Senate Considering Several Cyber Measures in Annual NDAA
Lawmakers Debate Incident-Reporting Mandate, Update to Federal Cyber Rules
Following the holiday recess, U.S. lawmakers are picking up several legislative priorities, including progress on the annual defense spending bill, which in recent years has become a vehicle to advance previously stagnant cybersecurity bills.
The National Defense Authorization Act, or NDAA, for Fiscal Year 2022, which passed the House in September, is currently being debated in the Senate, with amendments that would impose a federal incident-reporting measure, along with codifying interagency cyber rules via an update to the Federal Information Security Management Act, or FISMA, last amended in 2014.
For some security experts, the spending bill is a viable tool to advance key legislation. James A. Lewis, senior vice president at the Center for Strategic and International Studies, says, "Since NDAA is one of the few bills that has a chance of passing, tagging cybersecurity to it is better than doing nothing."
Other experts, however, remain concerned over key provisions being passed as part of the package.
"[Cyber] policies legislated through NDAA amendments are certainly not subject to the same diligence and review that would be present in stand-alone legislation," says Jake Williams, a former member of the National Security Agency's elite hacking team. "Some of these policies are likely to have unseen second- or third-order impacts."
Earlier this month, Sens. Gary Peters, D-Mich.; Rob Portman, R-Ohio; Mark Warner, D-Va.; and Susan Collins, R-Maine, introduced a bipartisan amendment to the NDAA that would require critical infrastructure owners and operators and civilian federal agencies to report to the Cybersecurity and Infrastructure Security Agency if they experience a cyberattack, and would require most entities to report if they make a ransomware payment. The amendment, which has met some Republican pushback, is based on legislation previously authored by Peters and Portman.
The amendment would require critical infrastructure owners and operators to report to CISA within 72 hours if they are experiencing a substantial cyberattack. Other organizations - including businesses, nonprofits, and state and local governments - would also be required to report to the federal government within 24 hours if they make a ransom payment. The requirement excludes only individuals and some small businesses.
"This bipartisan amendment will take significant steps to strengthen cybersecurity protections," Peters said earlier this month. "[It will] ensure that CISA is at the forefront of our nation’s response to serious breaches, and most importantly, requires timely reporting of these attacks to the federal government so that we can better prevent future incidents and hold attackers accountable for their crimes."
Proponents of an incident-reporting mandate say it will allow CISA and federal cybersecurity leaders to gain much-needed visibility into attack trends, particularly around ransomware - which has seen a meteoric surge throughout 2021.
A competing amendment on incident reporting has been put forward by Sen. Rick Scott, R-Fla. Under this proposal, federal contractors and infrastructure owners/operators would be subject to a 72-hour incident-reporting requirement to CISA, and the same parties would also be required to report ransom payments within 24 hours. Its payment requirement excludes small- and medium-sized businesses.
Scott's amendment, which limits the scope of other versions, was not adopted when considered in October within the Homeland Security and Governmental Affairs Committee, chaired by Peters. Several Republican lawmakers have voiced concern around broader reporting mandates for certain industries.
Counter to National Interests?
Williams, who is the co-founder and CTO of the security firm BreachQuest, says limiting reporting requirements could have serious downstream effects.
"While it may seem like excluding SMEs from cybersecurity reporting requirements is the right thing to do, we've observed numerous examples of these same SMEs being used in supply chain attacks to target larger organizations," he says. "The lack of debate and public review [here] is likely to run counter to our nation's ultimate cybersecurity interests."
And Lewis, who directs CSIS' Strategic Technologies Program, says of the notification windows: "I would have skipped a shorter deadline for ransomware - that's the flavor du jour - and made it 24 hours for attacks on critical infrastructure. That's where quick notice is needed."
Leaders at CISA and the FBI have been vocal in recent months on their collective inability to draw conclusions on cyberattack frequency, with only about one-quarter of incidents being reported, they say (see: CISA Leader Backs 24-Hour Timeline for Incident Reporting).
FISMA Update, Other Measures
Last week, an update to FISMA backed by Sens. Peters and Portman was removed from an NDAA amendment, though the senators continue to push for its inclusion.
The lawmakers aim to modernize FISMA to address cybersecurity developments - including the formation of CISA and the Office of the National Cyber Director, now filled by Chris Inglis.
Their intended reforms to FISMA would solidify CISA as the federal civilian agency security lead; tie Inglis' office together with the Office of Management and Budget, or OMB, on policy issues; ensure the timely delivery of cyberattack information to key congressional committees; codify portions of President Joe Biden's May executive order on cybersecurity; and advance penetration testing for federal civilian networks.
An NDAA amendment from Sen. Angus King, I-Maine, based on recently introduced legislation, would set a five-year term limit for the director of CISA and codify hiring authorities for Inglis' Office of the National Cyber Director. It would also create a cloud-based information-sharing initiative called the "cyberthreat information collaboration environment" - established by the director of CISA, the director of national intelligence, the secretary of defense, and the attorney general.
Other amendments being considered include, in part:
- A proposal from Sen. Maggie Hassan, D-N.H., to allow the secretary of defense to create public-private partnerships on the advancement of quantum technology;
- Another Hassan-authored amendment, which would allow CISA to provide support services to critical infrastructure providers;
- A measure from Sen. Bob Menendez, D-N.J., to create a registry of state sponsors of cybercrime and to impose sanctions in the wake of attacks.
Last year, Sen. King and Rep. Mike Gallagher, R-Wis., who co-chair the Cyberspace Solarium Commission, said 25 recommendations from the commission landed in more than two dozen provisions of the 2021 NDAA.
Millions of dollars in additional funding for CISA is also tied up in the Build Back Better package, which was passed by the House and is up for debate in the Senate.
The physical infrastructure bill signed into law earlier this month also contains nearly $2 billion in new cybersecurity funding for the federal government, including a $1 billion grant program and $100 million for a Cyber Response and Recovery Fund, among other features (see: Infrastructure Bill Features $1.9 Billion in Cyber Funding).
This article has been updated to include additional commentary.