure groups and other key organizations report major cyberattacks to the federal government in a set time frame saw widespread support in both the House and Senate.
But after last-minute objections from a set of key Senate Republicans slowed down negotiations, the language slipped out of the defense package, leaving members of Congress on both sides of the aisle deeply frustrated and mulling next steps.
“I think it’s a shame and I don’t really understand it. Everybody has told us how important this is; this was an opportunity. Apparently one or two senators blocked it for reasons that aren’t clear to me. It’s a compromise of national security,” Sen. Angus King (I-Maine), the co-chair of the Cyberspace Solarium Commission and a member of the Senate Intelligence Committee, told The Hill Wednesday.
“Now we’re going to have to just figure out how to do it another way,” King said.
Senate Intelligence Committee Chairman Mark Warner (D-Va.) told reporters that FBI Director Christopher Wray had been among those pushing for incident reporting to become law.
“We just had Director Wray yesterday, him constantly stressing, ‘guys, we need this reporting right away.’ It’s frustrating … but hope springs eternal,” Warner said Wednesday. “It would have been overwhelmingly approved, but I’m going to give you a newsflash. … The sausage-making here is sometimes kind of ugly.”
Legislation to create a federal cyber incident notification mandate has been the main focus of bipartisan efforts on Capitol Hill to take action to strengthen the nation’s cybersecurity following a bruising year of cyber incidents. These included ransomware attacks on Colonial Pipeline and meat producer JBS USA, and the compromise of almost a dozen federal agencies as part of the Russian-backed SolarWinds hack.
The SolarWinds hack, ongoing for much of 2020, was discovered late last year when cybersecurity company Mandiant, formerly FireEye, announced its systems had been compromised. The full scope of the incident, one of the largest in U.S. history, was discovered in the weeks following the disclosure.
Mandiant was not required by law to tell the federal government that it had been hacked, an issue lawmakers and federal officials have zeroed in on this year, arguing that with greater transparency into attacks, more could be done to protect critical infrastructure.
As a result, the House included bipartisan legislation sponsored by the leaders of the House Homeland Security Committee in its version of the 2022 NDAA passed in September. The original defense funding package would have required the Cybersecurity and Infrastructure Security Agency to set requirements around reporting cyber incidents, with companies not required to report attacks until at least 72 hours after discovery.
In the Senate, a bipartisan group including the leaders of the Senate Homeland Security and Intelligence panels sponsored an amendment to the NDAA that would have given certain critical groups 72 hours to report attacks, and 24 hours to report paying hackers as the result of a ransomware attack.
“I am very disappointed it was not included in the NDAA. It clearly affects our national security; a lot of these attacks are state-sponsored,” Senate Homeland Security and Governmental Affairs Committee ranking member Sen. Rob Portman (R-Ohio), one of the amendment’s sponsors, told reporters Wednesday.
He said that industry stakeholders were also not happy, noting they “would have liked certainty” around passage. Stacy O’Mara, the director of government affairs at Mandiant, expressed a similar sentiment Wednesday, telling The Hill in a statement that the company was “looking forward” to passage next year.
“Enacting this measure would be a positive step forward in achieving long-term goals of enabling early detection of malicious cyberattacks and enhancing the federal government’s situational awareness to better partner with and assist private sector entities that become cyberattack victims,” O’Mara said. “This ‘whole of community’ approach is critical to increasing capacity to prevent and deter future cyberattacks.”
The late exclusion of the language was due to concerns by Sen. Rick Scott (R-Fla.) that the mandate was too broad and applied to too many businesses. CyberScoop reported Tuesday that Scott had asked Senate Minority Leader Mitch McConnell (R-Ky.) to block the legislation during NDAA negotiations.
Scott had objected to a version of the language about cyber incident reporting during its approval process in the Senate Homeland Security Committee, saying at the time that while he supported “the intent of this bill … another onerous government mandate on our small businesses is not the answer.”
Scott told reporters Wednesday that his concerns had been addressed and the language in the bill changed, but would not immediately commit to supporting the effort if it were to get a stand-alone vote in the Senate.
“What I’ve said all along is that I don’t believe we ought to be telling businesses that are not critical infrastructure that they need to be reporting something to some agency they’ve never heard of, but it’s my understanding they agreed to take that out,” Scott told reporters.
Warner noted that House lawmakers had to get the new NDAA text “to the printer at some point,” with the final exclusion coming down to the clock running out before the House rolled out and passed the compromise NDAA Tuesday. The Senate is expected to vote on the bill before the end of the year.
Now, lawmakers are seeking another avenue for passage, though it was clear Wednesday there is no set game plan.
“We have language that it seems like everybody is comfortable with, so we will have to find a way to get it in by unanimous consent or try to get it into some other package,” Senate Intelligence Committee Vice Chairman Marco Rubio (R-Fla.) told The Hill.
“We absolutely have to get those provisions in. The cyber threat is real, it’s growing, and we have to deal with it in a strong fashion,” Senate Homeland Security Committee Chairman Gary Peters (D-Mich.) told reporters. “There’ll be other avenues for us to move this; we have other opportunities to move this legislation forward.”
When asked what specific packages Peters might be eying, an aide for the senator told The Hill that “All options are on the table. These are very important reforms and we need to get this done.”
Even if specific next steps are not set in stone, lawmakers were clear this week that there is bipartisan support for getting cyber incident notification legislation over the finish line.
House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and Rep. Yvette Clarke (D-N.Y.), chair of the committee’s cybersecurity subcommittee, said in a joint statement Tuesday that they were working to “find another path forward,” noting Speaker Nancy Pelosi (D-Calif.) was supportive of this effort.
King expressed optimism for passage in the new year, making it clear that lawmakers were not giving up the fight.
“Absolutely, we’ll get it done,” he said.