Defense bill mandates cyberattack reporting
House and Senate negotiators agreed to retain language in the Defense authorization bill that would enhance cyberattack reporting requirements for large defense contractors.
The House will take up the latest iteration of the bill Wednesday afternoon.
The draft being considered is a compromise between the House and Senate versions of the National Defense Authorization Act (NDAA). The House passed its version in May, and the Senate has been working to integrate its language with the House bill since.
Notably, the Senate added a section directing the Defense Department (DOD) to identify defense contractors that are “operationally critical.” Those contractors would then have to report to DOD “on each cyber incident with respect to any network or information systems of such contractor,” a potentially broad category.
Over the past year, industry groups and government officials have been debating exactly when a company needs to report a cyber intrusion and what information it must reveal in that report.
If passed, the Defense bill would require considerable disclosures.
According to the draft language released Tuesday night, each cyber incident would merit a report indicating which techniques were used in the cyberattack, a sample of any malicious software used in the hack and a summary of any compromised information.
While industry groups strongly support the concept of sharing cyberattack information with the government, they have expressed liability concerns about sharing such information.
Companies are worried the government might disclose these vulnerabilities, opening them up to lawsuits.
Congress has considered legislation that would provide liability protection for industry partners sharing cyber threat information, but it’s not expected to move before 2015.