Cyber incident reporting backers pledge to resume push

Proponents of legislation that would mandate certain companies report major cyberattacks vowed on Thursday that they would try to again this year, though they were short on specifics about how such a measure would ultimately be enacted into law.

Bipartisan legislation to establish cyber incident reporting standards was primed to be included in the compromise version of the annual defense policy bill but was scrapped at the last minute due to Republican concerns over the measure's scope. The worries were addressed but not in time for the provision to be incorporated in the final defense bill — infuriating its sponsors.

“I'm committed to getting the cyber incident reporting across the finish line,” Rep. Yvette Clarke (D-N.Y.), the chair of the House Homeland Security Committee’s cybersecurity subpanel, said during a virtual event hosted by the Silverado Policy Accelerator. 

“This legislation is a top priority for Congress, the administration and even many in industry. With so much momentum on our side, I'm confident that we'll find a vehicle to move this legislation and get it to the president's desk this year,” she added.

Rep. John Katko (N.Y.), the top Republican on the Homeland Security Committee, echoed her remarks.

“We will find the vehicle to attach this too. Even if it doesn't pass on its own as part of a bigger broader bill. I think we will get it done,” he said.

The cyber incident reporting legislation was considered to be the central congressional response to the sweeping SolarWinds hack that impacted nine federal agencies and roughly 100 private sector organizations and the wave of historic ransomware attacks that occurred last year.

It would have mandated critical infrastructure companies to report a cyberattack to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of discovery and report any ransomware payments made within 24 hours. 

The pledge to take the legislation back up again was applauded by executive branch officials. 

"Cyber incident reporting legislation is our top legislative priority in cybersecurity for 2022," said Rob Silvers, under secretary for policy at the Homeland Security Department, at the Thursday event. "It's hard to overestimate what a game changer it will be in terms of giving the government visibility into the threat landscape. You cannot defend what you cannot see.”

Bryan Vorndran, the assistant director of the FBI’s Cyber Division, said there had been a “misunderstanding” last year that the agency wants a “dual seal program” in the legislation, meaning companies would have to report to both CISA and the FBI.

“That isn't true,” he said. 

Instead, the Justice Department and the FBI would like to see a bill that includes language about the bureau “having real-time and unfiltered access to incident information” provided to CISA, which “can likely be accomplished by a few words or a sentence in proposed legislation,” according to Vorndran.

However, despite their assurances, neither Clarke nor Katko could single out a specific piece of legislation that a cyber incident reporting bill could be hitched to this year.

“Where we can find a nexus, we're going to attach this legislation. It's just really critical,” Clarke said.

“Whatever vehicle we can find to get it, we're going to get it and I think that's the goal of everybody,” according to Katko, who suggested the Senate would probably end up taking the lead on the process.

“Any bill we can find, whether it be the budget, whether it be whatever, we're gonna throw it into it and keep trying to get it done because I think everyone realizes that was a miss last year. We need to get it done,” he added.