Language requiring companies to report cyberattacks left out of defense bill

Legislation mandating cyber incident reporting for certain critical organizations was left out of the compromise version of the annual National Defense Authorization Act (NDAA) that the House is set to vote on Tuesday. 

A cyber incident reporting provision, which established a new Cyber Incident Review Office at the Cybersecurity and Infrastructure Security Agency (CISA), was included in the version of the NDAA passed by the House in September. It also would have required CISA to set requirements around cyber incident reporting, with CISA banned from requiring organizations to report incidents sooner than 72 hours after discovery.

There was a similar effort in the Senate to include a cyber incident reporting clause in the NDAA. 

An amendment put forward in November by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), ranking member Rob Portman (R-Ohio), Senate Intelligence Committee Chairman Mark Warner (D-Va.) and Sen. Susan Collins (R-Maine) would have given certain critical groups 72 hours to report attacks, and 24 hours to report paying hackers as the result of a ransomware attack.

But the language on cyber incident reporting was absent from the text of the bipartisan compromise 2021 NDAA released by the House and Senate Armed Services panels Tuesday.

A Senate aide told The Hill Tuesday that Senate Minority Leader Mitch McConnell (R-Ky.) blocked the provision from inclusion in the NDAA compromise package during negotiations. The Hill has reached out to a spokesperson for McConnell for comment.

CyberScoop reported that Sen. Rick Scott (R-Fla.), a member of the Senate Homeland Security Committee, had asked McConnell to oppose the provision due to Scott's effort to narrow the number of organizations that would be required to report cyber incidents.

“Senator Scott fought to ensure the scope of this new cybersecurity incident reporting law would be limited to critical infrastructure and not burden America’s small businesses," McKinley Lewis, the communications director for Scott, told The Hill Tuesday. "After hearing last night that a deal had been reached to change the amendment and make Senator Scott’s proposed change, which was supported by CISA, we were surprised and disappointed to see it left out of the NDAA language released by the House today.”

Peters criticized the exclusion of an incident reporting clause, telling The Hill in a statement that he was "disappointed Senate Republican leaders blocked these commonsense provisions that have broad bipartisan support — including from the bipartisan leaders of the Senate Homeland Security and Intelligence Committees."

"Cyber-attacks, including ransomware attacks, are one of the greatest threats to our national and economic security," Peters said. "We need urgent action to tackle the serious threat posed by cyber-attacks, and by blocking our bipartisan reforms, Senate Republican leaders are putting our national security at risk. I’ll continue leading efforts to enact these critical, commonsense reforms and ensure our nation has a comprehensive strategy to fight back against cybercriminals and foreign adversaries who continue targeting our networks.” 

The legislation originally included in the House version of the NDAA was sponsored by the bipartisan leaders of the House Homeland Security Committee, and spearheaded by Rep. Yvette Clarke (D-N.Y.), chair of the committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and Clarke jointly criticized Tuesday the lack of inclusion of a cyber incident reporting mandate in the NDAA compromise bill, accusing Senate Republicans of obstructing the process.

"There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” Thompson and Clarke said in a joint statement. “There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline. This result is beyond disappointing and undermines national security.”

The passage of legislation on cyber incident reporting gained traction over the past year as Congress worked to respond to major attacks including the SolarWinds hack, which allowed Russian government-backed hackers to compromise at least nine federal agencies and 100 private sector groups for much of last year. The breach was discovered almost exactly a year ago.  

“We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk,” Thompson and Clarke said. “Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA.”

Neither Thompson nor Clarke pinned the blame on either Portman or House Homeland Security Committee ranking member John Katko (R-N.Y.), both of whom have been key sponsors of legislation on cyber incident reporting.

They also noted that Speaker Nancy Pelosi (D-Calif.) is an ally in the cause of pushing cyber incident reporting through another avenue.

“We are profoundly disappointed that the momentum we had coming into the NDAA did not yield success but are fully committed to working across the aisle and with the Senate to find another path forward,” Thompson and Clarke said. “Also, Speaker Pelosi has been a steadfast partner throughout this effort and has already communicated her continued interest in working with us to get cyber incident reporting legislation to the President's desk.”

A spokesperson for Warner expressed similar sentiments. 

“We just didn’t reach an agreement on language in time to get it in the rule, still exploring other avenues for passage,” the spokesperson told The Hill Tuesday. 

While cyber incident reporting was left out, the NDAA will still be a vehicle for passage of several cybersecurity initiatives, with the compromise text including language to expand and empower CISA and funnel money into cybersecurity issues.

-Updated at 5:20 p.m.