Biden appointees split on key cyber bill

President Joe Biden’s top national security officials are publicly split over legislation that would require critical infrastructure companies to report hacks to the government, in a remarkable display of disharmony over a bill with bipartisan support and industry backing.

The squabbling over the cybersecurity bill comes just days after the Senate unanimously passed the measure and amid rising concerns that Russia’s invasion of Ukraine could lead to Kremlin-backed hackers attacking critical resources such as hospitals, power plants or fuel pipelines.

The departments of Justice and Homeland Security have staked out opposing positions on the bill, S. 3600 (117th), which would require operators of critical infrastructure to report hacks to DHS’ Cybersecurity and Infrastructure Security Agency.

CISA Director Jen Easterly has praised the reporting mandate as a critical tool for enhancing the nation’s cyber defenses. But on Wednesday, Deputy Attorney General Lisa Monaco said the legislation would make the country “less safe” and FBI Director Christopher Wray said it had “serious flaws.” An FBI official later told POLITICO that certain provisions might discourage companies from talking to the bureau and make it harder for the government to disrupt cybercrime gangs.

The White House said Thursday night that it supports the bill, which it said “will ensure the federal government rapidly receives information about cyber incidents affecting critical infrastructure.” It expressed interest in tweaking the bill to address DOJ’s concerns — but didn’t threaten that Biden would veto the measure if lawmakers don’t make those changes.

The legislation’s main Senate champions, Homeland Security Chair Gary Peters (D-Mich.) and ranking member Rob Portman (R-Ohio), have expressed no interest in altering the bill. The legislation emerged after months of jockeying among House and Senate committees on how to toughen the nation’s cyber defenses following a series of destructive and invasive attacks on industries including food, shipping, health care and energy.

The dissension is unlikely to stymie the bill, which would require operators of critical infrastructure to report hacks within 72 hours and ransom payments within 24 hours. But the conflicting messages underscore how, for all their talk about improving their collaboration to fight hackers, agencies still have their own interests and priorities. And the fight over the incident reporting mandate comes at a time when security experts say it’s essential for the U.S. to present a united front on cyber issues.

“It’s disappointing to see the FBI take a bureaucratic dispute public under the guise of a serious threat to public safety,” said Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.

“The optics are certainly awkward at best,” said Matthew Travis, a former deputy director of CISA.

In comments provided exclusively to POLITICO, Monaco and Wray blasted the incident reporting bill Wednesday for requiring companies to disclose hacks only to CISA. Wray said the current bill “would make the public less safe from cyber threats” by slowing down the FBI’s investigations and disruptions of hackers.

In contrast, Easterly and White House National Cyber Director Chris Inglis have been outspoken in supporting the bill. At a Senate hearing in September, both of them favored boosting the FBI’s role in the incident reporting program, but neither of them said that failing to do so would make America less safe.

Easterly has also expressed disappointment that lawmakers removed the proposed reporting mandate from the defense policy bill that Biden signed in December. In January, after researchers found gaping security vulnerabilities in a widely used software package found on web servers, Easterly said that “we were all disappointed” that the mandate “was not already signed into law when this broke.”

“It's important that such legislation is passed to ensure that CISA and our partners receive timely information” about intrusions, especially those affecting critical infrastructure, Easterly said.

The White House said much the same thing in its Thursday night statement.

“The administration supports final passage” of the reporting mandate “and appreciates Congress’s bipartisan work to draft the legislation,” National Security Council spokesperson Emily Horne said. “Cyber threats to the United States are increasingly sophisticated and this legislation enables the federal government to bolster cyber protections.”

DOJ hasn’t publicly explained its objections to the bill. But an FBI official, who spoke anonymously in accordance with agency policy, said the bureau was seeking two changes to the legislation.

First, the bureau wants companies that sit down with FBI agents during a cyber incident to receive the same liability protections that Congress is offering to companies that send written hacking reports to CISA. Absent that change, the official said, companies will stop discussing hacks with FBI agents and will share information only with CISA through its liability-free channel. That will slow down the FBI’s investigations as the bureau waits for CISA to share information with it, the official said.

The FBI’s 56 field offices have long been the first point of contact for hacked businesses, creating relationships that the bureau fears may now change because of how the law is written.

“There's no desire to take anything at all away from CISA that this statute gives it,” the FBI official said. “The more information they're armed with, the better. … The only thing we're asking for … is to make sure that those liability protections extend to other conversations as well.”

The FBI also wants lawmakers to tweak a liability provision in the bill that would prohibit companies’ reports on hacking from being used in court proceedings. The bureau official said that language could prevent agents from presenting the evidence needed to obtain warrants to seize cybercriminals’ computer servers or cryptocurrency.

The bill's sponsors do not seem interested in making these changes.

A Peters aide, who requested anonymity to discuss a sensitive matter, emphasized that the incident reporting program was about protecting critical infrastructure, not facilitating law enforcement investigations, which was why the lawmakers focused on empowering CISA. They also said nothing in the bill would prevent companies from alerting the FBI about hacks in a timely manner.

Monaco and Wray’s criticism of the bill — which made no mention of these specific objections — sounded familiar to cyber experts, who noted that the FBI has not been shy about seizing the limelight in the past. Former FBI Director James Comey spent years imploring Congress to require tech companies to give law enforcement agencies access to encrypted data when courts order it, while then-President Barack Obama and his advisers debated what position to take on the issue.

“We've seen a number of instances of the Justice Department taking a hyperbolic approach to threats and issues where they have policy disputes [and] have bureaucratic challenges,” Herr said.

A former senior White House cyber official, who was granted anonymity to speak candidly, said DOJ’s public statements must be “spectacularly frustrating for the majority of agencies that feel differently than DOJ does and the White House staff that is trying to run a coherent decision-making process.”

Former officials and cyber experts said DOJ’s criticism reflects the FBI’s struggle to accept that CISA has become the lead agency for cyber response.

“This is [the] Department of Justice extremely not recognizing that critical infrastructure protection and cybersecurity defense has an important law enforcement component but not a lead law enforcement component, and that the lead naturally sits at the Department of Homeland Security,” said Mark Montgomery, executive director of the congressionally chartered Cyberspace Solarium Commission, which recommended a reporting mandate.

“That inability to absorb the decision that both the executive and legislative branches have come to about the centrality of DHS is frustrating to the FBI and DOJ,” Montgomery added.

CISA used to depend heavily on the FBI for reports of cyberattacks, Travis said, and “this bill will put the shoe on the other foot, to some extent.”

Tensions between DOJ and DHS aren’t surprising, but the public nature of this conflict is, said Kellen Dwyer, a former deputy assistant attorney general for national security. “Every administration has internal processes to referee interagency disputes,” he said, “but they seemed to have failed here.”

Some cyber experts said they understood the bureau’s anxieties.

“There's been a lot of trust built up [with businesses], and so I understand that concern in not wanting to get rid of that,” said Lauren Zabierek, executive director of the Harvard Belfer Center’s Cyber Project. She noted, however, that companies could still contact the FBI if they want.

Christopher Ott, a former senior cyber lawyer in DOJ’s National Security Division, said the FBI’s concerns deserved serious attention.

“The FBI has spent years building a network of connections with private industry so that it can promulgate warnings and act on tips,” he said. “Those resources are now, at best, redundant or, at worst, useless.”

But for whatever reason, lawmakers don’t seem to share the FBI’s view.

“The fact that they couldn't get a single senator to object on their behalf is pretty telling about the validity of their concerns, or at least the persuasiveness of their arguments,” said Chris Finan, a former NSC director for cyber policy.

Law enforcement agencies’ “first priority is always access to information, not strengthening information security,” he said, “as the encryption debates have repeatedly demonstrated.”

The FBI will still receive incident reports if the bill becomes law. After the bureau first objected to the legislation in September, senators added a provision requiring CISA to share data with other agencies within 24 hours.

On Friday, Easterly promised to ensure that “cyber incident reporting received by [CISA] is immediately shared with” the FBI, with which she said CISA has a “terrific operational partnership.” But she did not endorse DOJ’s urgent warnings or request changes to the bill, which she called “a critical step forward in ensuring our nation’s security.”

Meanwhile, the White House is still interested in tweaking the bill. Horne, the NSC spokesperson, said the administration “remains committed to working with the House, and exploring all options, to ensure that the legislation enables all relevant federal agencies to receive and process these incident reports as quickly as possible to carry out their cybersecurity missions.”

Lawmakers, meanwhile, just want to get something to Biden’s desk.

New York Rep. Andrew Garbarino, the top Republican on the House Homeland Security cyber subcommittee, urged Congress “to get this bill across the finish line as soon as possible.”

“We cannot afford to sit on the sidelines as the cyber threat landscape grows increasingly complex with threats from Russia and other foreign adversaries,” he said.