Cyber incident reporting bill hitches a ride on $1.5 trillion spending deal

Legislation that would require critical infrastructure companies to alert the government when they are hacked has been attached to a $1.5 trillion spending package that would fund the government into the fall.

The Strengthening American Cybersecurity Act, which passed the Senate last week in a package of cybersecurity bills, would mandate that critical infrastructure operators alert the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours of a breach and 24 hours if the organization made a ransomware payment.

Politico reported that the bipartisan legislation has fragmented the Biden administration. The White House, National Cyber Director Chris Inglis and CISA Director Jen Easterly have endorsed the bill; however the Justice Department and the FBI have come out against the proposal because the hack information would not be submitted jointly to the bureau — despite assurances from Easterly.

FBI Director Christopher Wray, appearing before the House Intelligence Committee on Tuesday for its annual worldwide threats hearing, was asked to explain his agency’s stance.

“No one believes more in the importance of private sector reporting of cyber threat information than I do. I’ve been testifying and calling for it for quite some time. It’s important however that information flow real time,” he said.

He also said that companies should be protected from potential legal liabilities and create a direct reporting path to the FBI, arguing that relying on CISA to share such reports would only delay his agency's work.

“We have agents out in the field who are responding — often within an hour or so — to a business that’s been hit and that’s happening thousands of times a year, so we need to make sure that information flow is protected,” according to Wray.

The omnibus spending bill, unveiled early Wednesday morning, incorporates none of the changes sought by the FBI and DOJ.

The $1.5 trillion government funding measure is set for a House vote later today. 

Lawmakers also plan to vote on another stopgap funding bill that would keep government funding at existing levels through March 15 in order to give the Senate time to take up the long-term spending bill.

If the bill passes both chambers of Congress, it will go to President Joe Biden’s desk for his signature.

In addition to the cyber incident bill, the $1.5 trillion omnibus includes $2.59 billion for CISA, a $300 million boost over the Biden administration’s budget request, for its latest digital efforts, such as the Joint Cyber Defense Collaborative and the recently-established Cyber Safety Review Board.

The agreement would also provide $185.8 million for the Energy Department’s Office of Cybersecurity, Energy Security, and Emergency Response.