Language requiring companies to report cyberattacks left out of defense bill

Legislation mandating cyber incident reporting for certain critical organizations was left out of the compromise version of the annual National Defense Authorization Act (NDAA) that the House is set to vote on Tuesday. 

A cyber incident reporting provision, which established a new Cyber Incident Review Office at the Cybersecurity and Infrastructure Security Agency (CISA) was included in the version of the NDAA passed by the House in September. It also would have required CISA to set requirements around cyber incident reporting, with CISA banned from requiring organizations to report incidents sooner than 72 hours after discovery. 

There was a similar effort in the Senate to include a cyber incident reporting clause in the NDAA. 

An amendment put forward in November by Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), ranking member Rob Portman (R-Ohio), Senate Intelligence Committee Chairman Mark Warner (D-Va.) and Sen. Susan Collins (R-Maine) would have given certain critical groups 72 hours to report attacks, and 24 hours to report paying hackers as the result of a ransomware attack. 

But the language on cyber incident reporting was absent from the text of the bipartisan compromise 2021 NDAA released by the House and Senate Armed Services panels Tuesday.

A Senate aide told The Hill Tuesday that Senate Minority Leader Mitch McConnell (R-Ky.) blocked the provision from inclusion in the NDAA compromise package during negotiations. The Hill has reached out to a spokesperson for McConnell for comment. 

CyberScoop reported that Sen. Rick Scott (R-Fla.), a member of the Senate Homeland Security Committee, had asked McConnell to oppose the provision due to Scott’s effort to narrow the amount of organizations would be required to report cyber incidents.

“Senator Scott fought to ensure the scope of this new cybersecurity incident reporting law would be limited to critical infrastructure and not burden America’s small businesses,” McKinley Lewis, the communications director for Scott, told The Hill Tuesday. “After hearing last night that a deal had been reached to change the amendment and make Senator Scott’s proposed change, which was supported by CISA, we were surprised and disappointed to see it left out of the NDAA language released by the House today.”

Peters criticized the exclusion of an incident reporting clause, telling The Hill in a statement that he was “disappointed Senate Republican leaders blocked these commonsense provisions that have broad bipartisan support — including from the bipartisan leaders of the Senate Homeland Security and Intelligence Committees.”

“Cyber-attacks, including ransomware attacks, are one of the greatest threats to our national and economic security,” Peters said. “We need urgent action to tackle the serious threat posed by cyber-attacks, and by blocking our bipartisan reforms, Senate Republican leaders are putting our national security at risk. I’ll continue leading efforts to enact these critical, commonsense reforms and ensure our nation has a comprehensive strategy to fight back against cybercriminals and foreign adversaries who continue targeting our networks.” 

The legislation originally included in the House version of the NDAA was sponsored by the bipartisan leaders of the House Homeland Security Committee, and spearheaded by Rep. Yvette Clarke (D-N.Y.), chair of the committee’s Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation. 

House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and Clarke jointly criticized Tuesday the lack of inclusion of a cyber incident reporting mandate in the NDAA compromise bill, accusing Senate Republicans of obstructing the process. 

“There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” Thompson and Clarke said in a joint statement. “There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline. This result is beyond disappointing and undermines national security.”

The passage of legislation on cyber incident reporting gained traction over the past year as Congress worked to respond to major attacks including the SolarWinds hack, which allowed Russian government-backed hackers to compromise at least nine federal agencies and 100 private sector groups for much of last year. The breach was discovered almost exactly a year ago.  

“We had hoped to mark the one-year anniversary of the discovery the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk,” Thompson and Clarke said. “Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA.”

Both Thompson and Clarke did not pin the blame on either Portman or House Homeland Security Committee ranking member John Katko (R-N.Y.), both of whom have been key sponsors of legislation on cyber incident reporting. 

They also noted that Speaker Nancy Pelosi (D-Calif.) is an ally in the cause of pushing through cyber incident reporting through another avenue. 

“We are profoundly disappointed that the momentum we had coming into the NDAA did not yield success but are fully committed to working across the aisle and with the Senate to find another path forward,” Thompson and Clarke said. “Also, Speaker Pelosi has been a steadfast partner throughout this effort and has already communicated her continued interest in working with us to get cyber incident reporting legislation to the President’s desk.”

A spokesperson for Warner expressed similar sentiments. 

“We just didn’t reach an agreement on language in time to get it in the rule, still exploring other avenues for passage,” the spokesperson told The Hill Tuesday. 

While cyber incident reporting was left out, the NDAA will still be a vehicle for passage of several cybersecurity initiatives, with the compromise text including language to expand and empower CISA and funnel money into cybersecurity issues.

-Updated at 5:20 p.m.