Is there a path forward in Congress for mandatory cyber incident reporting?

Rep. Yvette Clarke (D-N.Y.) at a protest in New York City in Jan. 2020. Erik McGregor/LightRocket via Getty Images

A group of lawmakers is seeking legislation that would require private companies to report cyber incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency, despite their efforts being derailed late last year.

A group of lawmakers is pushing to get cybersecurity incident reporting requirements signed into law as a top priority for Congress in 2022, after the provision was left out of the latest National Defense Authorization Act.

Rep. Yvette Clarke (D-N.Y.), chairwoman of the Subcommittee on Cybersecurity, Infrastructure Protection and Innovation, told FCW on Wednesday that she and her House colleagues are hoping to include mandatory reporting requirements in the "next available vehicle," and said she is confident a compromise can be reached with Senate counterparts in a debate that has persisted for over a year.

That debate, Rep. Clarke suggested, is now boiling down to a single question: Should Congress use a carrot or a stick when it comes to incentivizing private companies to report incidents and ransomware attacks to the Cybersecurity and Infrastructure Security Agency? 

"Some members on the Senate side believed that we need to have more of a stick," Clarke said. "We believe on the House side that we need to have more of a carrot to get real cooperation and engagement around incident reporting."

CISA chief Jen Easterly told a Senate panel in September that she supported fines as a compliance measure for companies that fail to notify in a timely fashion.

The 2022 NDAA includes several measures aimed at improving federal cyber posture and the ability to respond to cyber incidents, but the legislation did not include a mandatory reporting requirement sought in separate House and Senate bills. 

"I think there are good provisions in there, but it's just not enough," said Laura Brent, senior fellow at the Center for a New American Security. "It's good that so much made it into the NDAA, but we can't wait for the NDAA to pass all necessary cyber legislation, so I do hope there is effective standalone work on cyber incident reporting going forward."

The mandatory reporting requirements were left out of the NDAA following "dysfunction and disagreement stemming from Senate Republican leadership," House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) and Clarke said at the time.

Senate Minority Leader Mitch McConnell (R-Ky.) had blocked the provision after Sen. Rick Scott (R-Fla.) reportedly sought to limit the scope of incident reporting requirements to only include critical infrastructure entities. 

Sen. Scott's office did not respond to a request for comment. 

The FBI also seemed to push back against the reporting requirements as lawmakers debated the bill, saying the bureau could not "fully support" federal cyber efforts unless it was included in the mandatory reporting structure along with CISA. 

Bryan Vorndran, assistant director of the FBI's Cyber Division, said on Thursday at a Silverado Policy Accelerator event that he was hoping for legislation that provides the FBI with "real-time and unfiltered access to incident information that is reported to CISA."

"That could likely be accomplished in a few words or a sentence in proposed legislation," he added.

With recently discovered major cyber risks like the Log4j vulnerability threatening an expanding range of industries and private institutions, CISA has also been pushing for Congress to pass mandatory incident reporting legislation.

A CISA spokesperson said in a statement that, while the agency is not currently tracking any confirmed incidents impacting critical infrastructure entities directly related to Log4j, "the federal government simply does not have the level of information it needs to definitively understand the breadth or nature of intrusions occurring across the country, including as a result of this severe vulnerability." 

"A cybersecurity incident reporting law would ensure CISA and our partners receive timely information about successful exploitation of critical infrastructure networks quickly after they are discovered," the statement continued, "enabling us to help victims mitigate the effects, stop the spread to additional victims, and better track the size, scope, and scale of adversary campaigns to exploit widespread vulnerabilities like Log4j."

It remains unclear what vehicle lawmakers intend to use to pass mandatory reporting requirements. Rep. John Katko (R-N.Y.), who also spoke at the Silverado event on Thursday, suggested the reporting requirements could be added to any number of bills, including a full fiscal year 2022 spending bill, if one is ever brought up for a vote.

An aide to Sen. Gary Peters, who introduced the bipartisan Cyber Incident Reporting Act in September of last year, said on Wednesday: "All options are on the table. We need to get this done."