Bipartisan legislation requiring critical infrastructure entities to report cyber incidents affecting their networks to the federal government was excluded from a final defense authorization bill.
Similar cyber incident reporting bills were introduced in the House and Senate this year and would have required owners and operators of critical infrastructures to report cyber incidents within 72 hours of an attack being discovered. Momentum for mandatory cyber incident reporting gathered steam in the wake of a ransomware attack in May against the information networks of Colonial Pipeline, which proceeded to temporarily shut down its pipeline operations to ensure the malware didn’t infect its operational networks.
The shutdown of pipeline operations led to brief fuel shortages along the East Coast and Mid-Atlantic states, previewing the potential crippling effects a successful cyber-attack could have against businesses and other entities that provide critical products and services to the nation’s economy.
Top cybersecurity officials in the Biden administration had advocated for the legislation, saying that mandatory reporting would provide awareness and insight into attacks and make it easier to quickly warn other organizations of new threats.
Proponents of the legislation had worked to get it included in the fiscal year 2022 National Defense Authorization Act (NDAA). The House previously passed its version of the NDAA with the cyber reporting provision.
“There were intensive efforts to get cyber incident reporting done but ultimately the clock rand out on getting it in the NDAA,” a Reps. Bennie Thompson (D-Miss.) and Yvette Clarke (D-N.Y.), the respective chairs of the House Homeland Security Committee and its Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation, said in a joint statement on Tuesday. “There was dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until mid-morning today, well past the NDAA deadline. This result is beyond disappointing and undermines national security.”
Thompson and Clarke said they will continue to work with Republicans and “with the Senate to find another path forward.” They also thanked Rep. John Katko (R-N.Y.), the ranking member on the committee for his support, and Sens. Gary Peters (D-Mich.) and Rob Portman (R-Ohio), the chairman and ranking member, respectively, of the Senate Homeland Security and Governmental Affairs Committee, who introduced a similar bill in the Senate.