After a spate of cyberattacks and ransomware attacks on American companies and critical infrastructure providers since the start of the COVID-19 pandemic, lawmakers and members of the cybersecurity industry expressed shock and disappointment that mandatory cyber incident reporting was dropped from the conferenced version of the fiscal year (FY) 2022 National Defense Authorization Act (NDAA).
Disagreements over how the Senate should conduct its amendment process stalled progress on the bill; work resumed with a conference agreement reconciling the Senate-passed and House-passed versions of the bill. That bill passed the House Dec. 7 with no form of incident reporting included.
Observers saw the FY2022 NDAA – considered “must-pass” legislation by many in Congress – as the most likely vehicle for such legislation. The exclusion of the incident reporting policy, which has garnered bipartisan support in both chambers, as well as some support inside the industry, came as a disappointment to House Homeland Security Chair Rep. Bennie Thompson, D-Miss., and Rep. Yvette Clarke, D-N.Y., who chairs the subcommittee on Cybersecurity, Infrastructure Protection, and Innovation.
“There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” Reps. Thompson and Clarke said in a joint statement. “There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning [Dec. 7] – well past the NDAA deadline. This result is beyond disappointing and undermines national security.”
The version of the NDAA that made it through the House in September had included some mandatory cyber incident reporting, added to the bill through an amendment offered by Rep. Clarke. The legislation would have required the Cybersecurity and Infrastructure Security Agency (CISA) to develop a process for critical infrastructure operators to report incidents to a Cyber Incident Review Office to be established at the agency.
“We had hoped to mark the one-year anniversary of the discovery of the SolarWinds supply chain attack by sending cyber incident reporting legislation to the President’s desk,” Reps. Thompson and Clarke said. “Instead, Senate Republican leaders delayed things so significantly that the window closed on getting cyber incident reporting included in the NDAA.”
Mixed Reaction From Industry
After it became clear that cyber incident reporting in the NDAA was a dead proposition, there were mixed reviews from the industry side.
John Cofrancesco, VP of Business Development at cybersecurity firm Fortress Information Security, said he and his partner on the delivery side of the operation have been briefing the House and Senate Armed Services committees, as well as the White House, about the need for cyber incident reporting legislation, and expressed extreme disappointment that such warnings weren’t heeded.
“We are absolutely stunned that this got pulled out of the NDAA,” Cofrancesco said in an interview with MeriTalk. “To say it’s absolutely baffling might be an understatement because it just, I cannot conceive of why anybody would do this, and frankly, what they were asking in terms of reporting was really pretty thin.”
“When you have a cyber breach, it is obviously a jolting situation,” he added. “It is a hard situation to deal with, and frankly, some members of the Senate … have taken a stance that this was somehow going to inhibit small business or inhibited business. … It is just shocking that this was allowed to slip in this way.”
Others in the industry see mandatory reporting as just another rule that would raise the cost of compliance for small businesses, which are already struggling to keep up with the regulations placed on Defense Industrial Base (DIB) contractors, such as the Cybersecurity Maturity Model Certification (CMMC) program.
Tony Monell, who just began working as the Public Sector VP at Black Kite after spending the prior eight years in the Office of the Secretary of Defense, including stops as a cyber and defense policy advisor, tends to fall in line with that train of thought.
“Mandatory incident reporting could wind up hurting small-to-mid-tier companies,” Monell told MeriTalk. “Within the defense industrial base, nearly all firms in the third and fourth tiers of the supply chain, or about 74 percent of them are … smaller, according to the department’s contracting data. The unfortunate part about it is most of them don’t have dedicated cybersecurity professionals on staff.”
Instead, Monell sees collaboration between industry and the Federal government as the best way to improve the nation’s cyber posture.
“The executive order that was signed by President Biden actually compels the public sector to work closely with the private sector, in order to increase the cybersecurity posture and resilience of companies that are in support of the Federal government,” Monell added. “So, it is incumbent upon all of us to begin collaborating more frequently.”
Potential Next Steps
While not including mandatory reporting in the NDAA is widely seen as a step back for the legislation, the issue is not set to go away any time soon.
Reps. Thompson and Clarke have committed to continuing to look for a pathway to passage for the legislation, and have the support of House Speaker Rep. Nancy Pelosi, D-Calif., as well as committee Ranking Member Rep. John Katko, D-N.Y., and their counterparts on the Senate Homeland Security and Governmental Affairs Committee.
“We are profoundly disappointed that the momentum we had coming into the NDAA did not yield success but are fully committed to working across the aisle and with the Senate to find another path forward,” the lawmakers said in their statement. “We thank Ranking Member Katko, Chairman Peters, and Ranking Member Portman for their continued support on this matter. Also, Speaker Pelosi has been a steadfast partner throughout this effort and has already communicated her continued interest in working with us to get cyber incident reporting legislation to the President’s desk.”
Cofrancesco is more pessimistic about the potential for future standalone legislation on the issue, now that attaching it to next year’s NDAA is out of the question.
On the 80th anniversary of the Pearl Harbor attack, Cofrancesco said that the next major conflict will likely start in cyberspace, rather than the physical domain that we are used to. He noted that the lack of incident reporting in the must-pass legislation sends the wrong message to industry and adversaries.
“There are really only two or three subjects on which everybody tends to agree, and one of those subjects is we cannot allow ourselves to be vulnerable to cyberattack,” Cofrancesco noted. “There’s only one bill that gets passed every year, it’s the NDAA, and all that sort of mandatory, ‘this is how we maintain our way of life’ stuff goes into that bill. So, it is just an unbelievably terrible message to the industry.”