FBI wants in on cyber reporting legislation

A top FBI cyber official told lawmakers on Tuesday that the bureau could face significant challenges addressing cyberattacks and ransomware incidents if it was not included in breach disclosure requirements being considered in legislation.


The FBI is looking to make sure it has a place in incident disclosure legislation currently being considered by Congress. A Senate bill that is expected to be attached to must-pass defense legislation puts the Cybersecurity and Infrastructure Security Agency (CISA) front and center when it comes to reporting requirements.

Bryan Vorndran, assistant director of the FBI's Cyber Division, told the House Committee on Oversight and Reform "the FBI won't be able to fully support" federal cyber initiatives unless companies are simultaneously required to report incidents to the bureau, in addition to CISA.

"I know there are several cyber reporting bills currently being considered, and I can't stress enough the importance of the FBI receiving full and immediate access to cyber incidents so we can act on them as soon as possible and in unison with our federal partners at CISA," Vorndran said on Tuesday. "The faster we get this information, the faster we can deploy a local cyber threat expert to a victim's door, track, freeze and seize funds taken and ultimately hold cyber criminals accountable."

Sens. Mark Warner (D-Va.), Susan Collins (R-Maine), Gary Peters (D-Mich.) and Rob Portman (R-Ohio) are planning to propose an amendment to the 2022 National Defense Authorization Act that would require infrastructure providers, federal contractors and other key private sector entities to report cyberattacks to CISA within 72 hours of discovery. The measure also provides for the disclosure, within 24 hours, of ransomware payments made to attackers by private and public entities.

CISA Director Jen Easterly previously told the Senate Homeland Security Committee in September that the reporting requirements would allow her agency to quickly "conduct urgent analysis and share information to protect other potential victims."

While Vorndran said his division was in "constant communication" with CISA and the office of the National Cyber Director, Chris Inglis, who also testified on Tuesday, he said the bureau could face hurdles immediately addressing cyber threats unless it was included in the requirements.

Vorndran, who serves at the FBI's nearly 20-year-old cyber division, called on the oversight committee "to make sure legislation explicitly empowers the agencies at the front lines of incident response."

"Cyber is the team sport, and the Department of Justice and the FBI are key players," he added. "It is time for legislation to reflect this reality."