Bipartisan legislation intended to require certain organizations to report cybersecurity incidents to the federal government could be included as part of the must-pass annual defense legislation, Senate Intelligence Committee Chairman Mark Warner (D-Va.) said Tuesday.
Warner, alongside all but three members of the Senate Intelligence Committee, introduced legislation in July that would require federal agencies, government contractors and groups critical to national security to report cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 24 hours.
The legislation is one of several cybersecurity bills introduced in the aftermath of major cyberattacks in the past year, including the ransomware attacks on Colonial Pipeline and meat producer JBS USA, and the Russian government-backed SolarWinds hack.
“I think we will come to a conclusion, and I have high, high hopes that this will be attached to the defense authorization bill. It will be a good first step; it’s not a full solution,” Warner said of the bill during remarks at the AWS Summit in Washington, D.C., on Tuesday.
The House included a similar bipartisan bill spearheaded by leaders of the House Homeland Security Committee in its version of the 2022 National Defense Authorization Act (NDAA), passed last week. The Senate has not yet voted on its version of the 2022 NDAA.
The House bill requires CISA to establish requirements for some critical infrastructure owners and operators to report cybersecurity incidents, and bans CISA from requiring these groups to report incidents earlier than 72 hours after they occurred.
Warner criticized the House’s cyber incident reporting legislation for lacking an enforcement mechanism.
“If you don’t report there has to be some level of penalty,” Warner said. “One of my critiques of the House version is that there is a reporting requirement, but with no penalty at all, that is toothless.”
Members of Congress on both sides of the aisle along with industry have backed the idea of legislation creating a federal cybersecurity breach reporting law, but in recent weeks there has been disagreement over timelines for reporting.
Leaders of the Senate Homeland Security and Governmental Affairs Committee said at a hearing last week that they were drafting similar legislation to the Senate Intelligence Committee bill. The bill was introduced Tuesday, and gives organizations 72 hours to report a cybersecurity incident.
Warner said Tuesday that the two Senate efforts would likely “merge or collaborate.”
CISA Director Jen Easterly also spoke at the event Tuesday, endorsing the idea of cyber incident reporting legislation but pushing for a reporting timeline longer than 24 hours.
“It doesn’t make sense to say 24 hours from detection because you will flood us with noise,” Easterly said of the legislation. “We need signal, so we don’t want to be overburdened with noise, and we don’t want to overburden industry under duress trying to manage an incident, and so what we want is to work with industry through a rulemaking period to make sure we get this right.”
While the exact form of the legislation is still under debate in Congress, both Easterly and Warner stressed Tuesday that action needed to be taken to give the federal government more insight into how malicious actors were targeting U.S. organizations.
“The vast majority of Americans after SolarWinds and Colonial Pipeline have woken up that this is a real problem,” Warner said. “To me when you think about challenges we face in terms of national security, this ranks pretty close to right at the top.”