Democrats accuse GOP of scuttling incident reporting in massive defense bill
Congressional Democrats on Tuesday blamed Republicans for axing language in the annual defense policy bill that would have mandated reporting of cyberattacks and ransomware payments.
House and Senate negotiators today unveiled a compromise version of the National Defense Authorization Act. It excludes bipartisan legislation that would have required critical infrastructure operators and certain government contractors to report such incidents to the Cybersecurity and Infrastructure Security Agency (CISA) no sooner than 72 hours after they occurred.
The legislative push had earned the support of top Biden administration officials, who viewed it as a necessary step after a year marked by major hacks, including the sweeping SolarWinds breach and the ransomware attacks on the Colonial Pipeline and meat processing giant JBS.
“I am disappointed Senate Republican leaders blocked these commonsense provisions that have broad bipartisan support,” Senate Homeland Security Committee Chair Gary Peters (D-Mich.) said in a statement.
“We need urgent action to tackle the serious threat posed by cyberattacks, and by blocking our bipartisan reforms, Senate Republican leaders are putting our national security at risk,” he added. “I’ll continue leading efforts to enact these critical, commonsense reforms and ensure our nation has a comprehensive strategy to fight back against cybercriminals and foreign adversaries who continue targeting our networks.”
A Senate aide put the blame squarely on Senate Minority Leader Mitch McConnell (R-Ky.).
CyberScoop reported that Sen. Rick Scott (R-Fla.), a member of the Homeland Security Committee who had introduced an alternative measure that limited ransom payment reporting strictly to critical infrastructure owners, had asked McConnell to oppose the provision.
In a statement, Scott spokesman McKinley Lewis said it is "patently false" that the Florida Republican worked to remove the bipartisan proposal from the defense bill.
“After hearing last night that a deal had been reached to change the amendment and make Senator Scott’s proposed change, which was supported by CISA, we were surprised and disappointed to see it left out of the NDAA language released by the House today,” according to Lewis.
A spokesman for McConnell did not immediately respond to a request for comment.
House lawmakers also accused Senate Republicans of stripping the measure from the must-pass policy bill, which authorizes $768 billion for national defense programs.
“There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today — well past the NDAA deadline,” Homeland Security Committee Chair Bennie Thompson (D-Miss.) and Rep. Yvette Clarke (D-N.Y.), who leads the panel’s cyber subcommittee, said in a joint statement.
“We had hoped to mark the one-year anniversary of the discovery [of] the SolarWinds supply chain attack by sending cyber incident reporting legislation to the president’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA,” they added.
House lawmakers approved the legislation 363-70. The compromise bill now heads to the Senate, which could pass the measure as soon as this week and send it to the White House for President Joe Biden's signature.
Martin Matishak is a senior cybersecurity reporter for The Record. He spent the last five years at Politico, where he covered Congress, the Pentagon and the U.S. intelligence community and was a driving force behind the publication's cybersecurity newsletter.