Senators look to defense bill to move cybersecurity measures

The Senate is eyeing the annual defense bill as a vehicle to attach critical provisions to improve the nation’s cybersecurity following a devastating year in which major attacks left the government flat-footed.  

The efforts are markedly bipartisan, a rarity for a Senate that is struggling to accomplish a long legislative to-do list before the holidays. 

“It’s a national security issue, really,” Senate Homeland Security and Governmental Affairs Committee ranking member Rob Portman (R-Ohio) told reporters Tuesday regarding the inclusion of cybersecurity priorities in the 2022 National Defense Authorization Act (NDAA).

Language around requiring critical organizations to report cyber incidents to the federal government, and timelines for doing so, has been a key issue hotly debated in recent months.

The push to give the Biden administration and Congress more visibility into the nation’s cybersecurity comes after a particularly difficult year that saw major disruptive attacks on companies including Colonial Pipeline and meat producer JBS USA.

Portman, along with Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), Senate Intelligence Committee Chairman Mark Warner (D-Va.) and Sen. Susan Collins (R-Maine), introduced an amendment to the NDAA earlier this month that would give critical infrastructure groups 72 hours to report cyber incidents.

The amendment would give critical infrastructure groups, nonprofit organizations, state and local governments, and certain businesses 24 hours to report ransomware attack payments. It also includes language to update the Federal Information Security Modernization Act (FISMA) to clarify the roles of key agencies in responding to cyber incidents, another key bipartisan priority. 

“It’s got broad bipartisan support, and we are hoping to get it in this package,” Peters told The Hill Wednesday. “Of course, we’ve got negotiations and then the House, and we’ve been working with our House counterparts too.”

The House already approved its version of the 2022 NDAA in September, including a raft of measures in the defense package intended to strengthen the nation’s cybersecurity.

These included a bipartisan measure that would require the Cybersecurity and Infrastructure Security Agency (CISA) to determine requirements for critical infrastructure owners and operators to report incidents, with CISA required to give these groups no less than 72 hours to report.

Other language included was a provision to authorize a program at CISA to enhance industrial control systems’ cybersecurity and improve vulnerability reporting, among others.

Many of these measures were sponsored by Rep. Yvette Clarke (D-N.Y.), the chairwoman of the House Homeland Security Committee’s cybersecurity subcommittee, who stressed at a subcommittee hearing Wednesday her commitment to advancing the effort on mandatory reporting.

“After many years of debate in Congress, I am confident that we will finally enact mandatory cyber incident reporting legislation as part of the National Defense Authorization Act,” Clarke testified. “It is my hope that greater information sharing in support of the administration’s whole of government approach to combating ransomware will help improve our visibility into the ransomware epidemic and enhance our ability to respond appropriately.” 

House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-N.Y.), whose committee held a hearing on ransomware attacks this week, stressed to The Hill that it was essential to include a cyber incident reporting clause.

“No one is tracking the data of how many attacks there are. That is the first step to try to get some hold on it,” Maloney said Wednesday. 

Beyond cyber incident reporting, there is also support in the Senate to include legislation to enhance crackdown measures against malicious hackers.  

Sen. Sheldon Whitehouse (D-R.I.) announced at a Senate Judiciary Committee meeting on Tuesday that the International Cybercrime Prevention Act, which he sponsors alongside Sens. Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.), was likely to be added to the NDAA.

The bill would enhance criminal violations for hackers attacking critical infrastructure, such as power plants and hospitals, along with expanding the Justice Department’s ability to go after botnet groups that pose a violation of the Computer Fraud and Abuse Act.  

“I think it makes a lot of sense to include it, and I am a member of the Armed Services Committee, and I will be talking to colleagues on the committee about it,” Blumenthal told The Hill this week. “I think there will be strong bipartisan support.”

The inclusion of cybersecurity measures in the NDAA is nothing new, but the level of interest and the number of critical measures included turned a corner last year, when more than two dozen recommendations from the bipartisan Cyberspace Solarium Commission (CSC) were included in the defense package.

These included a provision establishing a national cyber director at the White House, a role that has since been filled by former National Security Agency Deputy Director Chris Inglis, and giving CISA the ability to subpoena internet service providers to release information on vulnerabilities in critical infrastructure organization networks.

“They are all getting bipartisan support. There are several important ones — incident reporting, joint collaborative environment — and then there are a number of others, but those are very important,” Sen. Angus King (I-Maine), a CSC co-chair, told The Hill of the new NDAA efforts Wednesday. “This is a very complex process. We’ve had to have clearances from multiple committees, both sides of the aisle, but I am cautiously optimistic.”

Despite the urgency of the moment in confronting cyberattacks — which have targeted schools, hospitals and the federal government over the past year — the NDAA is only inching forward in the Senate. 

That’s due at least in part to the kind of partisan fights that have been typical outside the world of cybersecurity.

The Senate was scheduled to vote on allowing debate on the defense package Wednesday, but the vote was canceled after Republicans threatened to block the bill due to the decision by Senate Majority Leader Charles Schumer (D-N.Y.) to include the U.S. Innovation and Competition Act in the NDAA.

The Senate has a grueling schedule, with only a few weeks left to pass the NDAA in addition to addressing other items, including President Biden’s climate and social spending plan, the annual appropriations package, the debt ceiling and an election reform bill.

Despite the time crunch, Peters expressed optimism around quickly pushing through the NDAA. 

“I expect we are going to be able to move on the NDAA in a hopefully expeditious way, that’s our goal, I have no reason to think it won’t move out of the Senate,” he said.