Congress is close to reaching a compromise on legislation that would mandate that certain critical infrastructure entities in the U.S. report cybersecurity incidents and a new bill could surface early in 2022, although when it would be passed is another matter, two lawmakers said on Wednesday.
“I think it’s one of the major pieces of unfinished business which we should be able to work through early in the new year, that’s my intention,” Sen. Angus King (I/D-Maine), one of the two co-chairs of the Cyberspace Solarium Commission, said on a conference call with reporters. Rep. Mike Gallagher (R-Wis.), the other co-chair, agreed with King, saying “I think we have a decent starting point for next year,” but added it won’t be easy.
With 2022 being a mid-term election year, Gallagher said not many bills are expected to be passed by Congress, suggesting that the annual National Defense Authorization Act (NDAA), which has been the legislative vehicle of choice for the commission’s recommendations to become law, will get hung up.
However, Gallagher said he’s unsure what other legislative vehicle would be an option.
While it would be best to have incident reporting legislation approved sooner rather than later, “I think we want the win regardless of whether it happens in the later stages of 2022,” he said.
The incident reporting bill was expected to be included in the recently passed NDAA fiscal year 2022 but King said it the provision was “derailed” near the finish line because one senator had an objection about the reporting of ransomware. Gallagher said these concerns were related to reporting requirements for small and medium-size businesses.
But progress has been made in the past few weeks.
“I think we’re close to a compromise on” the ransomware issue and “there’s plenty of room to find a middle ground that alleviates the concerns that certain members of Congress expressed about small and medium size businesses being adversely impacted by incident reporting,” Gallagher said.
He expects a final incident reporting bill would authorize the Department of Homeland Security to work with the private and public sector to identity the critical infrastructure entities that would be covered. He also said any information shared would likely be anonymized and eventually shared with the yet to be established Bureau of Cyber Statistics within the department.
After 30 months of operation, the congressionally-authorized Cyberspace Solarium Commission officially stood down on Tuesday as its charter expired. However, the 2.0 version of the commission will continue on its own under the auspices of the Foundation for the Defense of Democracies where Mark Montgomery, who served as executive director of the Blue-Ribbon panel, is a senior fellow and will continue to lead staff work.
A key ingredient of the commission was the fact that in addition to Gallagher and King, Reps. James Langevin (D-R.I.) and Patrick Murphy (D-Pa.) were also commissioners, giving the panel a higher stature within Congress. The commission also turned its recommendations into legislative proposals, helping to grease their path toward becoming laws.
So far, half of the commission’s 110 recommendations have become law or are working their way toward that end. The creation of the National Cyber Director within the White House earlier this year was one of the commission’s key recommendations as were a number of provisions to strengthen and elevate the status of DHS Cybersecurity and Infrastructure Security Agency and establish it as the key bridge between the federal government and the private sector.
Gallagher said that given momentum so far with the Cyberspace Solarium Commission there is plenty of uptake on cybersecurity within Congress as the panel transitions to a thinktank. He also said the 2.0 commission will be able to explore new issues such as government policy on the recovery of ransomware payments and encryption.
He also said that two major international hotspots, Ukraine and Taiwan, and cyber activities by Russia and China, respectively, around these countries, will keep cybersecurity top-of-mind with Congress. There will likely be debate around speeding up the “operational tempo and decision-making” around cyber operations, Gallagher said, adding that more has to be done to approve offensive cyber operations and discussing them to “enhance our deterrence in cyberspace.”
Supply chain issues have a lot of bipartisan interest and will remain a focus for cybersecurity challenges, Gallagher said.
Montgomery, who was also on the press call, said that the existing commissioners and a small staff will continue to work toward implementing the commission’s recommendations that haven’t become law yet. During the next two years, he said the 2.0 commission will work to continue publishing an annual scorecard on how Congress and the executive branch are doing in implementing the recommendations and put a strong focus on key areas such as the federal cybersecurity workforce, and the security of the water and maritime transportation sectors.
There will also be a website for the public to continue to track the recommendations and other reports, Montgomery said.