House and Senate negotiators have excluded provisions from a must-pass defense bill that would have mandated many companies to report major cyberattacks and ransomware payments to federal officials.
A compromise version of the fiscal 2022 National Defense Authorization Act (NDAA) released Tuesday leaves out the language, which would set timeframes for when critical infrastructure owners and operators must report major incidents and some companies would have to report making ransomware payments. Supporters of the language ran out of time to reach an agreement on the final phrasing before NDAA sponsors moved ahead on their final compromise bill, a senior Senate aide said.
It’s a big setback for backers of the reporting mandates, as attaching provisions to the annual NDAA has been the path for a number of monumental cyber ideas to become law. Still, some key disputes over the reporting mandate provisions have been resolved, and backers might be able to soon advance the language separately, the aide said.
Bipartisan momentum has built in both chambers about the notion of forcing critical infrastructure owners and operators to report major cyberattacks to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, following the sweeping SolarWinds cyber-espionage campaign. That hack, in which suspected Russian spies breached nine federal agencies, only came to light after the security firm FireEye disclosed it voluntarily.
Senate sponsors of the proposal include the bipartisan leaders of the Senate Homeland Security and Governmental Affairs Committee, Senate Intelligence Committee and House Homeland Security Committee. The Senate Homeland Security Committee had advanced the proposal as standalone legislation in October.
Lawmakers say that with ample notification, incident responders could more quickly respond to attacks that have potentially devastating consequences, mitigating the fallout.
Other elements of the proposed language had remained unsettled, however.
A Republican-backed alternative amendment in the Senate, for instance, would’ve narrowed another element of the proposal, one requiring a broader set of companies to report within 24 hours when they made ransomware payments. Sen. Rick Scott, R-Fla.,had wanted the ransomware payment requirements to instead apply only to critical infrastructure owners, contending it was a potentially onerous burden to many businesses.
The senior Senate aide said that disagreement had been resolved, but didn’t provide the exact verbiage.
A second Senate aide blamed Senate Minority Leader Mitch McConnell, R-Ky. and Scott, saying Scott went around the usual process to press McConnell to hold up the original bipartisan proposal that emerged from the Senate Homeland panel.
“McConnell blocked these bipartisan provisions from being included in the final version of the NDAA during House and Senate negotiations,” the aide said. “We shouldn’t have needed a deal.”
A third congressional source familiar with the discussions said that Scott had wanted a vote on his proposal and as such didn’t want the Senate Homeland-approved version to be inserted into the NDAA. But a compromise offer between the two sides came at 11 p.m. on Monday. Not long after Scott signed off, NDAA sponsors announced the deal that excluded it. The source said they assumed the deal was left out because it happened late in the process.
Senate Homeland Chairman Gary Peters, D-Mich., said in a statement to CyberScoop that he would continue to press for passage of the reporting mandates.
“I am disappointed Senate Republican leaders blocked these commonsense provisions that have broad bipartisan support — including from the bipartisan leaders of the Senate Homeland Security and Intelligence Committees,” Peters said. “Cyber-attacks, including ransomware attacks, are one of the greatest threats to our national and economic security. We need urgent action to tackle the serious threat posed by cyber-attacks, and by blocking our bipartisan reforms, Senate Republican leaders are putting our national security at risk.”
Democrats on the House Homeland Security Committee likewise pointed the finger at Senate Republicans for the clock running out.
“There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today – well past the NDAA deadline,” said Chairman Bennie Thompson of Mississippi and New York’s Yvette Clarke, who leads the panel’s cybersecurity subcommittee. “We had hoped to mark the one-year anniversary of the discovery the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk. Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA.”
Spokespeople for Scott and McConnell did not immediately respond to requests for comment.
There were also some less significant hurdles that House and Senate negotiators had to rectify. For example, the Senate version of the proposal would require cyber incident reports for critical infrastructure companies within 72 hours. The House provision would direct CISA to determine a timeframe but restricting the agency’s ability to mandate anything swifter than 72 hours.
The aide said that with a compromise on the the incident reporting and ransomware payment proposal in hand, backers could try to advance the legislation via procedures in Congress allowing bills that are uncontroversial to advance quickly with a lesser vote threshold.
Like last year’s NDAA, this year’s final bill includes a dedicated section for cybersecurity provisions.
One such provision would require the Defense Department to develop a taxonomy for cyber capabilities.
“We are concerned with the inconsistent use of the term ‘cyber weapon’ within the Department of Defense,” reads a joint House-Senate explanation of the bill. Another provision would demand biennial updates of the cyber incident response plan, rather than the more current vague requirement for “regular” updates.
Updated, 12/7/21: Including a third congressional source, Peters’ response, and House Democrats’ response.