New CRS report compares selected bills addressing cyber incident reporting


A Congressional Research Service (CRS) report released on Monday provides a side-by-side comparison of selected bills introduced in the 117th U.S. Congress in the aftermath of a spate of cybersecurity incidents and attacks on the nation’s critical infrastructure sectors. The bills also address the cyber incident reporting requirements that would have to be adopted.

Members of Congress introduced legislation seeking to address reporting requirements in different ways, and the CRS report compares selected bills from the current session that address cyber incident reporting. Congress has debated requirements for nonfederal entities to report cyberattack incidents to the federal government.

The 117th Congress has debated requiring non-federal entities to report to a federal agency when the entity experiences a cyberattack, Chris Jaikaran, an analyst in Cybersecurity Policy, wrote in the CRS report. As part of this debate, members of Congress have introduced legislation seeking to address reporting requirements in different ways, he added.

Because of the rising frequency and severity of ransomware attacks, some see the debate on reporting as an evolution of the debates concerning data breach notification requirements during the 115th and 116th Congresses, according to the report. Independently, others see cyber incident reporting as a necessary tool for policymakers and authorities to better understand cyber threats in their own right.

The CRS operates as shared staff to congressional committees and members of Congress. Its experts assist at every stage of the legislative process, right from the early considerations that precede bill drafting, through committee hearings and floor debate, to the oversight of enacted laws and various agency activities.

In examining threats to federal information technology and data, officials seek to collect information from federal agencies, as well as from non-federal entities which may store or process government information, or operate federal systems on behalf of the government. “Irrespective of individual contracts, Executive Order 14028, Improving the Nation’s Cybersecurity, requires entities providing information and communications technology to the federal government to report to CISA when they discover a cyber incident on a product or service used by the government,” according to the report.

The CRS analyzed the ‘as introduced’ versions of the bills, including H.R. 5440, the Cyber Incident Reporting for Critical Infrastructure Act of 2021, which was introduced on Sept. 30, 2021, following a House Committee on Homeland Security (CHS) legislative hearing on a discussion draft of the bill. S. 2407, the Cyber Incident Notification Act of 2021, was introduced on July 21, 2021, referred to the Senate Committee on Homeland Security and Governmental Affairs (HSGAC), and has not been debated.

S. 2875, the Cyber Incident Reporting Act of 2021, was introduced on Sept. 28, 2021, marked up during an HSGAC business meeting, and ordered to be reported favorably with an amendment in the nature of a substitute on Oct. 6, 2021. All three bills direct the Cybersecurity and Infrastructure Security Agency (CISA) to impose cyber incident reporting requirements on nonfederal entities via rulemaking. However, the entities affected and what the federal government does with the information received differ slightly among the three bills.

S. 2943, the Ransom Disclosure Act, was introduced on Oct. 6, 2021, and referred to HSGAC. It differs more significantly from the other three bills: its rulemaking authority is limited to enforcement, and it does not apply to cyber incidents broadly but only addresses the payment of ransoms following ransomware attacks.

The latest CRS report complements an earlier one, released toward the end of September, which examines cybersecurity principles and provides case examples of challenges to those principles. That report also provides an overview of policies related to federal cybersecurity by exploring and analyzing laws, agency guidance, and standards for cybersecurity, along with agency responsibilities for cybersecurity.

It concludes by examining options for Congress to address federal cybersecurity issues through updating statutes, requiring cyber incident reports, establishing cybersecurity funding levels, mandating the use of shared services, and/or requiring the adoption of modern cybersecurity tools.

Earlier this month, the CRS published a report on the legal issues surrounding the federal laws that offer potential approaches to combating ransomware attacks, in the wake of rising cybercrime and cybersecurity attacks.

The report summarizes the potential for criminal prosecution under federal statutes, such as the Computer Fraud and Abuse Act (CFAA) and the Economic Espionage Act (EEA), focusing on the legal issues facing ransomware victims, in particular, whether victims risk legal liability by making ransomware payments. It also summarizes federal laws governing public and private-sector cybersecurity, including preparedness and incident response.
