Senate Homeland Security Cyber Reporting Backing Sought
Senate Intelligence Committee leaders are negotiating with the Homeland Security and Governmental Affairs Committee (HSGAC) over a cyber legislative package in response to the recent flurry of high-profile attacks on U.S. businesses and government, leaders from both committees said in recent interviews. They are discussing potential inclusion of a bill that would require agencies, contractors and critical infrastructure operators to report cyberhacks within 24 hours of discovery (see 2107210023), said lead sponsor and Intelligence Committee Chairman Mark Warner, D-Va. He’s in conversation with HSGAC Chairman Gary Peters, D-Mich., and ranking member Rob Portman, R-Ohio, “in support” of their cyber work, he told us.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
The Cyber Incident Notification Act, from Warner, Vice Chairman Marco Rubio, R-Fla., and Sen. Susan Collins, R-Maine, is under HSGAC jurisdiction. Warner said legislators are taking time to get more bipartisan sponsorship and talk with business groups about mandatory cyber reporting. “I don’t want to overstate this endemic cyber problem, but this is a real-time, common sense, immediate thing to do,” he said.
Sen. John Cornyn, R-Texas, was one of the original negotiators on the cyber reporting bill (see 2103040066) but didn’t endorse the legislation when it was introduced. Asked about Cornyn’s lack of endorsement, Warner said legislators are working through business concerns.
“It wasn’t any disagreement over the merits of what they’re trying to do,” Cornyn told us. “It’s really more or less a jurisdictional matter and trying to reconcile the differences. I’d like to get a bill that enjoys broad consensus and can easily pass out of the HSGAC and then the floor.” He’s “certainly open” to attaching the bill to HSGAC legislation. He noted recent Judiciary Committee testimony from Department of Homeland Security and FBI witnesses (see 2107270067) about “importance of notification because they don’t have a complete picture about what the cyber threats are.” People want specificity when determining what's an incident, but Congress shouldn’t write something that can't keep pace with cybersecurity norms, said Warner.
HSGAC is drafting legislation, negotiating with Warner and co-sponsors and talking with House counterparts about other cyber bills, Peters told us: “So there’s a lot of people working on it, and our hope is to pull it together and be able to move a bill that incorporates a lot of what people are working on.” Mandatory reporting is one item “we’re discussing now and how that would possibly work, but we’re looking at a variety of other ideas,” said Peters. “There’s no question we need to have more visibility as to exactly what’s happening.”
About 25% of ransomware intrusions are reported, Cybersecurity and Infrastructure Security Agency Executive Assistant Director-Cybersecurity Eric Goldstein told the Senate Judiciary Committee last week. There are questions about confidentiality, liability protections and public-private initiatives, Warner told us when negotiations began over the legislation. Warner’s bill has support of all Senate Intelligence members except Ron Wyden, D-Ore.; Tom Cotton, R-Ark.; and Cornyn. Offices for Rubio, Portman and Collins didn't comment Monday.