Language requiring companies to report cyberattacks left out of defense bill

Legislation mandating cyber incident reporting for certain critical organizations was left out of the compromise version of the annual National Defense Authorization Act (NDAA) that the House is set to vote on Tuesday. 

A cyber incident reporting provision, which established a new Cyber Incident Review Office at the Cybersecurity and Infrastructure Security Agency (CISA), was included in the version of the NDAA passed by the House in September. It also would have required CISA to set requirements around cyber incident reporting, with CISA banned from requiring organizations to report incidents sooner than 72 hours after discovery.

There was a similar effort in the Senate to include a cyber incident reporting clause in the NDAA. 


An amendment put forward in November by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), ranking member Rob Portman (R-Ohio), Senate Intelligence Committee Chairman Mark Warner (D-Va.) and Sen. Susan Collins (R-Maine) would have given certain critical groups 72 hours to report attacks, and 24 hours to report paying hackers as the result of a ransomware attack.

But the language on cyber incident reporting was absent from the text of the bipartisan compromise 2021 NDAA released by the House and Senate Armed Services panels Tuesday.

A Senate aide told The Hill Tuesday that Senate Minority Leader Mitch McConnell (R-Ky.) blocked the provision from inclusion in the NDAA compromise package during negotiations. The Hill has reached out to a spokesperson for McConnell for comment.

CyberScoop reported that Sen. Rick Scott (R-Fla.), a member of the Senate Homeland Security Committee, had asked McConnell to oppose the provision due to Scott's effort to narrow the number of organizations that would be required to report cyber incidents.

“Senator Scott fought to ensure the scope of this new cybersecurity incident reporting law would be limited to critical infrastructure and not burden America’s small businesses,” McKinley Lewis, the communications director for Scott, told The Hill Tuesday. “After hearing last night that a deal had been reached to change the amendment and make Senator Scott’s proposed change, which was supported by CISA, we were surprised and disappointed to see it left out of the NDAA language released by the House today.”


Peters criticized the exclusion of an incident reporting clause, telling The Hill in a statement that he was "disappointed Senate Republican leaders blocked these commonsense provisions that have broad bipartisan support — including from the bipartisan leaders of the Senate Homeland Security and Intelligence Committees."

"Cyber-attacks, including ransomware attacks, are one of the greatest threats to our national and economic security," Peters said. "We need urgent action to tackle the serious threat posed by cyber-attacks, and by blocking our bipartisan reforms, Senate Republican leaders are putting our national security at risk. I’ll continue leading efforts to enact these critical, commonsense reforms and ensure our nation has a comprehensive strategy to fight back against cybercriminals and foreign adversaries who continue targeting our networks."

The legislation originally included in the House version of the NDAA was sponsored by the bipartisan leaders of the House Homeland Security Committee, and spearheaded by Rep. Yvette Clarke (D-N.Y.), chair of the committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and Clarke on Tuesday jointly criticized the absence of a cyber incident reporting mandate from the NDAA compromise bill, accusing Senate Republicans of obstructing the process.

“There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” Thompson and Clarke said in a joint statement. “There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline. This result is beyond disappointing and undermines national security.”


The passage of legislation on cyber incident reporting gained traction over the past year as Congress worked to respond to major attacks including the SolarWinds hack, which allowed Russian government-backed hackers to compromise at least nine federal agencies and 100 private sector groups for much of last year. The breach was discovered almost exactly a year ago.  

“We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk,” Thompson and Clarke said. “Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA.”

Neither Thompson nor Clarke pinned the blame on Portman or House Homeland Security Committee ranking member John Katko (R-N.Y.), both of whom have been key sponsors of legislation on cyber incident reporting.

They also noted that Speaker Nancy Pelosi (D-Calif.) is an ally in the effort to pass cyber incident reporting through another avenue.

“We are profoundly disappointed that the momentum we had coming into the NDAA did not yield success but are fully committed to working across the aisle and with the Senate to find another path forward,” Thompson and Clarke said. “Also, Speaker Pelosi has been a steadfast partner throughout this effort and has already communicated her continued interest in working with us to get cyber incident reporting legislation to the President's desk.”

A spokesperson for Warner expressed similar sentiments. 

“We just didn’t reach an agreement on language in time to get it in the rule, still exploring other avenues for passage,” the spokesperson told The Hill Tuesday. 

While cyber incident reporting was left out, the NDAA will still be a vehicle for passage of several cybersecurity initiatives, with the compromise text including language to expand and empower CISA and funnel money into cybersecurity issues.

-Updated at 5:20 p.m.