Senators Seek Future Legislative Vehicles for Cyber Language
Legislators plan to attach cyber incident reporting language to a legislative vehicle in the near future, Senate Homeland Security Committee Chairman Gary Peters, D-Mich., told us last week after bipartisan language was dropped from the National Defense Authorization Act (see 2112070067). The office for Sen. Rick Scott, R-Fla., denied Democrats’ claims that Republican “dysfunction” led to a bipartisan agreement falling apart last-minute.
“We absolutely have to get those provisions,” said Peters. “The cyber threat is real. It’s growing. We have to deal with it in a strong fashion." Lawmakers will have "other opportunities to move the legislation forward, and we’re focused on it," said Peters. He left open the possibility of passing a standalone bill.
“I’m very disappointed it was not included in the NDAA,” Senate Homeland Security Committee ranking member Rob Portman, R-Ohio, told us. “It clearly affects our national security. A lot of these attacks are state-sponsored. We know that. We at least know the malign actors are getting safe haven in countries that should be stopping them.” Portman hopes to pass legislation early next year. He noted the committee has made “all kinds of concessions to people, and we worked it all out. I’m very disappointed it wasn’t included.”
The Senate agreement included provisions from the Senate Homeland Security Committee, Senate Intelligence Committee and House Homeland Security Committee (see 2110060077). It was a “master agreement,” said Senate Intelligence Committee Chairman Mark Warner, D-Va. “I understand in the House, you’ve got to get it to the printer at some point. It’s frustrating, but hope springs eternal.” He noted the lack of amendment votes for this year’s NDAA. “This would have been a much easier process if we had amendments,” he said. “I think it overwhelmingly would have been approved, but” congressional “sausage-making” is “sometimes kind of ugly.”
House Homeland Security Committee Chairman Bennie Thompson, D-Miss., and Rep. Yvette Clarke, D-N.Y., blamed “dysfunction and disagreement stemming from Senate Republican leadership that was not resolved until ... well past the NDAA deadline.” Scott raised concerns about the language’s potential impact on small businesses and negotiated with Senate Majority Leader Mitch McConnell, R-Ky., on late changes. Assertions from House Democrats are “patently false,” a Scott aide told us. Scott “fought to ensure the scope of this new cybersecurity incident reporting law would be limited to critical infrastructure and not burden America’s small businesses. After hearing late on [Dec.6] that a deal had been reached to change the amendment and make Senator Scott’s proposed change, which was supported by [the Cybersecurity and Infrastructure Security Agency], we were surprised and disappointed to see it left out of the NDAA language released by the House.” McConnell’s office didn’t comment.
“I don’t believe that we ought to be telling businesses that they’re not critical infrastructure, that they need to be reporting something to some agency they’ve never heard of,” Scott told reporters. What was “important to me supposedly got changed. ... It’s my understanding they agreed to take that out.”
“I was very disappointed” the language was dropped, said Sen. Susan Collins, R-Maine, who worked closely with Warner and Senate Intelligence Committee members on their own bill before merging with Senate Homeland Security Committee efforts (see 2104140043). She noted she has been working on the issue since 2012, when she and then-Sen. Joe Lieberman, D-Conn., introduced the first cyber incident notification bill. “It’s something that’s desperately needed to help us prepare for inevitable attacks on our critical infrastructure,” said Collins.