The House passed the National Defense Authorization Act Tuesday, and it is set to advance to the Senate. But it omitted a key cyber rule: mandatory incident reporting.
The National Defense Authorization Act for FY2022 was the best avenue for passing cyber legislation in Congress. Industry, the Department of Homeland Security and federal law enforcement agencies expected the provision to pass, but it fell short in Congress.
The House passed the NDAA Tuesday, and it is set to advance to the Senate. But it omitted a key and highly anticipated cyber rule: mandatory incident reporting.
“There were intensive efforts to get cyber incident reporting done but ultimately the clock ran out on getting it in the NDAA,” Rep. Bennie Thompson, D-Miss., and Rep. Yvette Clarke, D-N.Y., said in a statement Tuesday.
“This result is beyond disappointing and undermines national security,” the representatives said. 
Federal agencies expected incident reporting to improve and transform data analysis, information sharing, ransom fund recovery, and the ability to hold threat actors accountable. With its exclusion from the NDAA, companies are again waiting for what was a highly anticipated — and expected — policy.
The revised NDAA rules from the House give private industry more space to collaborate with the government, and potentially shape the expectations of incident reporting. 
“I think the take on this is a good intention,” and it provides the government flexibility in developing reporting requirements, said Kenneth Frische, director of cybersecurity and risk services for 1898 & Co. Other cyber components in the NDAA, such as the national cybersecurity exercise program, are an opportunity for CISA and other government agencies to refine the cybersecurity needs of the 16 critical infrastructure sectors. Enforcement requirements would then need to be codified, he said.
Congress missed the deadline to include the cyber provision in the NDAA because of pushback against what sectors the rule should apply to. 
Sen. Rick Scott, R-Fla., wanted to revise the rule to only apply to critical infrastructure, CyberScoop reported. His goal was to “not burden America’s small businesses,” a spokesperson for the senator said in a statement to The Hill. “We were surprised and disappointed to see it left out of the NDAA language released by the House.” 
The majority of critical infrastructure is owned by private industry, so owners and operators have as much stake in protecting their assets as the federal government does.
Because cyberattacks on critical infrastructure could potentially escalate to loss of life, “timely notification plays a crucial role in restricting the scale of an attack,” said Marcus Fowler, director of strategic threat at Darktrace.
“Cybersecurity is fundamentally a bipartisan issue, but politics can sometimes taint the waters,” he said. For Fowler, the U.S. needs a standalone law separate from the NDAA.
As more attention is given to cybersecurity, companies are adjusting their strategies to comply with new mandates while anticipating future ones.
When it comes to cyber legislation, the biggest concern is complexity, not the number of laws, and incident reporting has been on everyone’s mind. Several members of Congress drafted their own bills, originating in committees ranging from the Senate Intelligence Committee to the Senate Homeland Security and Governmental Affairs Committee.
Federal agencies have issued directives, too. The Transportation Security Administration’s (TSA) recent cybersecurity directives for the rail and airline industries require owners and operators to comply with a 24-hour reporting requirement. Other industries, including banking, have reporting requirements as well.
But the lack of a federal mandate leaves gaps in threat intelligence and information sharing. 
Ross Rustici, managing director at TurnStone, is cognizant of “a short-fuse reporting deadline” that could divert “valuable resources away from incident response action to ensure the notification is correctly drafted and submitted per guidelines.” Now is the time for CISA or the national cyber director to engage with industry stakeholders. 
“To effectively craft reporting requirements would be predicated on first aligning the different government agencies,” Rustici said. 
While CISA and the FBI maintain that companies can report incidents to either agency and they will communicate it to each other, a reporting mandate has to also align with other government agencies, according to Rustici. “Without first quelling this oversight disagreement … requiring companies to report to the government would lead to confusion and undermine many of the net benefits that such an authorization is intended to have.” 
Depending on the industry, companies are already required to follow cybersecurity frameworks and standards. A new mandate “adds to the cost and complexity of security with a questionable reduction in risk,” said Brad Medairy, EVP at Booz Allen Hamilton. CISA and NIST would take the lead on the desired standards.
Prior to Tuesday, incident- and ransomware-specific bills had the best chance of becoming law by way of next year’s NDAA, just as cyber provisions were included in last year’s NDAA for FY2021.
“The NDAA ends up being the writer for the cybersecurity bills because it ultimately becomes the only piece of legislation that’s guaranteed to be done,” Stacy O’Mara, director of government affairs at Mandiant, said. 
O’Mara can see the potential for an NDAA-like, annual, single bill specifically for cybersecurity. It would be ideal for this theoretical cybersecurity bill to get “into the same habits as the NDAA so that it enjoys the same process that the Defense Department sees,” she said. 
However, the NDAA is overseen by the House and Senate Armed Services Committees, whereas more than 80 committees have jurisdiction over cyber.
Subscribe to Cybersecurity Dive for top news, trends & analysis