Communications Litigation Today was a Warren News publication.
A ‘Burning Imperative’

Congress Divided on Cyber Bills Even With Momentum

Congress has more momentum for passing mandatory cyber reporting requirements than ever, but the two chambers face an uphill climb in reconciling specifics, experts told us.

A bipartisan group of senators introduced an amendment to the National Defense Authorization Act earlier this month that would require critical infrastructure operators and agencies to report major cyber incidents to the federal government (see 2111050057). House Homeland Security Committee Chairman Bennie Thompson, D-Miss., said he’s optimistic the House will pass his bipartisan mandatory cyber reporting bill, whether attached to the NDAA or not (see 2111030063).

With recent breaches, from SolarWinds and Colonial Pipeline to Kaseya, the government has a “burning imperative to do something,” said Dentons’ Allison Bender, an adjunct law professor at Georgetown University. Legislation “seems to have bipartisan support in both houses,” she said. The “devil is always in the details. There are many things that could happen” with the NDAA, but passage is “more likely than it has ever been.”

There’s more momentum than ever, particularly for critical infrastructure reporting, said Davis Wright’s Michael Borgia: “There is some amount of consensus” from lawmakers, regulators and industry that “there needs to be stronger legal requirements around cybersecurity for critical infrastructure. Obviously, there are many debates on what that should be.”

Cybersecurity and Infrastructure Security Agency Director Jen Easterly and National Cyber Director Chris Inglis defended the value of industry reporting incidents to the federal government last week. They will testify again Tuesday before the House Oversight Committee, along with FBI Cyber Division Assistant Director Bryan Vorndran.

Industry representatives appeared to favor the House version over what was initially introduced in the Senate, said Borgia, but the two bills are getting closer. Both bills would give critical infrastructure entities and agencies 72 hours to report incidents to CISA, similar to the rules under the EU General Data Protection Regulation. The Senate version also includes a requirement that entities report ransomware payments within 24 hours. That difference will need to be ironed out, as will the definitions of covered incidents and critical infrastructure operators. The Senate version directs the CISA director to define “covered cyber incident” through a rulemaking. Initial Senate language included reporting requirements for potential “cyber intrusions,” while the House version includes requirements only for confirmed incidents involving loss of confidentiality, integrity or other serious business impacts. “That’s a really big difference,” said Borgia.

The likelihood of passing some form of mandatory reporting requirement is “greater than ever before, but that’s not saying much,” said Steptoe’s Michael Vatis. “I’ve watched Congress repeatedly fail to pass meaningful legislation” for 20 years, “so I’ve learned not to get too excited.” It’s encouraging to see Congress look beyond personal data and consider critical infrastructure attacks, he said. Mandatory reporting would be helpful, but “continued reluctance” to set minimum cyber requirements through regulation, other than for isolated industries, indicates Congress continues to “underestimate the scope of the problem and misapprehend what is necessary to make us less vulnerable to devastating attacks,” he said.

Stakeholders are following closely to see how Congress acts here, said Bender. That includes specifics about how critical infrastructure entities must report, penalties for self-reporting and appeals for penalties.

Legislation should allow the Department of Homeland Security the flexibility to adjust reporting levels, said James Lewis, of the Center for Strategic and International Studies. Conversations with senior U.S. officials suggest thresholds are the key issue, he said: “Too low and you get a lot of chaff, too high and you get nothing.” Lewis sees the time requirements as less important, though he said shorter windows are better.

GAO recommended Friday the Department of Education meet with CISA to figure out how to update sector-specific cyber plans for education. “The plan should assess and prioritize federal actions to assist K-12 schools in protecting themselves from cyberattacks,” GAO said. The department concurred with the recommendations.