Scoop: Senate HSGAC is working on a bill that combines the House's industry-friendly cyber incident reporting legislation w/ a bunch of programs to tackle ransomware.
Raises Qs about what happens to Warner/Rubio/Collins bill, which industry doesn't like.
subscriber.politicopro.com/article/2021/0…
Raises Qs about what happens to Warner/Rubio/Collins bill, which industry doesn't like.
subscriber.politicopro.com/article/2021/0…
The big stuff in the HSGAC bill:
* The House Homeland incident reporting legislation, with some tweaks and additions
* "Due diligence requirement" for companies facing ransom demands
* Ransomware task force
* "Ransomware vulnerability warning pilot program"
* The House Homeland incident reporting legislation, with some tweaks and additions
* "Due diligence requirement" for companies facing ransom demands
* Ransomware task force
* "Ransomware vulnerability warning pilot program"
Due diligence req:
Before paying a ransom, a company would have to determine whether it could recover from the attack “through other means,” including by seeing if experts have published a decryption tool that works for them.
It would have to report to CISA on this process.
Before paying a ransom, a company would have to determine whether it could recover from the attack “through other means,” including by seeing if experts have published a decryption tool that works for them.
It would have to report to CISA on this process.
Ransomware task force:
DHS and agencies of its choice would get together to coordinate response to ransomware, incl. prioritizing intel collection on ransomware gangs, compiling list of most dangerous groups, and disrupting their infrastructure and finances.
DHS and agencies of its choice would get together to coordinate response to ransomware, incl. prioritizing intel collection on ransomware gangs, compiling list of most dangerous groups, and disrupting their infrastructure and finances.
Ransomware vulnerability warning pilot program:
CISA would try to identify the technology most vulnerable to common ransomware techniques & then alert companies using that technology.
If it can't identify them, it can use its new administrative subpoena authority to do so.
CISA would try to identify the technology most vulnerable to common ransomware techniques & then alert companies using that technology.
If it can't identify them, it can use its new administrative subpoena authority to do so.
DHS would also have to brief Congress on the “defensive measures” that companies can legally take in response to ransomware intrusions and identify any laws that “need to be clarified to enable that action.”
Also, any company that pays a ransom, except for a small business, would also have to submit a report to CISA about the underlying attack, the ransom amount & currency type, & other details.
CISA chooses reporting timeframe, but would have to be b/w 24 & 72 hours after payment.
CISA chooses reporting timeframe, but would have to be b/w 24 & 72 hours after payment.
As I mentioned, the main portion of the bill is the broader cyber incident reporting mandate, which is almost identical to the latest version of the House Homeland bill (homeland.house.gov/imo/media/doc/…), but there are a few additions and changes, which I'll note here...
Some of the changes:
* CISA can't set the cyber incident reporting deadline beyond 7 days after an incident (the floor is 72 hrs)
* Companies don't have to report incidents to CISA if they already report to other agencies & those agencies share with CISA w/in 6 hours
* CISA can't set the cyber incident reporting deadline beyond 7 days after an incident (the floor is 72 hrs)
* Companies don't have to report incidents to CISA if they already report to other agencies & those agencies share with CISA w/in 6 hours
Provisions added to language from House bill:
* CISA has to compare incident reports w/ companies SEC filings
* CISA's pre-reg outreach must include security response firms and cyber insurers
* Pentesting and other VDP-compliant activity excluded from def'n of incident
* CISA has to compare incident reports w/ companies SEC filings
* CISA's pre-reg outreach must include security response firms and cyber insurers
* Pentesting and other VDP-compliant activity excluded from def'n of incident
The new Senate bill would also create a Cybersecurity Incident Reporting Council — CISA, OMB and the Office of the National Cyber Director — to “deconflict” and “harmonize” incident reporting rules, so there's no redundancy in what companies are being asked to do.
It's unclear when Senate Homeland leaders will introduce their bill, but an industry source told me that the committee has asked for industry feedback by 9/14.
House Homeland leaders could also introduce their bill in the coming weeks.
House Homeland leaders could also introduce their bill in the coming weeks.
But what does this mean for the Senate Intelligence bill?
As I said, industry doesn't like it —
it allows for a 24-hour reporting deadline, as well as financial penalties for noncompliant companies. (CHS and HSGAC bills only allow for subpoenas.)
Its status is unclear.
As I said, industry doesn't like it —
it allows for a 24-hour reporting deadline, as well as financial penalties for noncompliant companies. (CHS and HSGAC bills only allow for subpoenas.)
Its status is unclear.
Warner's office says they've had productive meetings with stakeholders and are digesting feedback.
But HSGAC has jurisdiction over their bill. So even though Warner, Rubio, and esp. Collins have lots of sway in the Senate, Peters still controls their bill's fate.
But HSGAC has jurisdiction over their bill. So even though Warner, Rubio, and esp. Collins have lots of sway in the Senate, Peters still controls their bill's fate.
When I got this draft, I was talking to industry sources about whether Warner et al. would change their bill after seeing industry feedback at yesterday's House hearing.
Now that may not even matter. Peters could just sweep the SSCI bill aside and focus on his legislation.
Now that may not even matter. Peters could just sweep the SSCI bill aside and focus on his legislation.
If the homeland security panels team up, House Homeland would still need to change its bill, which doesn't include the ransomware stuff in the Senate Homeland bill. But other than that, it would be relatively easy for them to push ahead with their industry-friendly approach.
As usual, at this point, the NDAA is the most likely vehicle for whichever bill wins out. The reconciliation bill would be another option.
But there are some tight timelines here, which means Peters, Warner, etc. will need to huddle and make some decisions soon.
But there are some tight timelines here, which means Peters, Warner, etc. will need to huddle and make some decisions soon.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
