White House backs bill requiring mandatory cyber reporting to CISA amid Ukraine crisis
The White House has come out in full support of a bill requiring hospitals, power plants, water utilities, airports and other critical infrastructure to report cyber attacks to the Department of Homeland Security within 72 hours.
The move comes amid the escalating war in Ukraine and concerns of possible Russian cyber threats to the U.S.
In a statement confirming the White House's support, a spokesperson said the legislation is "a part of the Administration's comprehensive effort to modernizing America's cyber defenses and complements the President's efforts to improve cybersecurity."
The White House underscored that the bill will "ensure the Federal government rapidly receives information about cyber incidents affecting critical infrastructure which provide the essential services on which Americans rely," enabling the government to "better investigate, mitigate, and further prevent cyber-attacks."
Yet in its statement, the White House left the door open to future changes, indicating it "remains committed to working with the House, and exploring all options, to ensure that the legislation enables all relevant Federal agencies to receive and process these incident reports as quickly as possible to carry out their cybersecurity missions."
The statement came after top Justice Department officials claimed that failing to include the FBI in a bill requiring infrastructure companies to tell the government when they are hacked makes the country less safe, clashing with decisions made by Democrat-led committees.
That criticism has taken lawmakers and congressional staffers by surprise, after the Senate Homeland Security and Government Affairs Committee worked for months alongside the FBI and Department of Justice to craft cyber incident reporting legislation, according to Senate committee aides. The bill passed with rare unanimous support in the Senate on Tuesday, just 24 hours after Homeland Security Secretary Alejandro Mayorkas urged lawmakers to act fast amid an escalating Ukraine-Russia crisis, as cyber threats loom over the U.S. homeland.
Deputy Attorney General Lisa Monaco said the bill "as drafted leaves one of our best tools, the FBI, on the sidelines and makes us less safe at a time when we face unprecedented threats," and added the bill could be a "game changer" with the right changes.
"I applaud the momentum we're seeing toward mandatory breach reporting, but the current, well-intentioned bill has some serious flaws," FBI Director Christopher Wray said in a statement. "In its current form, it would make the public less safe from cyber threats – slowing aid to victims, hampering identification of other companies the same attackers are targeting, and undercutting disruption operations against cyber threats."
Politico was the first to report on the Department of Justice and FBI's criticism of the bill.
Congress has been working on the Strengthening American Cybersecurity Act for the better part of a year. Senate aides made more than a dozen changes to address the concerns of the FBI and DOJ in recent weeks. After FBI officials first objected to an earlier iteration of the bill in November, lawmakers added language that requires the Cybersecurity and Infrastructure Security Agency (CISA) to share incident reports with other agencies "as soon as possible but no later than 24 hours" after receiving them.
Legislators also added a subsection to the bill granting the president – or a designee, such as the National Cyber Director – the power to set a deadline shorter than 24 hours. According to a Senate aide, that loophole could allow the FBI to receive contemporaneous access to all reports received by CISA, if greenlit by the White House.
In response to a request by the FBI and DOJ, committee members also mandated consultation with the agencies during the rulemaking process.
Despite the concessions, the committee received a second round of changes requested by the DOJ and FBI on Wednesday, following passage of the bill on Tuesday.
"This is the direction Congress wants to go," a Senate committee aide told CBS News. "These guys are undermining national security over a bureaucratic turf war," the aide added, in reference to the FBI and DOJ.
The FBI, Department of Homeland Security and the Justice Department all see the legislation as critical in fighting back against cyber attacks. The DOJ and FBI want changes to ensure both DHS and the FBI are notified, not just DHS. The agencies also want to give businesses protection from their records being discovered through the Freedom of Information Act, which allows members of the public to request records. U.S. officials advocating for the changes proposed by the DOJ and FBI tell CBS News they view them as relatively minor.
But at public hearings and behind closed doors, critical infrastructure operators and lawmakers alike have expressed confusion over where incidents should be reported in the case of a major cyber breach. Notably, in May 2021, acting Director of CISA, Brandon Wales, told Senator Rob Portman of Ohio during a public hearing that CISA was notified of the Colonial Pipeline breach only after the FBI brought them into the investigation.
Tuesday's passage of the cyber incident reporting bill by the Senate marks a long-awaited victory following several setbacks. The bill is championed by Homeland Security Committee Chair Gary Peters of Michigan and Portman.
On Monday night, DHS Secretary Alejandro Mayorkas appeared before lawmakers at the classified all-Senators briefing on the ongoing Ukraine-Russia crisis. Pressed about what Congress could do to support the federal government's ongoing efforts to safeguard the homeland, Mayorkas urged senators to pass the cyber incident reporting bill, as businesses and organizations ready themselves for the possibility of Russian cyber aggression or retaliation.
The Department of Justice and FBI's statements came as a shock to lawmakers and congressional aides following months of deliberations and amid a heightened cyber threat environment.
"The suggestion that passing the first requirement to report cyber-attacks on critical infrastructure would make us less safe is completely false," said Jay Bhargava, a spokesperson for Chairman Peters in a statement to reporters. "The requirement created in this bill will – for the first time ever – ensure that the federal government is getting timely information about substantial cyber-attacks so that they can take swift action to mitigate the damage and prevent ripple effects that threaten our national and economic security.
"The FBI and DOJ were consulted for months, changes were made to the bill to address their concerns – and 100 Senators came together and passed this bill unanimously to move forward with the most significant update to American cybersecurity defenses in our nation's history," Bhargava added.
Kylie Nolan, a spokesperson for Portman, told CBS News the bill "reflects changes from DOJ and FBI as well as many others to obtain the broad support it currently enjoys across government and the private sector."
Nolan called protests issued by the Justice Department and FBI "shameful," noting they "are out of sync with the rest of the country including, it seems, the Biden administration that they work for."
The FBI and Justice Department had expressed their discontent with the cyber reporting mandate to CISA before the Oversight Committee. In November, Bryan Vorndran, head of the FBI's Cyber Division, said the agency was "troubled" that cyber incident reporting legislation "does not explicitly account for the essential role that federal law enforcement, and notably the Department of Justice and the FBI, plays in receiving cyber incident reporting and actioning the information to assist victims and impose risk and consequences on cybercriminals."
Despite the ongoing debate, the bill is likely to be greenlit by the House and pass into law.
A spokesperson for House Homeland Security Committee chair Bennie Thompson told CBS News in a statement, "We take issue with how the DOJ and FBI are characterizing the bipartisan, bicameral agreement on cyber incident reporting."
"The legislation would ensure that the federal government has timely access to information regarding cyber incidents to help identify malicious cyber campaigns early and enhance situational awareness within the government and private sector in a way that protects privacy, civil rights, or civil liberties," the spokesperson added.
Congressman Andrew Garbarino, ranking member of the House homeland cybersecurity, infrastructure protection and innovation subcommittee, said that pending legislation to address cyber incident reporting "has been in the works for close to a year with many opportunities to field concerns from public and private sector stakeholders."
"As the lead federal civilian cybersecurity agency, CISA is best equipped to collect incident reporting data and share with the appropriate federal partners in a manner that will prevent cascading impacts across all 16 U.S. critical infrastructure sectors," he added. "I look forward to working with my colleagues to get this bill across the finish line as soon as possible. We cannot afford to sit on the sidelines as the cyber threat landscape grows increasingly complex with threats from Russia and other foreign adversaries."
DHS' under secretary for policy Rob Silvers has repeatedly called cyber incident reporting the Biden administration's "top legislative priority in cybersecurity for 2022."