Senators look to defense bill to move cybersecurity measures

The Senate is eyeing the annual defense bill as a vehicle to attach critical provisions to improve the nation’s cybersecurity following a devastating year in which major attacks left the government flat-footed.  

The efforts are markedly bipartisan, a rarity for a Senate that is struggling to accomplish a long legislative to-do list before the holidays. 

“It’s a national security issue, really,” Senate Homeland Security and Governmental Affairs Committee ranking member Rob Portman (R-Ohio) told reporters Tuesday in regards to the inclusion of cybersecurity priorities in the 2022 National Defense Authorization Act (NDAA). 

Language around requiring critical organizations to report cyber incidents to the federal government, and timelines for doing so, has been a key issue hotly debated in recent months.

The push to give the Biden administration and Congress more visibility into the nation’s cybersecurity comes after a particularly difficult year that saw major disruptive attacks on companies including Colonial Pipeline and meat producer JBS USA.

Portman, along with Senate Homeland Security and Governmental Affairs Committee Chairman Gary Peters (D-Mich.), Senate Intelligence Committee Chairman Mark Warner (D-Va.) and Sen. Susan Collins (R-Maine), introduced an amendment to the NDAA earlier this month that would give critical infrastructure groups 72 hours to report cyber incidents. 

The amendment would give critical infrastructure groups, nonprofit organizations, state and local governments, and certain businesses 24 hours to report ransomware attack payments. It also includes language to update the Federal Information Security Modernization Act (FISMA) to clarify the roles of key agencies in responding to cyber incidents, another key bipartisan priority. 

“It’s got broad bipartisan support, and we are hoping to get it in this package,” Peters told The Hill Wednesday. “Of course, we’ve got negotiations and then the House, and we’ve been working with our House counterparts too.”

The House already approved its version of the 2022 NDAA in September, including a raft of measures in the defense package intended to strengthen the nation’s cybersecurity.

These included a bipartisan measure that would require the Cybersecurity and Infrastructure Security Agency (CISA) to determine requirements for critical infrastructure owners and operators to report incidents, with CISA required to give these groups no less than 72 hours to report.

Other language included was a provision to authorize a program at CISA to enhance industrial control systems’ cybersecurity and improve vulnerability reporting, among others.

Many of these measures were sponsored by Rep. Yvette Clarke (D-N.Y.), the chairwoman of the House Homeland Security Committee’s cybersecurity subcommittee, who stressed at a subcommittee hearing Wednesday her commitment to advancing the effort on mandatory reporting. 

“After many years of debate in Congress, I am confident that we will finally enact mandatory cyber incident reporting legislation as part of the National Defense Authorization Act,” Clarke testified. “It is my hope that greater information sharing in support of the administration’s whole of government approach to combating ransomware will help improve our visibility into the ransomware epidemic and enhance our ability to respond appropriately.” 

House Oversight and Reform Committee Chairwoman Carolyn Maloney (D-N.Y.), whose committee held a hearing on ransomware attacks this week, stressed to The Hill that it was essential to include a cyber incident reporting clause.

“No one is tracking the data of how many attacks there are. That is the first step to try to get some hold on it,” Maloney said Wednesday. 

Beyond cyber incident reporting, there is also support in the Senate to include legislation to enhance crackdown measures against malicious hackers.  

Sen. Sheldon Whitehouse (D-R.I.) announced at a Senate Judiciary Committee meeting on Tuesday that the International Cybercrime Prevention Act, which he sponsors alongside Sens. Lindsey Graham (R-S.C.) and Richard Blumenthal (D-Conn.), was likely to be added to the NDAA.

The bill would enhance criminal violations for hackers attacking critical infrastructure, such as power plants and hospitals, along with expanding the Justice Department’s ability to go after botnet groups that pose a violation of the Computer Fraud and Abuse Act.  

“I think it makes a lot of sense to include it, and I am a member of the Armed Services Committee, and I will be talking to colleagues on the committee about it,” Blumenthal told The Hill this week. “I think there will be strong bipartisan support.”

The inclusion of cybersecurity measures in the NDAA is nothing new, but the level of interest and amount of critical measures included is something that has turned a corner beginning last year, when more than two dozen recommendations from the bipartisan Cyberspace Solarium Commission (CSC) were included in the defense package. 

These included a provision establishing a national cyber director at the White House, a role that has since been filled by former National Security Agency Deputy Director Chris Inglis, and giving CISA the ability to subpoena internet service providers to release information on vulnerabilities in critical infrastructure organization networks.

“They are all getting bipartisan support. There are several important ones — incident reporting, joint collaborative environment — and then there are a number of others, but those are very important,” Sen. Angus King (I-Maine), a CSC co-chair, told The Hill of the new NDAA efforts Wednesday. “This is a very complex process. We’ve had to have clearances from multiple committees, both sides of the aisle, but I am cautiously optimistic.”

Despite the urgency of the moment in confronting cyberattacks — which have targeted schools, hospitals and the federal government over the past year — the NDAA is only inching forward in the Senate. 

That’s due at least in part to the kind of partisan fights that have been typical outside the world of cybersecurity.

The Senate was scheduled to vote on allowing debate on the defense package Wednesday, but the vote was canceled after Republicans threatened to block the bill due to the decision by Senate Majority Leader Charles Schumer (D-N.Y.) to include the U.S. Innovation and Competition Act in the NDAA. 

The Senate has a grueling schedule, with only a few weeks left to pass the NDAA in addition to addressing other items, including President Biden’s climate and social spending plan, the annual appropriations package, the debt ceiling and an election reform bill.  

Despite the time crunch, Peters expressed optimism around quickly pushing through the NDAA. 

“I expect we are going to be able to move on the NDAA in a hopefully expeditious way, that’s our goal, I have no reason to think it won’t move out of the Senate,” he said.