The National Defense Authorization Act for FY2022 was the best avenue for passing cyber legislation in Congress. Industry, the Department of Homeland Security and federal law enforcement agencies expected it to carry a mandatory incident reporting provision, but the bill fell short in Congress.
The House passed the NDAA Tuesday, and it is set to advance to the Senate. But it omitted a key and highly anticipated cyber rule: mandatory incident reporting.
"There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA," Rep. Bennie Thompson, D-Miss., and Rep. Yvette Clarke, D-N.Y., said in a statement Tuesday.
"This result is beyond disappointing and undermines national security," the representatives said.
Federal agencies expected incident reporting to improve and transform data analysis, information sharing, recovery of ransom payments, and efforts to hold threat actors accountable. With its exclusion from the NDAA, companies are again waiting for a policy that was both highly anticipated and widely expected.
The revised NDAA language from the House gives private industry more room to collaborate with the government, and potentially to shape what incident reporting will be expected to look like.
"I think the take on this is a good intention," and it gives the government flexibility in developing reporting requirements, said Kenneth Frische, director of cybersecurity and risk services for 1898 & Co. Other cyber components in the NDAA, such as the national cybersecurity exercise program, give CISA and other government agencies an opportunity to refine the cybersecurity needs of the 16 critical infrastructure sectors. Enforcement requirements will then need to be codified, he said.
Missed opportunity
Congress missed the deadline to include the cyber provision in the NDAA because of pushback over which sectors the rule should apply to.
Sen. Rick Scott, R-Fla., wanted to revise the rule to apply only to critical infrastructure, CyberScoop reported. His goal was to "not burden America's small businesses," a spokesperson for the senator said in a statement to The Hill. "We were surprised and disappointed to see it left out of the NDAA language released by the House."
The majority of critical infrastructure is owned by private industry, so owners and operators have as much stake in protecting their assets as the federal government does.
Because cyberattacks on critical infrastructure could potentially escalate to loss of life, "timely notification plays a crucial role in restricting the scale of an attack," said Marcus Fowler, director of strategic threat at Darktrace.
"Cybersecurity is fundamentally a bipartisan issue, but politics can sometimes taint the waters," he said. For Fowler, the U.S. needs a standalone law separate from the NDAA.
As more attention is given to cybersecurity, companies are adjusting their strategies to comply with new mandates while anticipating future ones.
When it comes to cyber legislation, the biggest concern is complexity, not the number of laws, and incident reporting has been on everyone's mind. Several members of Congress, from the Senate Intelligence Committee to the Senate Homeland Security and Governmental Affairs Committee, drafted their own bills.
Federal agencies have issued directives, too. The Transportation Security Administration's (TSA) recent cybersecurity directives for the rail and airline industries require owners and operators to comply with a 24-hour reporting requirement. Other industries, including banking, have reporting requirements of their own.
But the lack of a federal mandate leaves gaps in threat intelligence and information sharing.
Ross Rustici, managing director at TurnStone, is mindful of "a short-fuse reporting deadline" that could divert "valuable resources away from incident response action to ensure the notification is correctly drafted and submitted per guidelines." Now is the time for CISA or the national cyber director to engage with industry stakeholders.
"To effectively craft reporting requirements would be predicated on first aligning the different government agencies," Rustici said.
While CISA and the FBI maintain that companies can report incidents to either agency and they will communicate it to each other, a reporting mandate has to also align with other government agencies, according to Rustici. "Without first quelling this oversight disagreement … requiring companies to report to the government would lead to confusion and undermine many of the net benefits that such an authorization is intended to have."
Businesses are spending large amounts of resources to satisfy dozens of security frameworks and standards, said Brad Medairy, EVP at Booz Allen Hamilton. The compliance-based approach to security "adds to the cost and complexity of security with a questionable reduction in risk." For Medairy, having guidance from NIST and CISA supersede the requirements of individual government agencies would make it easier for organizations to keep up with existing and new cyber rules and regulations.
"The sweet spot" would be if the federal government can establish a breach notification law, and a standard framework with flexibility built in for industry-specific risks, he said.
Prior to Tuesday, incident- and ransomware-specific bills had the best chance of becoming law by way of next year's NDAA, just as cyber provisions were included in last year's NDAA for FY2021.
"The NDAA ends up being the writer for the cybersecurity bills because it ultimately becomes the only piece of legislation that's guaranteed to be done," Stacy O'Mara, director of government affairs at Mandiant, said.
O'Mara can see the potential for an NDAA-like, annual, single bill specifically for cybersecurity. It would be ideal for this theoretical cybersecurity bill to get "into the same habits as the NDAA so that it enjoys the same process that the Defense Department sees," she said.
However, the NDAA is overseen by the House and Senate Armed Services Committees, whereas more than 80 committees have jurisdiction over cyber.
Correction: This article has been updated to add context to Brad Medairy's view of overlapping cybersecurity regulations, and the need for one cybersecurity framework.