Senator: Competing Cyber Incident Reporting Bills May Merge

Sen. Mark Warner, D-Va., said he may mix aspects of cybersecurity legislation he introduced over the summer—the Cyber Incident Notification Act—with related proposals in the House-passed National Defense Authorization Act.

The House legislation requires the Cybersecurity and Infrastructure Security Agency to develop rules for critical infrastructure owners to report cyber incidents, and would require those entities to report incidents. Industry has been more receptive to the House legislation, which allows companies more time to report incidents than Warner’s bill, which requires reporting within 24 hours of an incident.

In remarks made Tuesday at Amazon Web Services’ Public Sector Summit, Warner said he plans to merge his bill with the House legislation, though he expressed concerns over the reporting requirements.

“If you don’t report [an incident], there has to be some level of penalty,” Warner said. “One of my critiques of the House version is that there is a reporting requirement, but with no penalty at all, that is toothless.”

“I think we will come to a conclusion, and I have high hopes that this will be attached to the defense authorization bill,” Warner added.

Meanwhile, the Senate Homeland Security and Governmental Affairs Committee released additional cybersecurity legislation. The Cyber Incident Reporting Act, drafted by Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio, would require critical infrastructure operators to report cyberattacks within 72 hours to the Cybersecurity and Infrastructure Security Agency, or CISA. It would further require federal agencies and private sector organizations of more than 50 employees to report to the government any ransomware payments made within 24 hours of payment. 

The Peters and Portman legislation, which is designed to avoid scenarios that occurred during and after the Colonial Pipeline hack that impacted the East Coast energy supply line last spring, is similar to provisions in the House-passed National Defense Authorization Act, though the House legislation does not include a requirement to report ransomware payments. It similarly does not include fines for noncompliance, which top U.S. cyber officials recommend.